diff options
| author | Andreas Schwab <schwab@suse.de> | 2013-03-21 15:50:27 +0100 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2015-04-13 17:39:37 -0300 |
| commit | 002be9b8d178ace55a47dd9e2c166f217e380380 (patch) | |
| tree | a6b007190d1e20f22a71246508cad4173ae41866 | |
| parent | e9c2f97bf02666b01aa4af63c4e41355396acc3c (diff) | |
| download | glibc-ibm/2.16/master.tar.gz glibc-ibm/2.16/master.tar.xz glibc-ibm/2.16/master.zip | |
Fix stack overflow in getaddrinfo with many results ibm/2.16/master
Conflicts: NEWS
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 7 | ||||
| -rw-r--r-- | sysdeps/posix/getaddrinfo.c | 23 |
3 files changed, 32 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog index 246f0a5184..b6ef28d738 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2013-04-03 Andreas Schwab <schwab@suse.de> + + [BZ #15330] + * sysdeps/posix/getaddrinfo.c (getaddrinfo): Allocate results and + order arrays from heap if bigger than alloca cutoff. + 2014-06-03 Andreas Schwab <schwab@suse.de> [BZ #15946] diff --git a/NEWS b/NEWS index 6a49b4bdb5..2b31faa0ea 100644 --- a/NEWS +++ b/NEWS @@ -10,8 +10,11 @@ Version 2.16.1 * The following bugs are resolved with this release: 6530, 14195, 14547, 14459, 14476, 14562, 14621, 14648, 14699, 14719, - 14756, 14831, 15014, 15078, 15754, 15755, 15946, 16072, 16431, 16617, - 16618, 17048, 17137, 17187, 17325, 17625, 17630. + 14756, 14831, 15014, 15078, 15330, 15754, 15755, 15946, 16072, 16431, + 16617, 16618, 17048, 17137, 17187, 17325, 17625, 17630. + +* CVE-2013-1914 Stack overflow in getaddrinfo with many results has been + fixed (Bugzilla #15330). * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index dd85130554..c88e1ec005 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -2467,11 +2467,27 @@ getaddrinfo (const char *name, const char *service, __typeof (once) old_once = once; __libc_once (once, gaiconf_init); /* Sort results according to RFC 3484. */ - struct sort_result results[nresults]; - size_t order[nresults]; + struct sort_result *results; + size_t *order; struct addrinfo *q; struct addrinfo *last = NULL; char *canonname = NULL; + bool malloc_results; + + malloc_results + = !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t))); + if (malloc_results) + { + results = malloc (nresults * (sizeof (*results) + sizeof (size_t))); + if (results == NULL) + { + __free_in6ai (in6ai); + return EAI_MEMORY; + } + } + else + results = alloca (nresults * (sizeof (*results) + sizeof (size_t))); + order = (size_t *) (results + nresults); /* Now we definitely need the interface information. */ if (! check_pf_called) @@ -2642,6 +2658,9 @@ getaddrinfo (const char *name, const char *service, /* Fill in the canonical name into the new first entry. */ p->ai_canonname = canonname; + + if (malloc_results) + free (results); } __free_in6ai (in6ai); |