CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]

(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)

diff --git a/ChangeLog b/ChangeLog
index 45579dea4082523b2c8bf8210e8d5679309fdd01..26feb0734ef8360273ffd3a24fed1f184c39a20e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+       [BZ #18287]
+       * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+       based on padding.  (CVE-2015-1781)
+
 2015-02-10  Evangelos Foutras  <evangelos@foutrelis.com>
 
        [BZ #17949]

diff --git a/NEWS b/NEWS
index ff79f0d1b5b32e2eb2a1c27019b3fab00efe0010..c9f6b584866724dd5657a8eae2590c3057dd33f6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,14 @@ Version 2.21.1
 
 * The following bugs are resolved with this release:
 
-  17949.
+  17949, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 \f
 Version 2.21
 

diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0b3fa7886afe9b9143d000d7f2ac0540b2..40069a73c63cbb3ef4e2ae052740da54ca967245 100644 (file)
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small: