diff options
author | Florian Weimer <fweimer@redhat.com> | 2016-04-20 09:01:33 -0500 |
---|---|---|
committer | Paul E. Murphy <murphyp@linux.vnet.ibm.com> | 2016-04-20 09:17:30 -0500 |
commit | d3d94abbe8af2aa6e3de6a85983b9f17070a7564 (patch) | |
tree | a62af71109ec79fc8376125276a867afce0f58ed | |
parent | 2eb35ebfb291f773c1ba7939601a049acb4f3706 (diff) | |
download | glibc-d3d94abbe8af2aa6e3de6a85983b9f17070a7564.tar.gz glibc-d3d94abbe8af2aa6e3de6a85983b9f17070a7564.tar.xz glibc-d3d94abbe8af2aa6e3de6a85983b9f17070a7564.zip |
CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | resolv/nss_dns/dns-network.c | 5 |
3 files changed, 9 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog index c4caed2193..e90ad799a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-20 Florian Weimer <fweimer@redhat.com> + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-04-19 Florian Weimer <fweimer@redhat.com> [BZ #19791] diff --git a/NEWS b/NEWS index 9b796d6c88..47b994455b 100644 --- a/NEWS +++ b/NEWS @@ -27,7 +27,7 @@ Version 2.18.1 15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946, 15996, 16009, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617, 16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17269, - 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018. + 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018, 19879. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 7507f8c467..a6593c55c8 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL); if (anslen < 0) { |