diff options
author | Arjun Shankar <arjun.is@lostca.se> | 2015-04-21 14:06:31 +0200 |
---|---|---|
committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2015-04-23 12:54:33 -0300 |
commit | 19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208 (patch) | |
tree | ae2992aecc53f8113b2628823477615494676ed3 | |
parent | 7c6f38b4f37d21dbfb016b20748f39c6edb6533e (diff) | |
download | glibc-19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208.tar.gz glibc-19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208.tar.xz glibc-19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208.zip |
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
Conflicts: NEWS resolv/nss_dns/dns-host.c
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | resolv/nss_dns/dns-host.c | 3 |
3 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog index fc104eb85b..d287261023 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar <arjun.is@lostca.se> + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2015-03-10 Adhemerval Zanella <azanella@linux.vnet.ibm.com> * sysdeps/ieee754/dbl-64/Makefile (CFLAGS-e_pow.c): Add diff --git a/NEWS b/NEWS index 3af0fb6461..fbd25a119c 100644 --- a/NEWS +++ b/NEWS @@ -12,7 +12,14 @@ Version 2.19.1 15946, 16545, 16574, 16617, 16618, 16683, 16689, 16695, 16701, 16706, 16707, 16739, 16815, 16619, 16740, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17031, 17048, 17069, 17137, 17153, 17187, 17213, 17263, - 17325, 17555, 17625, 17630, 18104. + 17325, 17555, 17625, 17630, 18104, 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f0b4b17b06..f36d28bd70 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0)) + buflen = buflen > pad ? buflen - pad : 0; + if (__builtin_expect (buflen < sizeof (struct host_data), 0)) { /* The buffer is too small. */ too_small: |