author     Florian Weimer <fweimer@redhat.com>    2016-03-29 12:57:56 +0200
committer  Aurelien Jarno <aurelien@aurel32.net>  2016-04-27 13:14:47 +0200
commit     a02f3e795993ae0f80242b488061b74666605625 (patch)
tree       d6cbf988020876fc0a82dca73a9265fdb3be9242
parent     78c76f7374df7f3caff43840a01247bb7d25597e (diff)
CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
The defensive copy is not needed because the name may not alias the
output buffer.

(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
-rw-r--r--  ChangeLog                     | 7
-rw-r--r--  NEWS                          | 7
-rw-r--r--  resolv/nss_dns/dns-network.c  | 5
3 files changed, 14 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 9907019604..685dd909f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-04-01  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #19879]
+	CVE-2016-3075
+	* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+	copy name.
+
 2016-02-12  Florian Weimer  <fweimer@redhat.com>
 
 	* misc/bug18240.c (do_test): Set RLIMIT_AS.
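Review bot: the new entry names only resolv/nss_dns/dns-network.c; if this branch follows the convention of listing NEWS edits in ChangeLog as well, add a `* NEWS: Mention CVE-2016-3075.` line so the documentation change is tracked alongside the code change. The entry date 2016-04-01 differs from this commit's author date of 2016-03-29 because the entry is carried over from the cherry-picked upstream commit, which is the expected practice for a release-branch backport and needs no change.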
diff --git a/NEWS b/NEWS
index 0d1952c9f4..d7da53f9ba 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,7 @@ Version 2.19.1
   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
   16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
   17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
-  18032, 18240, 18287, 18905.
+  18032, 18240, 18287, 18905, 19879.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
@@ -63,6 +63,11 @@ Version 2.19.1
   the get*ent functions if any of the query functions for the same database
   are used during the iteration, causing a denial-of-service condition in
   some applications.
+
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+  alloca call (in the form of a call to strdupa), leading to a stack
+  overflow (stack exhaustion) and a crash if getnetbyname is invoked
+  on a very long name.  (CVE-2016-3075)
 
 Version 2.19
 
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 13ad38c5de..37de664818 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
 
   if (__res_maybe_init (&_res, 0) == -1)
     return NSS_STATUS_UNAVAIL;
 
-  qbuf = strdupa (name);
-
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
 
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
 			       1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
   if (anslen < 0)
     {
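Review bot: dropping the `strdupa` and passing `name` straight through is only correct because `__libc_res_nsearch` takes the name as `const char *` and does not write to it, which is the aliasing argument the commit message makes; consider a one-line comment at the call site recording that `name` is intentionally not copied, so a later change does not reintroduce the unbounded copy. With `qbuf` gone, the only remaining stack allocation in this function is the fixed `alloca (1024)` for the query buffer, so no caller-controlled stack growth remains here, and the removed `char *qbuf;` declaration avoids an unused-variable warning.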