From d3d94abbe8af2aa6e3de6a85983b9f17070a7564 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 20 Apr 2016 09:01:33 -0500 Subject: CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) --- ChangeLog | 7 +++++++ NEWS | 2 +- resolv/nss_dns/dns-network.c | 5 +---- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index c4caed2193..e90ad799a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-20 Florian Weimer + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-04-19 Florian Weimer [BZ #19791] diff --git a/NEWS b/NEWS index 9b796d6c88..47b994455b 100644 --- a/NEWS +++ b/NEWS @@ -27,7 +27,7 @@ Version 2.18.1 15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946, 15996, 16009, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617, 16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17269, - 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018. + 17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018, 19879. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 7507f8c467..a6593c55c8 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL); if (anslen < 0) { -- cgit 1.4.1