metalefty/glibc
1
0
Fork 0
forked from rpms/glibc
Code Pull Requests Activity

Sync with upstream master after 2.23 branch.

Browse Source 
- Drop glibc-CVE-2015-7547.patch, glibc-isinf-cxx11.patch
  and glibc-rh1114591.patch since they are all upstream.
This commit is contained in:
Carlos O'Donell 2016-02-25 15:48:36 -05:00
parent ba7912605b
commit dd72bee11f
8 changed files with 36 additions and 691 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
/glibc-2.22-719-g1233be7.tar.gz
/glibc-2.23-40-gde51ff8.tar.gz

567
glibc-CVE-2015-7547.patch
View File

@ -1,567 +0,0 @@
CVE-2015-7547
2016-02-15 Carlos O'Donell <carlos@redhat.com>
[BZ #18665]
* resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set
*herrno_p.
(gaih_getanswer): Document functional behviour. Return tryagain
if any result is tryagain.
* resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero
when freed.
* resolv/res_send.c: Add copyright text.
(__libc_res_nsend): Document that MAXPACKET is expected.
(send_vc): Document. Remove buffer reuse.
(send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the
size of the buffer. Add Dprint for truncated UDP buffer.
Index: glibc-2.22-719-g1233be7/resolv/nss_dns/dns-host.c
===================================================================
--- glibc-2.22-719-g1233be7.orig/resolv/nss_dns/dns-host.c
+++ glibc-2.22-719-g1233be7/resolv/nss_dns/dns-host.c
@@ -1041,7 +1041,10 @@ gaih_getanswer_slice (const querybuf *an
int h_namelen = 0;
if (ancount == 0)
- return NSS_STATUS_NOTFOUND;
+ {
+ *h_errnop = HOST_NOT_FOUND;
+ return NSS_STATUS_NOTFOUND;
+ }
while (ancount-- > 0 && cp < end_of_message && had_error == 0)
{
@@ -1218,7 +1221,14 @@ gaih_getanswer_slice (const querybuf *an
/* Special case here: if the resolver sent a result but it only
contains a CNAME while we are looking for a T_A or T_AAAA record,
we fail with NOTFOUND instead of TRYAGAIN. */
- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ if (canon != NULL)
+ {
+ *h_errnop = HOST_NOT_FOUND;
+ return NSS_STATUS_NOTFOUND;
+ }
+
+ *h_errnop = NETDB_INTERNAL;
+ return NSS_STATUS_TRYAGAIN;
}
@@ -1232,11 +1242,101 @@ gaih_getanswer (const querybuf *answer1,
enum nss_status status = NSS_STATUS_NOTFOUND;
+ /* Combining the NSS status of two distinct queries requires some
+ compromise and attention to symmetry (A or AAAA queries can be
+ returned in any order). What follows is a breakdown of how this
+ code is expected to work and why. We discuss only SUCCESS,
+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
+ that apply (though RETURN and MERGE exist). We make a distinction
+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
+ A recoverable TRYAGAIN is almost always due to buffer size issues
+ and returns ERANGE in errno and the caller is expected to retry
+ with a larger buffer.
+
+ Lastly, you may be tempted to make significant changes to the
+ conditions in this code to bring about symmetry between responses.
+ Please don't change anything without due consideration for
+ expected application behaviour. Some of the synthesized responses
+ aren't very well thought out and sometimes appear to imply that
+ IPv4 responses are always answer 1, and IPv6 responses are always
+ answer 2, but that's not true (see the implemetnation of send_dg
+ and send_vc to see response can arrive in any order, particlarly
+ for UDP). However, we expect it holds roughly enough of the time
+ that this code works, but certainly needs to be fixed to make this
+ a more robust implementation.
