CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]

The defensive copy is not needed because the name may not alias the
output buffer.

(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)

diff --git a/ChangeLog b/ChangeLog
index 990701960483cc3513d37174aadc9f777c449819..685dd909f2ac3cca32f6897954212fee82f1b80a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-04-01  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #19879]
+       CVE-2016-3075
+       * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+       copy name.
+
 2016-02-12  Florian Weimer  <fweimer@redhat.com>
 
        * misc/bug18240.c (do_test): Set RLIMIT_AS.

diff --git a/NEWS b/NEWS
index 0d1952c9f441df85f416f776357175bb46a735de..d7da53f9ba2f30f7e34e575c6b4bb6818cf21e0b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,7 @@ Version 2.19.1
   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
   16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
   17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
-  18032, 18240, 18287, 18905.
+  18032, 18240, 18287, 18905, 19879.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
@@ -63,6 +63,11 @@ Version 2.19.1
   the get*ent functions if any of the query functions for the same database
   are used during the iteration, causing a denial-of-service condition in
   some applications.
+
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+  alloca call (in the form of a call to strdupa), leading to a stack
+  overflow (stack exhaustion) and a crash if getnetbyname is invoked
+  on a very long name.  (CVE-2016-3075)
 \f
 Version 2.19
 

diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 13ad38c5dec258d7cc75e5658bc70fd5d097c4ae..37de664818c95277263b3403c244d307e2155587 100644 (file)
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
 
   if (__res_maybe_init (&_res, 0) == -1)
     return NSS_STATUS_UNAVAIL;
 
-  qbuf = strdupa (name);
-
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
 
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
                               1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
   if (anslen < 0)
     {