diff options
| author | Arjun Shankar <arjun.is@lostca.se> | 2015-04-21 14:06:31 +0200 |
|---|---|---|
| committer | Aurelien Jarno <aurelien@aurel32.net> | 2015-08-28 22:54:02 +0200 |
| commit | 126e13008672dddfc757f7260cb8d6ff7c77a4b5 (patch) | |
| tree | 90e72a6e59192181a0daaf122ef235ac8cc4a8c2 | |
| parent | 323e41a8d8168dac0338bf95c12a8de5b0dfc56e (diff) | |
| download | glibc-126e13008672dddfc757f7260cb8d6ff7c77a4b5.tar.gz glibc-126e13008672dddfc757f7260cb8d6ff7c77a4b5.tar.xz glibc-126e13008672dddfc757f7260cb8d6ff7c77a4b5.zip | |
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 10 | ||||
| -rw-r--r-- | resolv/nss_dns/dns-host.c | 3 |
3 files changed, 17 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog index b88cd041d3..0eb6c3f0a1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar <arjun.is@lostca.se> + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2014-12-11 Andreas Schwab <schwab@suse.de> [BZ #16657] diff --git a/NEWS b/NEWS index 6f240cd5e7..7f9388fec9 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,15 @@ Version 2.19.1 * The following bugs are resolved with this release: 15946, 16545, 16574, 16623, 16657, 16695, 16878, 16882, 16885, 16916, - 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555. + 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555, + 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) * Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f0b4b17b06..f36d28bd70 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0)) + buflen = buflen > pad ? buflen - pad : 0; + if (__builtin_expect (buflen < sizeof (struct host_data), 0)) { /* The buffer is too small. */ too_small: |