+
+ ----------------------------------------------
+ | Answer 1 Status / | Synthesized | Reason |
+ | Answer 2 Status | Status | |
+ |--------------------------------------------|
+ | SUCCESS/SUCCESS | SUCCESS | [1] |
+ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] |
+ | SUCCESS/TRYAGAIN' | SUCCESS | [1] |
+ | SUCCESS/NOTFOUND | SUCCESS | [1] |
+ | SUCCESS/UNAVAIL | SUCCESS | [1] |
+ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] |
+ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] |
+ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] |
+ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] |
+ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] |
+ | TRYAGAIN'/SUCCESS | SUCCESS | [3] |
+ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] |
+ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] |
+ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] |
+ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] |
+ | NOTFOUND/SUCCESS | SUCCESS | [3] |
+ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] |
+ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] |
+ | NOTFOUND/NOTFOUND | NOTFOUND | [3] |
+ | NOTFOUND/UNAVAIL | UNAVAIL | [3] |
+ | UNAVAIL/SUCCESS | UNAVAIL | [4] |
+ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] |
+ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] |
+ | UNAVAIL/NOTFOUND | UNAVAIL | [4] |
+ | UNAVAIL/UNAVAIL | UNAVAIL | [4] |
+ ----------------------------------------------
+
+ [1] If the first response is a success we return success.
+ This ignores the state of the second answer and in fact
+ incorrectly sets errno and h_errno to that of the second
+ answer. However because the response is a success we ignore
+ *errnop and *h_errnop (though that means you touched errno on
+ success). We are being conservative here and returning the
+ likely IPv4 response in the first answer as a success.
+
+ [2] If the first response is a recoverable TRYAGAIN we return
+ that instead of looking at the second response. The
+ expectation here is that we have failed to get an IPv4 response
+ and should retry both queries.
+
+ [3] If the first response was not a SUCCESS and the second
+ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
+ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
+ result from the second response, otherwise the first responses
+ status is used. Again we have some odd side-effects when the
+ second response is NOTFOUND because we overwrite *errnop and
+ *h_errnop that means that a first answer of NOTFOUND might see
+ its *errnop and *h_errnop values altered. Whether it matters
+ in practice that a first response NOTFOUND has the wrong
+ *errnop and *h_errnop is undecided.
+
+ [4] If the first response is UNAVAIL we return that instead of
+ looking at the second response. The expectation here is that
+ it will have failed similarly e.g. configuration failure.
+
+ [5] Testing this code is complicated by the fact that truncated
+ second response buffers might be returned as SUCCESS if the
+ first answer is a SUCCESS. To fix this we add symmetry to
+ TRYAGAIN with the second response. If the second response
+ is a recoverable error we now return TRYAGIN even if the first
+ response was SUCCESS. */
+
if (anslen1 > 0)
status = gaih_getanswer_slice(answer1, anslen1, qname,
&pat, &buffer, &buflen,
errnop, h_errnop, ttlp,
&first);
+
if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
|| (status == NSS_STATUS_TRYAGAIN
/* We want to look at the second answer in case of an
@@ -1252,8 +1352,15 @@ gaih_getanswer (const querybuf *answer1,
&pat, &buffer, &buflen,
errnop, h_errnop, ttlp,
&first);
+ /* Use the second response status in some cases. */
if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
status = status2;
+ /* Do not return a truncated second response (unless it was
+ unavoidable e.g. unrecoverable TRYAGAIN). */
+ if (status == NSS_STATUS_SUCCESS
+ && (status2 == NSS_STATUS_TRYAGAIN
+ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
+ status = NSS_STATUS_TRYAGAIN;
}
return status;
Index: glibc-2.22-719-g1233be7/resolv/res_query.c
===================================================================
--- glibc-2.22-719-g1233be7.orig/resolv/res_query.c
+++ glibc-2.22-719-g1233be7/resolv/res_query.c
@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
{
free (*answerp2);
*answerp2 = NULL;
+ *nanswerp2 = 0;
*answerp2_malloced = 0;
}
}
@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
{
free (*answerp2);
*answerp2 = NULL;
+ *nanswerp2 = 0;
*answerp2_malloced = 0;
}
@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
{
free (*answerp2);
*answerp2 = NULL;
+ *nanswerp2 = 0;
*answerp2_malloced = 0;
}
if (saved_herrno != -1)
Index: glibc-2.22-719-g1233be7/resolv/res_send.c
===================================================================
--- glibc-2.22-719-g1233be7.orig/resolv/res_send.c
+++ glibc-2.22-719-g1233be7/resolv/res_send.c
@@ -1,3 +1,20 @@
+/* Copyright (C) 2016 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
/*
* Copyright (c) 1985, 1989, 1993
* The Regents of the University of California. All rights reserved.
@@ -353,6 +370,8 @@ __libc_res_nsend(res_state statp, const
#ifdef USE_HOOKS
if (__glibc_unlikely (statp->qhook || statp->rhook)) {
if (anssiz < MAXPACKET && ansp) {
+ /* Always allocate MAXPACKET, callers expect
+ this specific size. */
u_char *buf = malloc (MAXPACKET);
if (buf == NULL)
return (-1);
@@ -652,6 +671,77 @@ libresolv_hidden_def (res_nsend)
/* Private */
+/* The send_vc function is responsible for sending a DNS query over TCP
+ to the nameserver numbered NS from the res_state STATP i.e.
+ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
+ IPv6 queries at the same serially on the same socket.
+
+ Please note that for TCP there is no way to disable sending both
+ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
+ and sends the queries serially and waits for the result after each
+ sent query. This implemetnation should be corrected to honour these
+ options.
+
+ Please also note that for TCP we send both queries over the same
+ socket one after another. This technically violates best practice
+ since the server is allowed to read the first query, respond, and
+ then close the socket (to service another client). If the server
+ does this, then the remaining second query in the socket data buffer
+ will cause the server to send the client an RST which will arrive
+ asynchronously and the client's OS will likely tear down the socket
+ receive buffer resulting in a potentially short read and lost
+ response data. This will force the client to retry the query again,
+ and this process may repeat until all servers and connection resets
+ are exhausted and then the query will fail. It's not known if this
+ happens with any frequency in real DNS server implementations. This
+ implementation should be corrected to use two sockets by default for
+ parallel queries.
+
+ The query stored in BUF of BUFLEN length is sent first followed by
+ the query stored in BUF2 of BUFLEN2 length. Queries are sent
+ serially on the same socket.
+
+ Answers to the query are stored firstly in *ANSP up to a max of
+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
+ is non-NULL (to indicate that modifying the answer buffer is allowed)
+ then malloc is used to allocate a new response buffer and ANSCP and
+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
+ are needed but ANSCP is NULL, then as much of the response as
+ possible is read into the buffer, but the results will be truncated.
+ When truncation happens because of a small answer buffer the DNS
+ packets header feild TC will bet set to 1, indicating a truncated
+ message and the rest of the socket data will be read and discarded.
+
+ Answers to the query are stored secondly in *ANSP2 up to a max of
+ *ANSSIZP2 bytes, with the actual response length stored in
+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
+ is non-NULL (required for a second query) then malloc is used to
+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
+ size and *ANSP2_MALLOCED is set to 1.
+
+ The ANSP2_MALLOCED argument will eventually be removed as the
+ change in buffer pointer can be used to detect the buffer has
+ changed and that the caller should use free on the new buffer.
+
+ Note that the answers may arrive in any order from the server and
+ therefore the first and second answer buffers may not correspond to
+ the first and second queries.
+
+ It is not supported to call this function with a non-NULL ANSP2
+ but a NULL ANSCP. Put another way, you can call send_vc with a
+ single unmodifiable buffer or two modifiable buffers, but no other
+ combination is supported.
+
+ It is the caller's responsibility to free the malloc allocated
+ buffers by detecting that the pointers have changed from their
+ original values i.e. *ANSCP or *ANSP2 has changed.
+
+ If errors are encountered then *TERRNO is set to an appropriate
+ errno value and a zero result is returned for a recoverable error,
+ and a less-than zero result is returned for a non-recoverable error.
+
+ If no errors are encountered then *TERRNO is left unmodified and
+ a the length of the first response in bytes is returned. */
static int
send_vc(res_state statp,
const u_char *buf, int buflen, const u_char *buf2, int buflen2,
@@ -661,11 +751,7 @@ send_vc(res_state statp,
{
const HEADER *hp = (HEADER *) buf;
const HEADER *hp2 = (HEADER *) buf2;
- u_char *ans = *ansp;
- int orig_anssizp = *anssizp;
- // XXX REMOVE
- // int anssiz = *anssizp;
- HEADER *anhp = (HEADER *) ans;
+ HEADER *anhp = (HEADER *) *ansp;
struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
int truncating, connreset, n;
/* On some architectures compiler might emit a warning indicating
@@ -754,6 +840,8 @@ send_vc(res_state statp,
* Receive length & response
*/
int recvresp1 = 0;
+ /* Skip the second response if there is no second query.
