inet/tst-if_index-long: New test case for CVE-2018-19591 [BZ #23927]

(cherry picked from commit 899478c2bfa00c5df8d8bedb52effbb065700278)

diff --git a/ChangeLog b/ChangeLog
index e6451fe03e3c7c56985f69e3b91fbed41cc78bba..44202d96fda065441aeb1b4fe166424630d94bd1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-07  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #23927]
+       CVE-2018-19591
+       * inet/tst-if_index-long.c: New file.
+       * inet/Makefile (tests): Add tst-if_index-long.
+
 2018-12-07  Florian Weimer  <fweimer@redhat.com>
 
        * support/check.h (support_record_failure_is_failed): Declare.

diff --git a/inet/Makefile b/inet/Makefile
index 09f5ba78fc5f3120e71c23126af4a6e02c4976da..7782913b4c06f057bcfe8abf197dc2b6a397e612 100644 (file)
--- a/inet/Makefile
+++ b/inet/Makefile
@@ -52,7 +52,7 @@ aux := check_pf check_native ifreq
 tests := htontest test_ifindex tst-ntoa tst-ether_aton tst-network \
         tst-gethnm test-ifaddrs bug-if1 test-inet6_opt tst-ether_line \
         tst-getni1 tst-getni2 tst-inet6_rth tst-checks tst-checks-posix \
-        tst-sockaddr test-hnto-types
+        tst-sockaddr test-hnto-types tst-if_index-long
 
 # tst-deadline must be linked statically so that we can access
 # internal functions.

diff --git a/inet/tst-if_index-long.c b/inet/tst-if_index-long.c
new file mode 100644 (file)
index 0000000..3dc7487
--- /dev/null
+++ b/inet/tst-if_index-long.c
@@ -0,0 +1,61 @@
+/* Check for descriptor leak in if_nametoindex with a long interface name.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This test checks for a descriptor leak in case of a long interface
+   name (CVE-2018-19591, bug 23927).  */
+
+#include <errno.h>
+#include <net/if.h>
+#include <netdb.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/descriptors.h>
+#include <support/support.h>
+
+static int
+do_test (void)
+{
+  struct support_descriptors *descrs = support_descriptors_list ();
+
+  /* Prepare a name which is just as long as required for trigging the
+     bug.  */
+  char name[IFNAMSIZ + 1];
+  memset (name, 'A', IFNAMSIZ);
+  name[IFNAMSIZ] = '\0';
+  TEST_COMPARE (strlen (name), IFNAMSIZ);
+  struct ifreq ifr;
+  TEST_COMPARE (strlen (name), sizeof (ifr.ifr_name));
+
+  /* Test directly via if_nametoindex.  */
+  TEST_COMPARE (if_nametoindex (name), 0);
+  TEST_COMPARE (errno, ENODEV);
+  support_descriptors_check (descrs);
+
+  /* Same test via getaddrinfo.  */
+  char *host = xasprintf ("fea0::%%%s", name);
+  struct addrinfo hints = { .ai_flags = AI_NUMERICHOST, };
+  struct addrinfo *ai;
+  TEST_COMPARE (getaddrinfo (host, NULL, &hints, &ai), EAI_NONAME);
+  support_descriptors_check (descrs);
+
+  support_descriptors_free (descrs);
+
+  return 0;
+}
+
+#include <support/test-driver.c>