CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]

author: Arjun Shankar <arjun.is@lostca.se> 2015-04-21 14:06:31 +0200
committer: Florian Weimer <fweimer@redhat.com> 2015-04-21 14:06:50 +0200
commit: 2959eda9272a033863c271aff62095abd01bd4e3 (patch)
tree: 921b14d182ce222b9b44f983e8dca7bacb3c8fda /resolv
parent: 7bf8fb104226407b75103b95525364c4667c869f (diff)
download: glibc-2959eda9272a033863c271aff62095abd01bd4e3.tar.gz
glibc-2959eda9272a033863c271aff62095abd01bd4e3.tar.xz
glibc-2959eda9272a033863c271aff62095abd01bd4e3.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index b16b0ddf11..d8c5579159 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small:
author	Arjun Shankar <arjun.is@lostca.se>	2015-04-21 14:06:31 +0200
committer	Florian Weimer <fweimer@redhat.com>	2015-04-21 14:06:50 +0200
commit	2959eda9272a033863c271aff62095abd01bd4e3 (patch)
tree	921b14d182ce222b9b44f983e8dca7bacb3c8fda /resolv
parent	7bf8fb104226407b75103b95525364c4667c869f (diff)
download	glibc-2959eda9272a033863c271aff62095abd01bd4e3.tar.gz glibc-2959eda9272a033863c271aff62095abd01bd4e3.tar.xz glibc-2959eda9272a033863c271aff62095abd01bd4e3.zip