authorArjun Shankar <arjun.is@lostca.se>2015-04-21 14:06:31 +0200
committerTulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>2015-04-24 17:03:13 -0300
commit3c7fb252298c48ef424e65fe63ea818d688f1088 (patch)
tree874ce398ea0ba32de21ab26513d2eed4ff9a5697
parentfec49d52bbe7af00c80f014a76357f56293e42bd (diff)
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
Conflicts:
	NEWS
-rw-r--r--ChangeLog6
-rw-r--r--NEWS9
-rw-r--r--resolv/nss_dns/dns-host.c3
3 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index f302131dc4..f006275a24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
 2014-06-03  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #15946]
diff --git a/NEWS b/NEWS
index ecccd4b68d..48bd9ede73 100644
--- a/NEWS
+++ b/NEWS
@@ -13,7 +13,14 @@ Version 2.18.1
   15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946,
   15996, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617,
   16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17325, 17625,
-  17630, 18104.
+  17630, 18104, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * Support for powerpc64le has been added.
 
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index 9018bb98a6..0c9d6dcc8b 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -613,7 +613,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
     {
       /* The buffer is too small.  */
     too_small:
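Review bot: The new `buflen` adjustment on the line after `buffer += pad;` carries no explanation of why the length must shrink, and the reason is the whole point of the fix — every later size check in getanswer_r is against `buflen`, so the padding consumed by the alignment must be subtracted once here or those checks are off by `pad` bytes; a comment such as `/* The alignment padding consumed part of the caller's buffer; shrink buflen so every later bounds check accounts for it.  */` above the new line would keep the next maintainer from "simplifying" it back. A second, minor point: `buffer += pad;` is executed before the `buflen > pad` test, so when `pad` exceeds `buflen` the pointer is advanced past the end of the caller's buffer before the `too_small` path rejects the call; it appears never to be dereferenced in that case, but swapping the order (compute the new `buflen`, check it, then advance `buffer`) would avoid forming the out-of-bounds pointer at all. If the same pad/align idiom is used by other answer-parsing routines in this file, they would presumably need the identical adjustment — worth confirming. getanswer_r's body continues outside the hunk, so the later uses of `buflen` that this change protects are not visible here.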