CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]

When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) used alloca, without malloc fallback for large responses. This commit changes this code to use calloc unconditionally. This commit also consolidated a second hostent-to-gaih_addrtuple conversion loop (in gaih_inet) to use the new conversion function. (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)
author: Florian Weimer <fweimer@redhat.com> 2016-04-29 10:35:34 +0200
committer: Florian Weimer <fweimer@redhat.com> 2016-05-11 11:55:19 +0200
commit: 1a8a7c12950a0026a3c406a7cb1608f96aa1460e (patch)
tree: fb282a9d7d058b60beef5d46200bdc33bfd8ad7f /ChangeLog
parent: 24e2b1cede1952d7d4411a3cafd25dd8593dab9f (diff)
download: glibc-1a8a7c12950a0026a3c406a7cb1608f96aa1460e.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 164f80c842..c3aa01a643 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-04-29  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #20010]
+	CVE-2016-3706
+	* sysdeps/posix/getaddrinfo.c
+	(convert_hostent_to_gaih_addrtuple): New function.
+	(gethosts): Call convert_hostent_to_gaih_addrtuple.
+	(gaih_inet): Use convert_hostent_to_gaih_addrtuple to convert
+	AF_INET data.
+
 2016-03-07  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19610]
author	Florian Weimer <fweimer@redhat.com>	2016-04-29 10:35:34 +0200
committer	Florian Weimer <fweimer@redhat.com>	2016-05-11 11:55:19 +0200
commit	1a8a7c12950a0026a3c406a7cb1608f96aa1460e (patch)
tree	fb282a9d7d058b60beef5d46200bdc33bfd8ad7f /ChangeLog
parent	24e2b1cede1952d7d4411a3cafd25dd8593dab9f (diff)
download	glibc-1a8a7c12950a0026a3c406a7cb1608f96aa1460e.tar.gz