Subject: Possible bug in (cvs) ares_parse_srv_reply.c /

From: John Engelhart <john.engelhart_at_gmail.com>
Date: Fri, 23 Oct 2009 13:09:46 -0400

While the top of ares_parse_srv_reply() checks the srv_out and nsrvreply
arguments to make sure they are non-NULL before using them, the bottom of
the function does not:

ares_parse_srv_reply(const unsigned char *abuf, int alen,
                     struct srv_reply **srv_out, int *nsrvreply)
{
  // ... snip ... Near top, line ~66

  /* Set *srv_out to NULL for all failure cases. */
  if (srv_out)
    *srv_out = NULL;
  /* Same with *nsrvreply. */
  if (nsrvreply)
    *nsrvreply = 0;

  // ... snip ... Near bottom, line ~165

  /* everything looks fine, return the data */
  *srv_out = srv;
  *nsrvreply = ancount;

  // ... snip ...
}

Those bottom lines should probably be:

  /* everything looks fine, return the data */
  if(srv_out) *srv_out = srv;
  if(nsrvreply) *nsrvreply = ancount;

Received on 2009-10-23
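
The pattern discussed in the post, as an added example that is not part of the original message and is not c-ares code: a small parser with optional output pointers that applies the same NULL guards on the success path as on entry. The names `parse_srv_fixed`, `struct srv_rec`, the `PARSE_*` codes and the fixed 6-byte record layout are assumptions made for illustration; the sketch also frees the array when the caller passes NULL for the output pointer, since nothing else would own it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record type and parser, not c-ares's own definitions. */
struct srv_rec { unsigned priority, weight, port; };

enum { PARSE_OK = 0, PARSE_EBADRESP = 1, PARSE_ENOMEM = 2 };

/* Parses `count` fixed 6-byte entries (priority, weight, port; big-endian
 * 16-bit each). Both output pointers are optional and may be NULL. */
int parse_srv_fixed(const unsigned char *buf, size_t len, size_t count,
                    struct srv_rec **srv_out, int *nsrv)
{
  struct srv_rec *srv;
  size_t i;

  /* Clear the outputs for every failure path, guarded as in the post. */
  if (srv_out) *srv_out = NULL;
  if (nsrv) *nsrv = 0;

  if (!buf || count == 0 || count > 65535u || count > len / 6)
    return PARSE_EBADRESP;
  srv = malloc(count * sizeof(*srv));
  if (!srv)
    return PARSE_ENOMEM;

  for (i = 0; i < count; i++) {
    const unsigned char *p = buf + i * 6;
    srv[i].priority = (unsigned)(p[0] << 8 | p[1]);
    srv[i].weight   = (unsigned)(p[2] << 8 | p[3]);
    srv[i].port     = (unsigned)(p[4] << 8 | p[5]);
  }

  /* Success path: same guards as the entry path. With no srv_out there is
   * no owner for the array, so release it instead of leaking it. */
  if (srv_out) *srv_out = srv; else free(srv);
  if (nsrv) *nsrv = (int)count;
  return PARSE_OK;
}

int main(void)
{
  /* Constructed sample: one entry, priority 10, weight 5, port 5060. */
  static const unsigned char sample[] = { 0x00, 0x0a, 0x00, 0x05, 0x13, 0xc4 };
  int n = -1;
  int rc = parse_srv_fixed(sample, sizeof(sample), 1, NULL, &n);
  printf("rc=%d n=%d\n", rc, n);
  return 0;
}
```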