diff options
author | Florian Weimer <fweimer@redhat.com> | 2016-04-27 14:26:47 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2016-04-27 14:26:47 +0200 |
commit | b9bdfa7c8fa22c944bb5f21a673dfd1f91b71c56 (patch) | |
tree | 51152c5b30660aae007c437bcf1169aff77d150a | |
parent | b06549a5e62d66ef16bdc2a2a6ec8e9dae2ea52b (diff) | |
download | glibc-b9bdfa7c8fa22c944bb5f21a673dfd1f91b71c56.tar.gz glibc-b9bdfa7c8fa22c944bb5f21a673dfd1f91b71c56.tar.xz glibc-b9bdfa7c8fa22c944bb5f21a673dfd1f91b71c56.zip |
resolv: Always set *resplen2 out parameter in send_vc [BZ #19825]
In various error scenarios (for example, if the server closes the TCP connection before sending the full response), send_vc can return without resetting the *resplen2 value. This can pass uninitialized or unexpected data to the caller.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | resolv/res_send.c | 39 |
2 files changed, 25 insertions, 21 deletions
diff --git a/ChangeLog b/ChangeLog index 2a4ad3125a..954c95f9a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-27 Florian Weimer <fweimer@redhat.com> + + [BZ #19825] + * resolv/res_send.c (send_vc): Remove early *resplen2 + initialization. Set *resplen2 on socket error. Call + close_and_return_error for other errors. + 2016-04-27 Stefan Liebler <stli@linux.vnet.ibm.com> * sysdeps/unix/sysv/linux/netiucv/iucv.h diff --git a/resolv/res_send.c b/resolv/res_send.c index b4efcb64a0..2c0bae10e6 100644 --- a/resolv/res_send.c +++ b/resolv/res_send.c @@ -762,8 +762,6 @@ send_vc(res_state statp, u_short len2; u_char *cp; - if (resplen2 != NULL) - *resplen2 = 0; connreset = 0; same_ns: truncating = 0; @@ -789,6 +787,8 @@ send_vc(res_state statp, if (statp->_vcsock < 0) { *terrno = errno; Perror(statp, stderr, "socket(vc)", errno); + if (resplen2 != NULL) + *resplen2 = 0; return (-1); } __set_errno (0); @@ -798,8 +798,7 @@ send_vc(res_state statp, : sizeof (struct sockaddr_in6)) < 0) { *terrno = errno; Aerror(statp, stderr, "connect/vc", errno, nsap); - __res_iclose(statp, false); - return (0); + return close_and_return_error (statp, resplen2); } statp->_flags |= RES_F_VC; } @@ -822,8 +821,7 @@ send_vc(res_state statp, if (TEMP_FAILURE_RETRY (writev(statp->_vcsock, iov, niov)) != explen) { *terrno = errno; Perror(statp, stderr, "write failed", errno); - __res_iclose(statp, false); - return (0); + return close_and_return_error (statp, resplen2); } /* * Receive length & response @@ -845,7 +843,6 @@ send_vc(res_state statp, if (n <= 0) { *terrno = errno; Perror(statp, stderr, "read failed", errno); - __res_iclose(statp, false); /* * A long running process might get its TCP * connection reset if the remote server was @@ -855,11 +852,13 @@ send_vc(res_state statp, * instead of failing. We only allow one reset * per query to prevent looping. */ - if (*terrno == ECONNRESET && !connreset) { - connreset = 1; - goto same_ns; - } - return (0); + if (*terrno == ECONNRESET && !connreset) + { + __res_iclose (statp, false); + connreset = 1; + goto same_ns; + } + return close_and_return_error (statp, resplen2); } int rlen = ntohs (rlen16); @@ -891,11 +890,11 @@ send_vc(res_state statp, /* Always allocate MAXPACKET, callers expect this specific size. */ u_char *newp = malloc (MAXPACKET); - if (newp == NULL) { - *terrno = ENOMEM; - __res_iclose(statp, false); - return (0); - } + if (newp == NULL) + { + *terrno = ENOMEM; + return close_and_return_error (statp, resplen2); + } *thisanssizp = MAXPACKET; *thisansp = newp; if (thisansp == ansp2) @@ -922,8 +921,7 @@ send_vc(res_state statp, Dprint(statp->options & RES_DEBUG, (stdout, ";; undersized: %d\n", len)); *terrno = EMSGSIZE; - __res_iclose(statp, false); - return (0); + return close_and_return_error (statp, resplen2); } cp = *thisansp; @@ -934,8 +932,7 @@ send_vc(res_state statp, if (__glibc_unlikely (n <= 0)) { *terrno = errno; Perror(statp, stderr, "read(vc)", errno); - __res_iclose(statp, false); - return (0); + return close_and_return_error (statp, resplen2); } if (__glibc_unlikely (truncating)) { /* |