| blob | 19b8b6ebd877343c864750927cbff20880921ec7 |
1 Fetched from gentoo glibc patchball
2 Original patch filename: 10_all_glibc-CVE-2015-7547.patch
3 Based on: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
5 Fixes:
6 CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow.
8 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
10 --- a/resolv/nss_dns/dns-host.c
11 +++ b/resolv/nss_dns/dns-host.c
12 @@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
13 int h_namelen = 0;
15 if (ancount == 0)
16 - return NSS_STATUS_NOTFOUND;
17 + {
18 + *h_errnop = HOST_NOT_FOUND;
19 + return NSS_STATUS_NOTFOUND;
20 + }
22 while (ancount-- > 0 && cp < end_of_message && had_error == 0)
23 {
24 @@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
25 /* Special case here: if the resolver sent a result but it only
26 contains a CNAME while we are looking for a T_A or T_AAAA record,
27 we fail with NOTFOUND instead of TRYAGAIN. */
28 - return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
29 + if (canon != NULL)
30 + {
31 + *h_errnop = HOST_NOT_FOUND;
32 + return NSS_STATUS_NOTFOUND;
33 + }
34 +
35 + *h_errnop = NETDB_INTERNAL;
36 + return NSS_STATUS_TRYAGAIN;
37 }
40 @@ -1242,8 +1252,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
41 &pat, &buffer, &buflen,
42 errnop, h_errnop, ttlp,
43 &first);
44 + /* Use the second response status in some cases. */
45 if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
46 status = status2;
47 + /* Do not return a truncated second response (unless it was
48 + unavoidable e.g. unrecoverable TRYAGAIN). */
49 + if (status == NSS_STATUS_SUCCESS
50 + && (status2 == NSS_STATUS_TRYAGAIN
51 + && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
52 + status = NSS_STATUS_TRYAGAIN;
53 }
55 return status;
56 --- a/resolv/res_query.c
57 +++ b/resolv/res_query.c
58 @@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
59 {
60 free (*answerp2);
61 *answerp2 = NULL;
62 + *nanswerp2 = 0;
63 *answerp2_malloced = 0;
64 }
65 }
66 @@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
67 {
68 free (*answerp2);
69 *answerp2 = NULL;
70 + *nanswerp2 = 0;
71 *answerp2_malloced = 0;
72 }
74 @@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
75 {
76 free (*answerp2);
77 *answerp2 = NULL;
78 + *nanswerp2 = 0;
79 *answerp2_malloced = 0;
80 }
81 if (saved_herrno != -1)
82 --- a/resolv/res_send.c
83 +++ b/resolv/res_send.c
84 @@ -639,11 +639,7 @@ send_vc(res_state statp,
85 {
86 const HEADER *hp = (HEADER *) buf;
87 const HEADER *hp2 = (HEADER *) buf2;
88 - u_char *ans = *ansp;
89 - int orig_anssizp = *anssizp;
90 - // XXX REMOVE
91 - // int anssiz = *anssizp;
92 - HEADER *anhp = (HEADER *) ans;
93 + HEADER *anhp = (HEADER *) *ansp;
94 struct sockaddr *nsap = get_nsaddr (statp, ns);
95 int truncating, connreset, n;
96 /* On some architectures compiler might emit a warning indicating
97 @@ -767,35 +763,6 @@ send_vc(res_state statp,
98 assert (anscp != NULL || ansp2 == NULL);
99 thisresplenp = &resplen;
100 } else {
101 - if (*anssizp != MAXPACKET) {
102 - /* No buffer allocated for the first
103 - reply. We can try to use the rest
104 - of the user-provided buffer. */
105 -#if __GNUC_PREREQ (4, 7)
106 - DIAG_PUSH_NEEDS_COMMENT;
107 - DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
108 -#endif
109 -#if _STRING_ARCH_unaligned
110 - *anssizp2 = orig_anssizp - resplen;
111 - *ansp2 = *ansp + resplen;
112 -#else
113 - int aligned_resplen
114 - = ((resplen + __alignof__ (HEADER) - 1)
115 - & ~(__alignof__ (HEADER) - 1));
116 - *anssizp2 = orig_anssizp - aligned_resplen;
117 - *ansp2 = *ansp + aligned_resplen;
118 -#endif
119 -#if __GNUC_PREREQ (4, 7)
120 - DIAG_POP_NEEDS_COMMENT;
121 -#endif
122 - } else {
123 - /* The first reply did not fit into the
124 - user-provided buffer. Maybe the second
125 - answer will. */
126 - *anssizp2 = orig_anssizp;
127 - *ansp2 = *ansp;
128 - }
129 -
130 thisanssizp = anssizp2;
131 thisansp = ansp2;
132 thisresplenp = resplen2;
133 @@ -804,10 +771,14 @@ send_vc(res_state statp,
134 anhp = (HEADER *) *thisansp;
136 *thisresplenp = rlen;
137 - if (rlen > *thisanssizp) {
138 - /* Yes, we test ANSCP here. If we have two buffers
139 - both will be allocatable. */
140 - if (__glibc_likely (anscp != NULL)) {
141 + /* Is the answer buffer too small? */
142 + if (*thisanssizp < rlen) {
143 + /* If the current buffer is not the the static
144 + user-supplied buffer then we can reallocate
145 + it. */
146 + if (thisansp != NULL && thisansp != ansp) {
147 + /* Always allocate MAXPACKET, callers expect
148 + this specific size. */
149 u_char *newp = malloc (MAXPACKET);
150 if (newp == NULL) {
151 *terrno = ENOMEM;
152 @@ -957,8 +928,6 @@ send_dg(res_state statp,
153 {
154 const HEADER *hp = (HEADER *) buf;
155 const HEADER *hp2 = (HEADER *) buf2;
156 - u_char *ans = *ansp;
157 - int orig_anssizp = *anssizp;
158 struct timespec now, timeout, finish;
159 struct pollfd pfd[1];
160 int ptimeout;
161 @@ -1154,50 +1123,48 @@ send_dg(res_state statp,
162 assert (anscp != NULL || ansp2 == NULL);
163 thisresplenp = &resplen;
164 } else {
165 - if (*anssizp != MAXPACKET) {
166 - /* No buffer allocated for the first
167 - reply. We can try to use the rest
168 - of the user-provided buffer. */
169 -#if _STRING_ARCH_unaligned
170 - *anssizp2 = orig_anssizp - resplen;
171 - *ansp2 = *ansp + resplen;
172 -#else
173 - int aligned_resplen
174 - = ((resplen + __alignof__ (HEADER) - 1)
175 - & ~(__alignof__ (HEADER) - 1));
176 - *anssizp2 = orig_anssizp - aligned_resplen;
177 - *ansp2 = *ansp + aligned_resplen;
178 -#endif
179 - } else {
180 - /* The first reply did not fit into the
181 - user-provided buffer. Maybe the second
182 - answer will. */
183 - *anssizp2 = orig_anssizp;
184 - *ansp2 = *ansp;
185 - }
186 -
187 thisanssizp = anssizp2;
188 thisansp = ansp2;
189 thisresplenp = resplen2;
190 }
192 if (*thisanssizp < MAXPACKET
193 - /* Yes, we test ANSCP here. If we have two buffers
194 - both will be allocatable. */
195 - && anscp
196 + /* If the current buffer is not the the static
197 + user-supplied buffer then we can reallocate
198 + it. */
199 + && (thisansp != NULL && thisansp != ansp)
200 #ifdef FIONREAD
201 + /* Is the size too small? */
202 && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
203 || *thisanssizp < *thisresplenp)
204 #endif
205 ) {
206 + /* Always allocate MAXPACKET, callers expect
207 + this specific size. */
208 u_char *newp = malloc (MAXPACKET);
209 if (newp != NULL) {
210 - *anssizp = MAXPACKET;
211 - *thisansp = ans = newp;
212 + *thisanssizp = MAXPACKET;
213 + *thisansp = newp;
214 if (thisansp == ansp2)
215 *ansp2_malloced = 1;
216 }
217 }
218 + /* We could end up with truncation if anscp was NULL
219 + (not allowed to change caller's buffer) and the
220 + response buffer size is too small. This isn't a
221 + reliable way to detect truncation because the ioctl
222 + may be an inaccurate report of the UDP message size.
223 + Therefore we use this only to issue debug output.
224 + To do truncation accurately with UDP we need
225 + MSG_TRUNC which is only available on Linux. We
226 + can abstract out the Linux-specific feature in the
227 + future to detect truncation. */
228 + if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
229 + Dprint(statp->options & RES_DEBUG,
230 + (stdout, ";; response may be truncated (UDP)\n")
231 + );
232 + }
233 +
234 HEADER *anhp = (HEADER *) *thisansp;
235 socklen_t fromlen = sizeof(struct sockaddr_in6);
236 assert (sizeof(from) <= fromlen);