diff options
| author | Florian Weimer <fweimer@redhat.com> | 2018-11-27 16:12:43 +0100 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2018-11-27 21:35:31 +0100 |
| commit | a0bc5dd3bed4b04814047265b3bcead7ab973b87 (patch) | |
| tree | 225222395ade278969b745c64e149d6661dda414 | |
| parent | 27e46f5836d69c3e82442b1e3ac8a8b5e9ab12ce (diff) | |
| download | glibc-a0bc5dd3bed4b04814047265b3bcead7ab973b87.tar.gz glibc-a0bc5dd3bed4b04814047265b3bcead7ab973b87.tar.xz glibc-a0bc5dd3bed4b04814047265b3bcead7ab973b87.zip | |
CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | sysdeps/unix/sysv/linux/if_index.c | 11 |
3 files changed, 18 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog index 23724daa2f..2d3af62685 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2018-11-27 Florian Weimer <fweimer@redhat.com> + + [BZ #23927] + CVE-2018-19591 + * sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid + descriptor leak in case of ENODEV error. + 2018-11-08 Alexandra Hájková <ahajkova@redhat.com> [BZ #17630] diff --git a/NEWS b/NEWS index 3c708d2903..f6d26425ff 100644 --- a/NEWS +++ b/NEWS @@ -82,6 +82,10 @@ Security related changes: architecture could write beyond the target buffer, resulting in a buffer overflow. Reported by Andreas Schwab. + CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a + denial of service due to resource exhaustion when processing getaddrinfo + calls with crafted host names. Reported by Guido Vranken. + The following bugs are resolved with this release: [16750] ldd: Never run file directly. @@ -158,6 +162,7 @@ The following bugs are resolved with this release: [23562] signal: Use correct type for si_band in siginfo_t [23579] libc: Errors misreported in preadv2 [23709] Fix CPU string flags for Haswell-type CPUs + [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591) Version 2.26 diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c index a874634d52..b620d21936 100644 --- a/sysdeps/unix/sysv/linux/if_index.c +++ b/sysdeps/unix/sysv/linux/if_index.c @@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname) return 0; #else struct ifreq ifr; - int fd = __opensock (); - - if (fd < 0) - return 0; - if (strlen (ifname) >= IFNAMSIZ) { __set_errno (ENODEV); @@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname) } strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); + + int fd = __opensock (); + + if (fd < 0) + return 0; + if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0) { int saved_errno = errno; |