+ To do that we mark the second response as received. */
int recvresp2 = buf2 == NULL;
uint16_t rlen16;
read_len:
@@ -790,36 +878,14 @@ send_vc(res_state statp,
u_char **thisansp;
int *thisresplenp;
if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
+ /* We have not received any responses
+ yet or we only have one response to
+ receive. */
thisanssizp = anssizp;
thisansp = anscp ?: ansp;
assert (anscp != NULL || ansp2 == NULL);
thisresplenp = &resplen;
} else {
- if (*anssizp != MAXPACKET) {
- /* No buffer allocated for the first
- reply. We can try to use the rest
- of the user-provided buffer. */
- DIAG_PUSH_NEEDS_COMMENT;
- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
-#if _STRING_ARCH_unaligned
- *anssizp2 = orig_anssizp - resplen;
- *ansp2 = *ansp + resplen;
-#else
- int aligned_resplen
- = ((resplen + __alignof__ (HEADER) - 1)
- & ~(__alignof__ (HEADER) - 1));
- *anssizp2 = orig_anssizp - aligned_resplen;
- *ansp2 = *ansp + aligned_resplen;
-#endif
- DIAG_POP_NEEDS_COMMENT;
- } else {
- /* The first reply did not fit into the
- user-provided buffer. Maybe the second
- answer will. */
- *anssizp2 = orig_anssizp;
- *ansp2 = *ansp;
- }
-
thisanssizp = anssizp2;
thisansp = ansp2;
thisresplenp = resplen2;
@@ -827,10 +893,14 @@ send_vc(res_state statp,
anhp = (HEADER *) *thisansp;
*thisresplenp = rlen;
- if (rlen > *thisanssizp) {
- /* Yes, we test ANSCP here. If we have two buffers
- both will be allocatable. */
- if (__glibc_likely (anscp != NULL)) {
+ /* Is the answer buffer too small? */
+ if (*thisanssizp < rlen) {
+ /* If the current buffer is not the the static
+ user-supplied buffer then we can reallocate
+ it. */
+ if (thisansp != NULL && thisansp != ansp) {
+ /* Always allocate MAXPACKET, callers expect
+ this specific size. */
u_char *newp = malloc (MAXPACKET);
if (newp == NULL) {
*terrno = ENOMEM;
@@ -842,6 +912,9 @@ send_vc(res_state statp,
if (thisansp == ansp2)
*ansp2_malloced = 1;
anhp = (HEADER *) newp;
+ /* A uint16_t can't be larger than MAXPACKET
+ thus it's safe to allocate MAXPACKET but
+ read RLEN bytes instead. */
len = rlen;
} else {
Dprint(statp->options & RES_DEBUG,
@@ -972,6 +1045,66 @@ reopen (res_state statp, int *terrno, in
return 1;
}
+/* The send_dg function is responsible for sending a DNS query over UDP
+ to the nameserver numbered NS from the res_state STATP i.e.
+ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries
+ along with the ability to send the query in parallel for both stacks
+ (default) or serially (RES_SINGLKUP). It also supports serial lookup
+ with a close and reopen of the socket used to talk to the server
+ (RES_SNGLKUPREOP) to work around broken name servers.
+
+ The query stored in BUF of BUFLEN length is sent first followed by
+ the query stored in BUF2 of BUFLEN2 length. Queries are sent
+ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
+
+ Answers to the query are stored firstly in *ANSP up to a max of
+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
+ is non-NULL (to indicate that modifying the answer buffer is allowed)
+ then malloc is used to allocate a new response buffer and ANSCP and
+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
+ are needed but ANSCP is NULL, then as much of the response as
+ possible is read into the buffer, but the results will be truncated.
+ When truncation happens because of a small answer buffer the DNS
+ packets header feild TC will bet set to 1, indicating a truncated
+ message, while the rest of the UDP packet is discarded.
+
+ Answers to the query are stored secondly in *ANSP2 up to a max of
+ *ANSSIZP2 bytes, with the actual response length stored in
+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
+ is non-NULL (required for a second query) then malloc is used to
+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
+ size and *ANSP2_MALLOCED is set to 1.
+
+ The ANSP2_MALLOCED argument will eventually be removed as the
+ change in buffer pointer can be used to detect the buffer has
+ changed and that the caller should use free on the new buffer.
+
+ Note that the answers may arrive in any order from the server and
+ therefore the first and second answer buffers may not correspond to
+ the first and second queries.
+
+ It is not supported to call this function with a non-NULL ANSP2
+ but a NULL ANSCP. Put another way, you can call send_vc with a
+ single unmodifiable buffer or two modifiable buffers, but no other
+ combination is supported.
