Infinite loop in res_mkquery with malformed domain name (#2255506)

2024-01-03 16:42:48 +01:00 · 2024-01-03 16:42:48 +01:00 · d6f60005eb
commit d6f60005eb
parent ca9e6ac795
2 changed files with 144 additions and 1 deletions
--- a/glibc-rh2255506.patch
+++ b/glibc-rh2255506.patch
@ -0,0 +1,139 @@
 commit 3e0853ab9a1609707ec8de453891b3c79ea556bc
 Author: Florian Weimer <fweimer@redhat.com>
 Date:   Wed Jan 3 16:40:32 2024 +0100
    Revert "resolve: Remove __res_context_query alloca usage"
    This reverts commit 40c0add7d48739f5d89ebba255c1df26629a76e2.
    The change causes an infinite loop with malformed domain
    names.
 diff --git a/resolv/res_query.c b/resolv/res_query.c
 index 1b148a2a05b8641c..049de91b95a2bd0c 100644
 --- a/resolv/res_query.c
 +++ b/resolv/res_query.c
@@ -80,7 +80,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <shlib-compat.h>
 -#include <scratch_buffer.h>
 #if PACKETSZ > 65536
 #define MAXPACKET	PACKETSZ
@@ -115,14 +114,11 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 	struct __res_state *statp = ctx->resp;
 	UHEADER *hp = (UHEADER *) answer;
 	UHEADER *hp2;
 -	int n;
 -
 -	/* It requires 2 times QUERYSIZE for type == T_QUERY_A_AND_AAAA.  */
 -	struct scratch_buffer buf;
 -	scratch_buffer_init (&buf);
 -	_Static_assert (2 * QUERYSIZE <= sizeof (buf.__space.__c),
 -			"scratch_buffer too small");
 -	u_char *query1 = buf.data;
 +	int n, use_malloc = 0;
 +
 +	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
 +	u_char *buf = alloca (bufsize);
 +	u_char *query1 = buf;
 	int nquery1 = -1;
 	u_char *query2 = NULL;
 	int nquery2 = 0;
@@ -133,28 +129,37 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 	if (type == T_QUERY_A_AND_AAAA)
 	  {
 	    n = __res_context_mkquery (ctx, QUERY, name, class, T_A, NULL,
 -				       query1, buf.length);
 +				       query1, bufsize);
 	    if (n > 0)
 	      {
 		if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
 		  {
 		    /* Use RESOLV_EDNS_BUFFER_SIZE because the receive
 		       buffer can be reallocated.  */
 -		    n = __res_nopt (ctx, n, query1, buf.length,
 +		    n = __res_nopt (ctx, n, query1, bufsize,
 				    RESOLV_EDNS_BUFFER_SIZE);
 		    if (n < 0)
 		      goto unspec_nomem;
 		  }
 		nquery1 = n;
 -		query2 = buf.data + n;
 +		/* Align the buffer.  */
 +		int npad = ((nquery1 + __alignof__ (HEADER) - 1)
 +			    & ~(__alignof__ (HEADER) - 1)) - nquery1;
 +		if (n > bufsize - npad)
 +		  {
 +		    n = -1;
 +		    goto unspec_nomem;
 +		  }
 +		int nused = n + npad;
 +		query2 = buf + nused;
 		n = __res_context_mkquery (ctx, QUERY, name, class, T_AAAA,
 -					   NULL, query2, buf.length - n);
 +					   NULL, query2, bufsize - nused);
 		if (n > 0
 		    && (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
 		  /* Use RESOLV_EDNS_BUFFER_SIZE because the receive
 		     buffer can be reallocated.  */
 -		  n = __res_nopt (ctx, n, query2, buf.length,
 +		  n = __res_nopt (ctx, n, query2, bufsize,
 				  RESOLV_EDNS_BUFFER_SIZE);
 		nquery2 = n;
 	      }
@@ -164,7 +169,7 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 	else
 	  {
 	    n = __res_context_mkquery (ctx, QUERY, name, class, type, NULL,
 -				       query1, buf.length);
 +				       query1, bufsize);
 	    if (n > 0
 		&& (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
@@ -176,25 +181,27 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 		  advertise = anslen;
 		else
 		  advertise = RESOLV_EDNS_BUFFER_SIZE;
 -		n = __res_nopt (ctx, n, query1, buf.length, advertise);
 +		n = __res_nopt (ctx, n, query1, bufsize, advertise);
 	      }
 	    nquery1 = n;
 	  }
 -	if (__glibc_unlikely (n <= 0)) {
 +	if (__glibc_unlikely (n <= 0) && !use_malloc) {
 		/* Retry just in case res_nmkquery failed because of too
 		   short buffer.  Shouldn't happen.  */
 -		if (scratch_buffer_set_array_size (&buf,
 -						   T_QUERY_A_AND_AAAA ? 2 : 1,
 -						   MAXPACKET)) {
 -			query1 = buf.data;
 +		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
 +		buf = malloc (bufsize);
 +		if (buf != NULL) {
 +			query1 = buf;
 +			use_malloc = 1;
 			goto again;
 		}
 	}
 	if (__glibc_unlikely (n <= 0))       {
 		RES_SET_H_ERRNO(statp, NO_RECOVERY);
 -		scratch_buffer_free (&buf);
 +		if (use_malloc)
 +			free (buf);
 		return (n);
 	}
@@ -217,7 +224,8 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 				    answerp2_malloced);
 	  }
 -	scratch_buffer_free (&buf);
 +	if (use_malloc)
 +		free (buf);
 	if (n < 0) {
 		RES_SET_H_ERRNO(statp, TRY_AGAIN);
 		return (n);
--- a/glibc.spec
+++ b/glibc.spec
@ -171,7 +171,7 @@ Version: %{glibcversion}
 # - It allows using the Release number without the %%dist tag in the dependency
 #   generator to make the generated requires interchangeable between Rawhide
 #   and ELN (.elnYY < .fcXX).
-%global baserelease 29
+%global baserelease 30
 Release: %{baserelease}%{?dist}
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
@ -242,6 +242,7 @@ Patch9: glibc-rh827510.patch
 Patch13: glibc-fedora-localedata-rh61908.patch
 Patch17: glibc-cs-path.patch
 Patch23: glibc-python3.patch
 Patch24: glibc-rh2255506.patch
 ##############################################################################
 # Continued list of core "glibc" package information:
@ -2212,6 +2213,9 @@ update_gconv_modules_cache ()
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
 %changelog
 * Wed Jan  3 2024 Florian Weimer <fweimer@redhat.com> - 2.38.9000-30
 - Infinite loop in res_mkquery with malformed domain name (#2255506)
 * Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 2.38.9000-29
 - Auto-sync with upstream branch master,
  commit 61bac1a9d2ab80ebcbc51484722e6ea43414bec7: