NetBSD-Bugs archive


lib/57758: resource leak in /etc/hosts gethostbyname (libc/net/sethostent.c)



>Number:         57758
>Category:       lib
>Synopsis:       resource leak in /etc/hosts gethostbyname (libc/net/sethostent.c)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 07 23:25:00 +0000 2023
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, 8
>Organization:
The NetBSD Foundation
>Environment:
>Description:
The _hf_gethtbyname2 function in src/lib/libc/net/sethostent.c, used by gethostbyname for name resolution through /etc/hosts, leaks an open stdio FILE object in some failure branches.

Reported by enh%google.com@localhost on findings by wuhaitao3 <wuhaitao3%xiaomi.corp-partner.google.com@localhost> and Chris Ferris <cferris%google.com@localhost>.
>How-To-Repeat:
Call gethostbyname with a hostname when any of the following conditions holds:

- /etc/hosts is missing
- the hostname in question has more than 35 addresses or aliases
- any of various buffers involved in _hf_gethtbyname2 is out of space
>Fix:
diff --git a/lib/libc/net/sethostent.c b/lib/libc/net/sethostent.c
index b5f7ac8f2058..1029b3308c93 100644
--- a/lib/libc/net/sethostent.c
+++ b/lib/libc/net/sethostent.c
@@ -172,6 +172,7 @@ _hf_gethtbyname2(const char *name, int af, struct getnamaddr *info)
 
 	if ((ptr = buf = malloc(len = info->buflen)) == NULL) {
 		*info->he = NETDB_INTERNAL;
+		endhostent_r(&hf);
 		return NULL;
 	}
 
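Review bot: in the malloc-failure branch, the added endhostent_r(&hf) runs between the failed malloc and `return NULL`, so errno is no longer guaranteed to be the value malloc left. This branch reports NETDB_INTERNAL, which tells the caller to consult errno, and if endhostent_r closes the stream with a call that can itself set errno, the caller may see that value instead of ENOMEM. The nospc path avoids this by assigning errno after the cleanup. Doing the same here (save and restore errno around the call, or assign `errno = ENOMEM;` after it) would keep the two failure branches consistent.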
@@ -252,6 +253,7 @@ _hf_gethtbyname2(const char *name, int af, struct getnamaddr *info)
 	return hp;
 nospc:
 	*info->he = NETDB_INTERNAL;
+	endhostent_r(&hf);
 	free(buf);
 	errno = ENOSPC;
 	return NULL;
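Review bot: at the nospc label, confirm that no `goto nospc` can be reached after hf has already been closed on the way to `return hp;`. The success-path close is outside the visible context, and a second endhostent_r(&hf) on the same handle is only safe if endhostent_r resets hf to NULL and tolerates NULL. The ordering within the label is fine, since `errno = ENOSPC;` is assigned after the cleanup and cannot be overwritten by it. With the close now repeated by hand in each failure branch, a single shared cleanup label would make it harder for a future error path to miss it. Separately, How-To-Repeat lists a missing /etc/hosts as a trigger, but neither hunk touches the path where opening the file fails; the commit message should say whether that case is covered elsewhere.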