+
+ It is the caller's responsibility to free the malloc allocated
+ buffers by detecting that the pointers have changed from their
+ original values i.e. *ANSCP or *ANSP2 has changed.
+
+ If an answer is truncated because of UDP datagram DNS limits then
+ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
+ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1
+ if any progress was made reading a response from the nameserver and
+ is used by the caller to distinguish between ECONNREFUSED and
+ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
+
+ If errors are encountered then *TERRNO is set to an appropriate
+ errno value and a zero result is returned for a recoverable error,
+ and a less-than zero result is returned for a non-recoverable error.
+
+ If no errors are encountered then *TERRNO is left unmodified and
+ a the length of the first response in bytes is returned. */
static int
send_dg(res_state statp,
const u_char *buf, int buflen, const u_char *buf2, int buflen2,
@@ -981,8 +1114,6 @@ send_dg(res_state statp,
{
const HEADER *hp = (HEADER *) buf;
const HEADER *hp2 = (HEADER *) buf2;
- u_char *ans = *ansp;
- int orig_anssizp = *anssizp;
struct timespec now, timeout, finish;
struct pollfd pfd[1];
int ptimeout;
@@ -1015,6 +1146,8 @@ send_dg(res_state statp,
int need_recompute = 0;
int nwritten = 0;
int recvresp1 = 0;
+ /* Skip the second response if there is no second query.
+ To do that we mark the second response as received. */
int recvresp2 = buf2 == NULL;
pfd[0].fd = EXT(statp).nssocks[ns];
pfd[0].events = POLLOUT;
@@ -1178,55 +1311,56 @@ send_dg(res_state statp,
int *thisresplenp;
if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
+ /* We have not received any responses
+ yet or we only have one response to
+ receive. */
thisanssizp = anssizp;
thisansp = anscp ?: ansp;
assert (anscp != NULL || ansp2 == NULL);
thisresplenp = &resplen;
} else {
- if (*anssizp != MAXPACKET) {
- /* No buffer allocated for the first
- reply. We can try to use the rest
- of the user-provided buffer. */
-#if _STRING_ARCH_unaligned
- *anssizp2 = orig_anssizp - resplen;
- *ansp2 = *ansp + resplen;
-#else
- int aligned_resplen
- = ((resplen + __alignof__ (HEADER) - 1)
- & ~(__alignof__ (HEADER) - 1));
- *anssizp2 = orig_anssizp - aligned_resplen;
- *ansp2 = *ansp + aligned_resplen;
-#endif
- } else {
- /* The first reply did not fit into the
- user-provided buffer. Maybe the second
- answer will. */
- *anssizp2 = orig_anssizp;
- *ansp2 = *ansp;
- }
-
thisanssizp = anssizp2;
thisansp = ansp2;
thisresplenp = resplen2;
}
if (*thisanssizp < MAXPACKET
- /* Yes, we test ANSCP here. If we have two buffers
- both will be allocatable. */
- && anscp
+ /* If the current buffer is not the the static
+ user-supplied buffer then we can reallocate
+ it. */
+ && (thisansp != NULL && thisansp != ansp)
#ifdef FIONREAD
+ /* Is the size too small? */
&& (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
|| *thisanssizp < *thisresplenp)
#endif
) {
+ /* Always allocate MAXPACKET, callers expect
+ this specific size. */
u_char *newp = malloc (MAXPACKET);
if (newp != NULL) {
- *anssizp = MAXPACKET;
- *thisansp = ans = newp;
+ *thisanssizp = MAXPACKET;
+ *thisansp = newp;
if (thisansp == ansp2)
*ansp2_malloced = 1;
}
}
+ /* We could end up with truncation if anscp was NULL
+ (not allowed to change caller's buffer) and the
+ response buffer size is too small. This isn't a
+ reliable way to detect truncation because the ioctl
+ may be an inaccurate report of the UDP message size.
+ Therefore we use this only to issue debug output.
