summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArjun Shankar <arjun.is@lostca.se>2015-04-21 14:06:31 +0200
committerAllan McRae <allan@archlinux.org>2015-04-22 20:01:12 +1000
commit01b07c70ad77ef28b6a3661ed3142ebff35b6e69 (patch)
treec0e28045a7cc2b0fda16fac8f5d570efd02e552f
parent75adf430d2d7ee16eaf3166680de83b498444720 (diff)
downloadglibc-01b07c70ad77ef28b6a3661ed3142ebff35b6e69.tar.gz
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
-rw-r--r--ChangeLog6
-rw-r--r--NEWS9
-rw-r--r--resolv/nss_dns/dns-host.c3
3 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 45579dea40..26feb0734e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
[BZ #17949]
diff --git a/NEWS b/NEWS
index ff79f0d1b5..c9f6b58486 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,14 @@ Version 2.21.1
* The following bugs are resolved with this release:
- 17949.
+ 17949, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
Version 2.21
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0b3f..40069a73c6 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
{
/* The buffer is too small. */
too_small: