From: Stan Shebs
Date: Mon, 17 Aug 2015 21:39:38 +0000 (-0700)
Subject: Backport fix for BZ 18287 (CVE-2015-1781)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4be23b848411e7d9f6dc8b15e677594f9ffa24f5;p=thirdparty%2Fglibc.git

Backport fix for BZ 18287 (CVE-2015-1781)
---
diff --git a/README.google b/README.google
index cd604a37dfa..01359a0b9a3 100644
--- a/README.google
+++ b/README.google
@@ -461,3 +461,7 @@ nptl/tst-tls77mod.c
 upstream commit https://sourceware.org/git/?p=glibc.git&a=commit&h=f8aeae347377f3dfa8cbadde057adf1827fb1d44 fixes this problem in a different way, so this patch is not needed upstream.
+
+resolv/nss_dns/dns-host.c
+ For b/21023324, backport buffer overflow in getanswer_r (PR18287, CVE-2015-1781)
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f8f192e5afb..511bbe2d740 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -613,7 +613,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 int have_to_map = 0;
 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
 buffer += pad;
- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
 {
 /* The buffer is too small. */
 too_small:
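Review bot: The added `buflen = buflen > pad ? buflen - pad : 0;` line in the dns-host.c hunk carries the whole fix but has no comment, so nothing tells a later reader that `buflen` must shrink in step with `buffer += pad`. I would put above it something like `/* buffer was advanced by pad bytes; reduce buflen to match, clamping at 0 so the subtraction cannot wrap, so later size checks see only the space really left. */`. From this line on `buflen` means the bytes remaining after alignment, not the caller's original length. That matters because the body of getanswer_r continues outside the hunk and presumably sizes its later writes from this value. As far as the visible hunks show, the backport also adds no regression test that passes a misaligned buffer; one would pin the behaviour if the alignment code is touched again.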