+ To do truncation accurately with UDP we need
+ MSG_TRUNC which is only available on Linux. We
+ can abstract out the Linux-specific feature in the
+ future to detect truncation. */
+ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; response may be truncated (UDP)\n")
+ );
+ }
+
HEADER *anhp = (HEADER *) *thisansp;
socklen_t fromlen = sizeof(struct sockaddr_in6);
assert (sizeof(from) <= fromlen);

32
glibc-isinf-cxx11.patch
View File

@ -1,32 +0,0 @@
commit 48746aa5a013aab5ca89ee8c29761baec8850c0f
Author: Jakub Jelinek <jakub@redhat.com>
Date: Mon Feb 1 16:17:55 2016 +0000
Restore isinf, isinfl, isnanf and isnanl for C++11
diff --git a/math/bits/mathcalls.h b/math/bits/mathcalls.h
index a48345d..9a7b3f0 100644
--- a/math/bits/mathcalls.h
+++ b/math/bits/mathcalls.h
@@ -196,7 +196,9 @@ __MATHDECL_1 (int,__finite,, (_Mdouble_ __value)) __attribute__ ((__const__));
_Mdouble_END_NAMESPACE
#ifdef __USE_MISC
-# if !defined __cplusplus || __cplusplus < 201103L /* Conflicts with C++11. */
+# if (!defined __cplusplus \
+ || __cplusplus < 201103L /* isinf conflicts with C++11. */ \
+ || __MATH_DECLARING_DOUBLE == 0) /* isinff or isinfl don't. */
/* Return 0 if VALUE is finite or NaN, +1 if it
is +Infinity, -1 if it is -Infinity. */
__MATHDECL_1 (int,isinf,, (_Mdouble_ __value)) __attribute__ ((__const__));
@@ -232,7 +234,9 @@ __END_NAMESPACE_C99
__MATHDECL_1 (int,__isnan,, (_Mdouble_ __value)) __attribute__ ((__const__));
#if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_XOPEN2K)
-# if !defined __cplusplus || __cplusplus < 201103L /* Conflicts with C++11. */
+# if (!defined __cplusplus \
+ || __cplusplus < 201103L /* isnan conflicts with C++11. */ \
+ || __MATH_DECLARING_DOUBLE == 0) /* isnanf or isnanl don't. */
/* Return nonzero if VALUE is not a number. */
__MATHDECL_1 (int,isnan,, (_Mdouble_ __value)) __attribute__ ((__const__));
# endif

47
glibc-rh1114591.patch
View File

@ -1,47 +0,0 @@
Upstream patch:
commit ff889b196575c2fbf6aa7130abb1ec862714ea4e
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Feb 19 14:21:34 2016 +0100
Remove trailing newline from date_fmt in Serbian locales [BZ #19581]
diff --git a/localedata/locales/sr_ME b/localedata/locales/sr_ME
index 4f243dc..dd68df8 100644
--- a/localedata/locales/sr_ME
+++ b/localedata/locales/sr_ME
@@ -119,7 +119,7 @@ am_pm "";""
t_fmt_ampm "<U0025><U0054>"
date_fmt "<U0025><U0061><U002c><U0020><U0025><U0065><U002E><U0020>/
<U0025><U0062><U0020><U0025><U0059><U002E><U0020><U0020><U0025><U0048>/
-<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A><U000A>"
+<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A>"
week 7;19971130;4
first_weekday 2
first_workday 2
diff --git a/localedata/locales/sr_RS b/localedata/locales/sr_RS
index 2ae085b..ffea86f 100644
--- a/localedata/locales/sr_RS
+++ b/localedata/locales/sr_RS
@@ -300,7 +300,7 @@ am_pm "";""
t_fmt_ampm "<U0025><U0054>"
date_fmt "<U0025><U0061><U002C><U0020><U0025><U0065><U002E><U0020>/
<U0025><U0062><U0020><U0025><U0059><U002E><U0020><U0020><U0025><U0048>/
-<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A><U000A>"
+<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A>"
week 7;19971130;4
first_weekday 2
first_workday 2
diff --git a/localedata/locales/sr_RS@latin b/localedata/locales/sr_RS@latin
index da6628b..fd10ea6 100644
--- a/localedata/locales/sr_RS@latin
+++ b/localedata/locales/sr_RS@latin
@@ -120,7 +120,7 @@ am_pm "";""
t_fmt_ampm "<U0025><U0054>"
date_fmt "<U0025><U0061><U002c><U0020><U0025><U0065><U002E><U0020>/
<U0025><U0062><U0020><U0025><U0059><U002E><U0020><U0020><U0025><U0048>/
-<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A><U000A>"
+<U003A><U0025><U004D><U003A><U0025><U0053><U0020><U0025><U005A>"
week 7;19971130;4
first_weekday 2
first_workday 2

58
glibc-rh1252570.patch
View File

@ -12,11 +12,11 @@ Date: Thu Feb 19 15:52:08 2015 +0100
setting nsaddr_list[].sin_family to zero.
