author | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2023-09-15 13:51:12 -0400 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2023-09-15 14:38:28 -0400 |
commit | 973fe93a5675c42798b2161c6f29c01b0e243994 (patch) | |
tree | cc0af798900de7b19816445d0a8157f52d696f30 /nss/bug-erange.c | |
parent | 780adf7aeab9308c02d89260df6ffa84dc2289a5 (diff) | |
getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'nss/bug-erange.c')
0 files changed, 0 insertions, 0 deletions
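
The lifetime problem the commit message describes, reduced to a toy model. This is an added example, not glibc code: `struct scratch`, `plugin_lookup`, `query`, `resolve`, the buffer sizes and the host name are all hypothetical. It never reads the stale pointer; it counts frees to show that a name borrowed from the shared buffer outlives its storage unless it is copied first.

```c
#include <stdlib.h>
#include <string.h>

/* Toy scratch buffer: starts in caller storage, moves to the heap on growth. */
struct scratch { char *data; size_t len; int on_heap; unsigned frees; };

/* Double the buffer without keeping its contents.  Old heap storage is
   freed, so every pointer into it dangles from here on. */
static int scratch_grow(struct scratch *s) {
    char *n = malloc(s->len * 2);
    if (n == NULL) return -1;
    if (s->on_heap) { free(s->data); s->frees++; }
    s->data = n; s->len *= 2; s->on_heap = 1;
    return 0;
}

/* Hypothetical plugin callback: stores the name in the scratch buffer and
   returns a pointer into it, or NULL ("try again") if `need` does not fit. */
static const char *plugin_lookup(struct scratch *s, const char *host, size_t need) {
    if (need > s->len) return NULL;
    memcpy(s->data, host, strlen(host) + 1);
    return s->data;
}

/* One gethosts-style query: retry with a larger buffer until it fits. */
static const char *query(struct scratch *s, const char *host, size_t need) {
    const char *r;
    while ((r = plugin_lookup(s, host, need)) == NULL)
        if (scratch_grow(s) != 0) return NULL;
    return r;
}

/* Two queries share one scratch buffer, then the name is handed on.
   Returns 1 if that name points into freed storage, 0 if it is safe to
   read, -1 on allocation failure.  *canon_out is the copy (caller frees). */
static int resolve(int copy_name, char **canon_out) {
    char stackbuf[16];                       /* constructed sizes and host name */
    struct scratch s = { stackbuf, sizeof stackbuf, 0, 0 };
    int rc = -1; *canon_out = NULL;
    const char *name = query(&s, "host.example", 64);       /* first lookup */
    if (name != NULL && copy_name && (*canon_out = malloc(strlen(name) + 1)))
        strcpy(*canon_out, name);            /* the fix: copy before reuse */
    unsigned frees_then = s.frees;
    int borrowed = name != NULL && !copy_name && s.on_heap;
    if (name != NULL && (!copy_name || *canon_out) && query(&s, "host.example", 256))
        rc = borrowed && s.frees != frees_then;             /* second lookup */
    if (s.on_heap) free(s.data);
    return rc;
}
```

`resolve(0, &p)` models the borrowed pointer and reports it as dangling; `resolve(1, &p)` models the copy-then-free approach the commit message describes.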