From: Florian Weimer Date: Tue, 29 Mar 2016 10:57:56 +0000 (+0200) Subject: CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a02f3e795993ae0f80242b488061b74666605625;p=thirdparty%2Fglibc.git CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) --- diff --git a/ChangeLog b/ChangeLog index 99070196048..685dd909f2a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-01 Florian Weimer + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-02-12 Florian Weimer * misc/bug18240.c (do_test): Set RLIMIT_AS. diff --git a/NEWS b/NEWS index 0d1952c9f44..d7da53f9ba2 100644 --- a/NEWS +++ b/NEWS @@ -12,7 +12,7 @@ Version 2.19.1 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007, - 18032, 18240, 18287, 18905. + 18032, 18240, 18287, 18905, 19879. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a @@ -63,6 +63,11 @@ Version 2.19.1 the get*ent functions if any of the query functions for the same database are used during the iteration, causing a denial-of-service condition in some applications. + +* The getnetbyname implementation in nss_dns had a potentially unbounded + alloca call (in the form of a call to strdupa), leading to a stack + overflow (stack exhaustion) and a crash if getnetbyname is invoked + on a very long name. (CVE-2016-3075) Version 2.19 diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 13ad38c5dec..37de664818c 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); if (anslen < 0) {