Avoid infinite loop in nss_dns getnetbyname [BZ #17630]

diff --git a/ChangeLog b/ChangeLog
index 7e859833dc700cc91865b8a497e5404a12dc35b0..e64ffd1c5ef323c5a926a54c15817872146e5b60 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-12-16  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #17630]
+       * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
+       names.
+
 2014-12-15  Jeff Law  <law@redhat.com>
 
        [BZ #16617]

diff --git a/NEWS b/NEWS
index cbac49229fe86819845c9f7a2510f7832823fdc1..49909f1834ae552edc330105d88551f45aabae18 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.16.1
 * The following bugs are resolved with this release:
 
   6530, 14195, 14547, 14459, 14476, 14562, 14621, 14648, 14699, 14756, 14831,
-  15078, 15754, 15755, 16072, 16617, 17048, 17137, 17187, 17325.
+  15078, 15754, 15755, 16072, 16617, 17048, 17137, 17187, 17325, 17630.
+
+* The nss_dns implementation of getnetbyname could run into an infinite loop
+  if the DNS response contained a PTR record of an unexpected format.
 
 * CVE-2012-3406 printf-style functions could run into a stack overflow when
   processing format strings with a large number of format specifiers.

diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 4c590babae4a451d2ae3c8b3121a8acd94b4ace2..d101306099a64dc9c972e3c88aa23207ef751c3b 100644 (file)
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
 
        case BYNAME:
          {
-           char **ap = result->n_aliases++;
-           while (*ap != NULL)
+           char **ap;
+           for (ap = result->n_aliases; *ap != NULL; ++ap)
              {
                /* Check each alias name for being of the forms:
                   4.3.2.1.in-addr.arpa         = net 1.2.3.4