Fix stack overflow in getaddrinfo with many resultsibm/2.16/master

Conflicts: NEWS
author: Andreas Schwab <schwab@suse.de> 2013-03-21 15:50:27 +0100
committer: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> 2015-04-13 17:39:37 -0300
commit: 002be9b8d178ace55a47dd9e2c166f217e380380 (patch)
tree: a6b007190d1e20f22a71246508cad4173ae41866
parent: e9c2f97bf02666b01aa4af63c4e41355396acc3c (diff)
download: glibc-ibm/2.16/master.tar.gz
3 files changed, 32 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 246f0a5184..b6ef28d738 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2013-04-03  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #15330]
+	* sysdeps/posix/getaddrinfo.c (getaddrinfo): Allocate results and
+	order arrays from heap if bigger than alloca cutoff.
+
 2014-06-03  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #15946]
diff --git a/NEWS b/NEWS
index 6a49b4bdb5..2b31faa0ea 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,11 @@ Version 2.16.1
 * The following bugs are resolved with this release:
 
   6530, 14195, 14547, 14459, 14476, 14562, 14621, 14648, 14699, 14719,
-  14756, 14831, 15014, 15078, 15754, 15755, 15946, 16072, 16431, 16617,
-  16618, 17048, 17137, 17187, 17325, 17625, 17630.
+  14756, 14831, 15014, 15078, 15330, 15754, 15755, 15946, 16072, 16431,
+  16617, 16618, 17048, 17137, 17187, 17325, 17625, 17630.
+
+* CVE-2013-1914 Stack overflow in getaddrinfo with many results has been
+  fixed (Bugzilla #15330).
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index dd85130554..c88e1ec005 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -2467,11 +2467,27 @@ getaddrinfo (const char *name, const char *service,
       __typeof (once) old_once = once;
       __libc_once (once, gaiconf_init);
       /* Sort results according to RFC 3484.  */
-      struct sort_result results[nresults];
-      size_t order[nresults];
+      struct sort_result *results;
+      size_t *order;
       struct addrinfo *q;
       struct addrinfo *last = NULL;
       char *canonname = NULL;
+      bool malloc_results;
+
+      malloc_results
+	= !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      if (malloc_results)
+	{
+	  results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
+	  if (results == NULL)
+	    {
+	      __free_in6ai (in6ai);
+	      return EAI_MEMORY;
+	    }
+	}
+      else
+	results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      order = (size_t *) (results + nresults);
 
       /* Now we definitely need the interface information.  */
       if (! check_pf_called)
@@ -2642,6 +2658,9 @@ getaddrinfo (const char *name, const char *service,
 
       /* Fill in the canonical name into the new first entry.  */
       p->ai_canonname = canonname;
+
+      if (malloc_results)
+	free (results);
     }
 
   __free_in6ai (in6ai);
author	Andreas Schwab <schwab@suse.de>	2013-03-21 15:50:27 +0100
committer	Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>	2015-04-13 17:39:37 -0300
commit	002be9b8d178ace55a47dd9e2c166f217e380380 (patch)
tree	a6b007190d1e20f22a71246508cad4173ae41866
parent	e9c2f97bf02666b01aa4af63c4e41355396acc3c (diff)
download	glibc-ibm/2.16/master.tar.gz