+2016-05-24 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #19879]
+ CVE-2016-3075
+ * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+ copy name.
+
2016-05-24 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #17905]
called with the GLOB_ALTDIRFUNC flag and encountered a long file name.
Reported by Alexander Cherepanov. (CVE-2016-1234)
+* An unnecessary stack copy in _nss_dns_getnetbyname_r was removed. It
+ could result in a stack overflow when getnetbyname was called with an
+ overly long name. (CVE-2016-3075)
+
* Previously, getaddrinfo copied large amounts of address data to the stack,
even after the fix for CVE-2013-4458 has been applied, potentially
resulting in a stack overflow. getaddrinfo now uses a heap allocation
} net_buffer;
querybuf *orig_net_buffer;
int anslen;
- char *qbuf;
enum nss_status status;
if (__res_maybe_init (&_res, 0) == -1)
return NSS_STATUS_UNAVAIL;
- qbuf = strdupa (name);
-
net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
if (anslen < 0)
{
projects / thirdparty / glibc.git / commitdiff
