From: Todd C. Miller
Date: Fri, 16 Feb 2018 21:17:39 +0000 (-0700)
Subject: Fix a use-after-free bug in get_recent_address() and two related issues.
X-Git-Tag: release-1.1pre16~27
X-Git-Url: http://tinc-vpn.org/git/browse?a=commitdiff_plain;h=536fe3ffcdc4c894ed986dfb5fdc0d6f78d6fe25;hp=536fe3ffcdc4c894ed986dfb5fdc0d6f78d6fe25;p=tinc

Fix a use-after-free bug in get_recent_address() and two related issues.

1) The sockaddr_t * returned may be part of memory freed by the call
   to freeaddrinfo().

2) The sockaddr_t * returned from a recently seen address not in the
   cache was cast from struct addrinfo *ai, not the struct sockaddr *
   inside of it.

3) In do_outgoing_connection(), when filling in the address in the
   connection_t, there is a buffer overflow (read, not write) if the
   sa returned by get_recent_address() didn't come from the cache of
   recently seen addresses. That is, it was really a struct sockaddr *
   and not a sockaddr_t *.

This last was found by building tinc with address sanitizer.
---
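The three issues listed in the commit message above, shown as one corrected pattern. This is an added example, not tinc's code and not part of the commit; `addr_buf_t` and `resolve_copy` are hypothetical names, and the union is only a stand-in for a union-style address type.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for a union-style address type (not tinc's definition). */
typedef union {
    struct sockaddr sa;
    struct sockaddr_in in;
    struct sockaddr_in6 in6;
    struct sockaddr_storage storage;
} addr_buf_t;

/* Resolve a numeric host/port and copy the first result into caller-owned
 * storage. Returns the number of bytes copied, or 0 on failure. */
size_t resolve_copy(const char *host, const char *port, addr_buf_t *out) {
    struct addrinfo hints, *ai = NULL;
    size_t len = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; /* literals only, no DNS */

    if (getaddrinfo(host, port, &hints, &ai) != 0 || ai == NULL)
        return 0;

    /* Issue 2: the address is ai->ai_addr, not the struct addrinfo itself.
     * Issue 3: copy ai_addrlen bytes, never sizeof(*out); ai_addr can be
     * smaller than the union, so a full-size copy reads past its end. */
    if (ai->ai_addr != NULL && ai->ai_addrlen <= sizeof *out) {
        memset(out, 0, sizeof *out);
        memcpy(out, ai->ai_addr, ai->ai_addrlen);
        len = ai->ai_addrlen;
    }

    /* Issue 1: free only after the copy, so no pointer into the list survives. */
    freeaddrinfo(ai);
    return len;
}
```

Building a caller of this with `-fsanitize=address` is the same kind of check the commit message credits for finding the over-read.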