From 75c64c2b6d77856b90903cc3b7c6a2f62ff8eb7b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 2 Oct 2015 11:31:45 +0200 Subject: [PATCH] dirmngr: Fix use-after-free due to a realloc shrinking. * dirmngr/ks-engine-hkp.c (map_host): Do not use original pointer after realloc. -- vex01 reported and debugged the problem. GnuPG-bug-id: 2107 Signed-off-by: Werner Koch --- dirmngr/ks-engine-hkp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index 18ad7317d..411f1087b 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -383,7 +383,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, int n_v6, n_v4; /* First figure out whether this is a pool. For a pool we - use a different strategy than for a plains erver: We use + use a different strategy than for a plain server: We use the canonical name of the pool as the virtual host along with the IP addresses. If it is not a pool, we use the specified name. */ @@ -512,7 +512,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, xfree (reftbl); return err; } - qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool); + qsort (hi->pool, refidx, sizeof *reftbl, sort_hostpool); } else xfree (reftbl);