diff options
author | Arjun Shankar <arjun.is@lostca.se> | 2015-04-21 14:06:31 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2015-04-22 20:01:12 +1000 |
commit | 01b07c70ad77ef28b6a3661ed3142ebff35b6e69 (patch) | |
tree | c0e28045a7cc2b0fda16fac8f5d570efd02e552f | |
parent | 75adf430d2d7ee16eaf3166680de83b498444720 (diff) | |
download | glibc-01b07c70ad77ef28b6a3661ed3142ebff35b6e69.tar.gz |
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | resolv/nss_dns/dns-host.c | 3 |
3 files changed, 16 insertions, 2 deletions
@@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar <arjun.is@lostca.se> + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2015-02-10 Evangelos Foutras <evangelos@foutrelis.com> [BZ #17949] @@ -9,7 +9,14 @@ Version 2.21.1 * The following bugs are resolved with this release: - 17949. + 17949, 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) Version 2.21 diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f715ab0b3f..40069a73c6 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) + buflen = buflen > pad ? buflen - pad : 0; + if (__glibc_unlikely (buflen < sizeof (struct host_data))) { /* The buffer is too small. */ too_small: |