reverted:
Index: b/resolv/res_init.c
Index: glibc-2.23-39-g314f6de/resolv/res_init.c
===================================================================
--- a/resolv/res_init.c
+++ b/resolv/res_init.c
@@ -153,8 +153,10 @@ __res_vinit(res_state statp, int preinit
--- glibc-2.23-39-g314f6de.orig/resolv/res_init.c
+++ glibc-2.23-39-g314f6de/resolv/res_init.c
@@ -139,8 +139,10 @@ __res_vinit(res_state statp, int preinit
char *cp, **pp;
int n;
char buf[BUFSIZ];
@ -29,7 +29,7 @@ Index: b/resolv/res_init.c
int haveenv = 0;
int havesearch = 0;
#ifdef RESOLVSORT
@@ -183,9 +185,15 @@ __res_vinit(res_state statp, int preinit
@@ -169,9 +171,15 @@ __res_vinit(res_state statp, int preinit
statp->_flags = 0;
statp->qhook = NULL;
statp->rhook = NULL;
@ -47,7 +47,7 @@ Index: b/resolv/res_init.c
/* Allow user to override the local domain definition */
if ((cp = getenv("LOCALDOMAIN")) != NULL) {
@@ -289,7 +297,11 @@ __res_vinit(res_state statp, int preinit
@@ -275,7 +283,11 @@ __res_vinit(res_state statp, int preinit
continue;
}
/* read nameservers to query */
@ -59,7 +59,7 @@ Index: b/resolv/res_init.c
struct in_addr a;
cp = buf + sizeof("nameserver") - 1;
@@ -297,12 +309,13 @@ __res_vinit(res_state statp, int preinit
@@ -283,12 +295,13 @@ __res_vinit(res_state statp, int preinit
cp++;
if ((*cp != '\0') && (*cp != '\n')
&& __inet_aton(cp, &a)) {
@ -76,7 +76,7 @@ Index: b/resolv/res_init.c
} else {
struct in6_addr a6;
char *el;
@@ -344,11 +357,10 @@ __res_vinit(res_state statp, int preinit
@@ -330,11 +343,10 @@ __res_vinit(res_state statp, int preinit
}
}
@ -92,7 +92,7 @@ Index: b/resolv/res_init.c
}
}
#endif
@@ -403,9 +415,10 @@ __res_vinit(res_state statp, int preinit
@@ -389,9 +401,10 @@ __res_vinit(res_state statp, int preinit
continue;
}
}
@ -105,7 +105,7 @@ Index: b/resolv/res_init.c
/* We try IPv6 servers again. */
statp->ipv6_unavail = false;
}
@@ -594,7 +607,11 @@ __res_iclose(res_state statp, bool free_
@@ -580,7 +593,11 @@ __res_iclose(res_state statp, bool free_
statp->_vcsock = -1;
statp->_flags &= ~(RES_F_VC | RES_F_CONN);
}
@ -117,7 +117,7 @@ Index: b/resolv/res_init.c
if (statp->_u._ext.nsaddrs[ns]) {
if (statp->_u._ext.nssocks[ns] != -1) {
close_not_cancel_no_status(statp->_u._ext.nssocks[ns]);
@@ -605,6 +622,8 @@ __res_iclose(res_state statp, bool free_
@@ -591,6 +608,8 @@ __res_iclose(res_state statp, bool free_
statp->_u._ext.nsaddrs[ns] = NULL;
}
}
@ -126,11 +126,11 @@ Index: b/resolv/res_init.c
}
libc_hidden_def (__res_iclose)
Index: b/resolv/res_send.c
Index: glibc-2.23-39-g314f6de/resolv/res_send.c
===================================================================
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -176,7 +176,6 @@ evNowTime(struct timespec *res) {
--- glibc-2.23-39-g314f6de.orig/resolv/res_send.c
+++ glibc-2.23-39-g314f6de/resolv/res_send.c
@@ -193,7 +193,6 @@ evNowTime(struct timespec *res) {
/* Forward. */
@ -138,7 +138,7 @@ Index: b/resolv/res_send.c
static int send_vc(res_state, const u_char *, int,
const u_char *, int,
u_char **, int *, int *, int, u_char **,
@@ -214,21 +213,20 @@ res_ourserver_p(const res_state statp, c
@@ -231,21 +230,20 @@ res_ourserver_p(const res_state statp, c
in_port_t port = in4p->sin_port;
in_addr_t addr = in4p->sin_addr.s_addr;
@ -166,7 +166,7 @@ Index: b/resolv/res_send.c
(srv->sin6_port == inp->sin6_port) &&
!(memcmp(&srv->sin6_addr, &in6addr_any,
sizeof (struct in6_addr)) &&
@@ -378,48 +376,80 @@ __libc_res_nsend(res_state statp, const
@@ -397,48 +395,80 @@ __libc_res_nsend(res_state statp, const
* If the ns_addr_list in the resolver context has changed, then
* invalidate our cached copy and the associated timing data.
