CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]

The defensive copy is not needed because the name may not alias the
output buffer.

(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)

diff --git a/ChangeLog b/ChangeLog
index c4caed21933c50a8c8a7f9fb05ef04e27c2d3018..e90ad799a9839b19297ddab212fd1730c1a4af4b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-04-20  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #19879]
+       CVE-2016-3075
+       * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+       copy name.
+
 2016-04-19  Florian Weimer  <fweimer@redhat.com>
 
        [BZ #19791]

diff --git a/NEWS b/NEWS
index 9b796d6c88bea896f8ed8f6565989c8fc5db40e7..47b994455b5ffb90a03151586dfd8afc2a021a16 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -27,7 +27,7 @@ Version 2.18.1
   15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946,
   15996, 16009, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510,
   16617, 16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17269,
-  17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018.
+  17325, 17625, 17630, 18007, 18032, 18104, 18287, 18928, 19018, 19879.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.

diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 7507f8c46749353c07924a1e9806f46e6a3edfde..a6593c55c8725065fb41b7ba9929808d769763a1 100644 (file)
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
 
   if (__res_maybe_init (&_res, 0) == -1)
     return NSS_STATUS_UNAVAIL;
 
-  qbuf = strdupa (name);
-
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
 
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
                               1024, &net_buffer.ptr, NULL, NULL, NULL);
   if (anslen < 0)
     {