From 0c328d4b3a8c2c005f3798b1048b0862d1cd34bd Mon Sep 17 00:00:00 2001
From: ulfvonbelow
Date: Thu, 2 May 2024 16:05:00 -0500
Subject: [PATCH] service: namestore: fix use-after-free in handle_edit_record_set.

The editor_hint string that is passed in to GNUNET_NAMESTORE_RecordIterators isn't guaranteed to stay live between when the iterator is called and when GNUNET_NAMESTORE_PluginFunctions.edit_records returns. So lookup_it should strdup that string, and anything that uses lookup_it should manage its lifetime. Currently that's just handle_edit_record_set and handle_record_lookup.
---
 src/service/namestore/gnunet-service-namestore.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/service/namestore/gnunet-service-namestore.c b/src/service/namestore/gnunet-service-namestore.c
index f29058d0e..448a9d2b3 100644
--- a/src/service/namestore/gnunet-service-namestore.c
+++ b/src/service/namestore/gnunet-service-namestore.c
@@ -1157,7 +1157,8 @@ lookup_it (void *cls,
 if (0 != strcmp (label, rlc->label))
 return;
 rlc->found = GNUNET_YES;
- rlc->editor_hint = editor_hint;
+ if (NULL == rlc->editor_hint)
+ rlc->editor_hint = GNUNET_strdup (editor_hint);
 if (GNUNET_OK != GNUNET_GNSRECORD_normalize_record_set (rlc->label,
 rd_nf,
 rd_count_nf,
@@ -1332,6 +1333,7 @@ handle_edit_record_set (void *cls, const struct EditRecordSetMessage *er_msg)
 return;
 }
 name_len = strlen (conv_name) + 1;
+ rlc.editor_hint = NULL;
 rlc.label = conv_name;
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
 "Looking up without filter\n");
@@ -1370,6 +1372,7 @@ handle_edit_record_set (void *cls, const struct EditRecordSetMessage *er_msg)
 GNUNET_memcpy ((char*) &rer_msg[1] + old_editor_hint_len, rlc.res_rd, rlc.rd_ser_len);
 GNUNET_MQ_send (nc->mq, env);
+ GNUNET_free (rlc.editor_hint);
 GNUNET_free (rlc.res_rd);
 GNUNET_free (conv_name);
 }
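Review bot: Storing a GNUNET_strdup copy in rlc->editor_hint turns that field into owned memory, but nothing in the diff touches the declaration of the lookup context struct (outside the hunk), which presumably still reads as a borrowed pointer with no ownership note; add a comment there such as `/* owned copy of the plugin's editor hint, or NULL; freed by whoever runs lookup_it */` (and drop any const qualifier) so the next user of lookup_it knows it must free the field. The `NULL == rlc->editor_hint` guard also means only the hint from the first matching iteration is kept, and it silently relies on every caller pre-setting the field to NULL. If the plugin can pass lookup_it a NULL editor_hint for a record set nobody is editing, confirm that GNUNET_strdup tolerates NULL; if it does not, use `rlc->editor_hint = (NULL != editor_hint) ? GNUNET_strdup (editor_hint) : NULL;`. lookup_it's body continues on both sides of the hunk.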
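Review bot: Correctness now depends on `rlc.editor_hint = NULL;` running before the lookup, because lookup_it only takes its copy when the field is already NULL; a context left uninitialized would skip the strdup and later hand an indeterminate pointer to GNUNET_free. Zero-initializing the whole context where it is declared (`= { 0 }` at the declaration, which is outside this hunk) is more robust than a per-field assignment and also covers any field added later. The same applies to the matching assignment added to handle_record_lookup at @@ -1566.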
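Review bot: The new `GNUNET_free (rlc.editor_hint);` runs only on the success path; any return between the edit_records call and this point (not visible in the hunk) now leaks the copy that lookup_it made, whereas before the pointer was merely borrowed. Either release rlc.editor_hint on those paths too or route them through one cleanup label at the end of the function. If a path reaches this free without lookup_it ever having matched, rlc.editor_hint is still NULL, so GNUNET_free must accept NULL here — confirm. The release added to handle_record_lookup at @@ -1601 has the same exposure.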
@@ -1566,6 +1569,7 @@ handle_record_lookup (void *cls, const struct LabelLookupMessage *ll_msg)
 return;
 }
 name_len = strlen (conv_name) + 1;
+ rlc.editor_hint = NULL;
 rlc.label = conv_name;
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Looking up with filter %u\n", ntohs (ll_msg->filter));
@@ -1601,6 +1605,7 @@ handle_record_lookup (void *cls, const struct LabelLookupMessage *ll_msg)
 GNUNET_memcpy (res_name, conv_name, name_len);
 GNUNET_memcpy (&res_name[name_len], rlc.res_rd, rlc.rd_ser_len);
 GNUNET_MQ_send (nc->mq, env);
+ GNUNET_free (rlc.editor_hint);
 GNUNET_free (rlc.res_rd);
 GNUNET_free (conv_name);
 }
-- 
2.41.0