From: Florian Weimer Date: Tue, 29 Mar 2016 10:57:56 +0000 (+0200) Subject: CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=146b58d11fddbef15b888906e3be4f33900c416f;p=thirdparty%2Fglibc.git CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) (cherry picked from commit 883dceebc8f11921a9890211a4e202e5be17562f) --- diff --git a/ChangeLog b/ChangeLog index 64a2746e2d0..4a0461d3c35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-01 Florian Weimer + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-04-01 Stefan Liebler * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef. diff --git a/NEWS b/NEWS index 674d21701d0..a08f96bd199 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,10 @@ Version 2.23.1 Security related changes: - [Add security related changes here] +* The getnetbyname implementation in nss_dns had a potentially unbounded + alloca call (in the form of a call to strdupa), leading to a stack + overflow (stack exhaustion) and a crash if getnetbyname is invoked + on a very long name. (CVE-2016-3075) The following bugs are resolved with this release: @@ -17,9 +20,12 @@ The following bugs are resolved with this release: [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS [19759] Don't inline mempcpy for x86 [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String - [19791] Assertion failure in res_query.c with un-connectable name server addresses + [19791] Assertion failure in res_query.c with un-connectable name server + addresses [19792] MIPS: backtrace yields infinite backtrace with makecontext [19822] libm.so install clobbers old version + [19879] network: nss_dns: Stack overflow in getnetbyname implementation + (CVE-2016-3075) Version 2.23 diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 2eb2f67e66a..8f301a706b3 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); if (anslen < 0) {