Backport fix for BZ 18287 (CVE-2015-1781)

author Stan Shebs <stanshebs@google.com>

Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)

committer Stan Shebs <stanshebs@google.com>

Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)
author Stan Shebs <stanshebs@google.com>
Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)
committer Stan Shebs <stanshebs@google.com>
Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)
diff --git a/README.google b/README.google

index cd604a37dfa3ec15f0ed8fe8cb147df2c44d9c85..01359a0b9a3ef23e55a88ef9f3f1f67ac2be6cf6 100644 (file)
--- a/README.google
+++ b/README.google
@@ -461,3 +461,7 @@ nptl/tst-tls77mod.c
    upstream commit
    https://sourceware.org/git/?p=glibc.git&a=commit&h=f8aeae347377f3dfa8cbadde057adf1827fb1d44
    fixes this problem in a different way, so this patch is not needed upstream.
+
+resolv/nss_dns/dns-host.c
+  For b/21023324, backport buffer overflow in getanswer_r (PR18287, CVE-2015-1781)
+  https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c

index f8f192e5afb54f22667066e461a91a0e8d00d3a0..511bbe2d7407c29a4d3e56380880d6ff4624ba70 100644 (file)
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -613,7 +613,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
    int have_to_map = 0;
    uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
    buffer += pad;
-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
      {
        /* The buffer is too small.  */
      too_small:
author	Stan Shebs <stanshebs@google.com>
	Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)
committer	Stan Shebs <stanshebs@google.com>
	Mon, 17 Aug 2015 21:39:38 +0000 (14:39 -0700)
README.google		patch \| blob \| blame \| history
resolv/nss_dns/dns-host.c		patch \| blob \| blame \| history