*/
@ -264,7 +264,7 @@ Index: b/resolv/res_send.c
}
/*
@@ -428,37 +458,44 @@ __libc_res_nsend(res_state statp, const
@@ -447,37 +477,44 @@ __libc_res_nsend(res_state statp, const
*/
if (__builtin_expect ((statp->options & RES_ROTATE) != 0, 0) &&
(statp->options & RES_BLAST) == 0) {
@ -329,7 +329,7 @@ Index: b/resolv/res_send.c
same_ns:
#ifdef USE_HOOKS
if (__glibc_unlikely (statp->qhook != NULL)) {
@@ -615,21 +652,6 @@ libresolv_hidden_def (res_nsend)
@@ -634,21 +671,6 @@ libresolv_hidden_def (res_nsend)
/* Private */
@ -348,19 +348,19 @@ Index: b/resolv/res_send.c
- return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
-}
-
static int
send_vc(res_state statp,
const u_char *buf, int buflen, const u_char *buf2, int buflen2,
@@ -644,7 +666,7 @@ send_vc(res_state statp,
// XXX REMOVE
// int anssiz = *anssizp;
HEADER *anhp = (HEADER *) ans;
/* The send_vc function is responsible for sending a DNS query over TCP
to the nameserver numbered NS from the res_state STATP i.e.
EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
@@ -730,7 +752,7 @@ send_vc(res_state statp,
const HEADER *hp = (HEADER *) buf;
const HEADER *hp2 = (HEADER *) buf2;
HEADER *anhp = (HEADER *) *ansp;
- struct sockaddr *nsap = get_nsaddr (statp, ns);
+ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
int truncating, connreset, n;
/* On some architectures compiler might emit a warning indicating
'resplen' may be used uninitialized. However if buf2 == NULL
@@ -677,8 +699,8 @@ send_vc(res_state statp,
@@ -763,8 +785,8 @@ send_vc(res_state statp,
if (getpeername(statp->_vcsock,
(struct sockaddr *)&peer, &size) < 0 ||
@ -371,7 +371,7 @@ Index: b/resolv/res_send.c
statp->_flags &= ~RES_F_VC;
}
}
@@ -687,19 +709,20 @@ send_vc(res_state statp,
@@ -773,19 +795,20 @@ send_vc(res_state statp,
if (statp->_vcsock >= 0)
__res_iclose(statp, false);
@ -396,7 +396,7 @@ Index: b/resolv/res_send.c
__res_iclose(statp, false);
return (0);
}
@@ -906,7 +929,8 @@ static int
@@ -979,7 +1002,8 @@ static int
reopen (res_state statp, int *terrno, int ns)
{
if (EXT(statp).nssocks[ns] == -1) {

17
glibc.spec
View File

@ -1,6 +1,6 @@
%define glibcsrcdir glibc-2.22-719-g1233be7
%define glibcsrcdir glibc-2.23-40-gde51ff8
%define glibcversion 2.22.90
%define glibcrelease 37%{?dist}
%define glibcrelease 38%{?dist}
# Pre-release tarballs are pulled in from git using a command that is
# effectively:
#
@ -293,17 +293,10 @@ Patch2034: glibc-aarch64-workaround-nzcv-clobber-in-tlsdesc.patch
Patch2035: glibc-nsswitch-Add-group-merging-support.patch
Patch2036: glibc-gcc-PR69537.patch
Patch2037: glibc-isinf-cxx11.patch
# Upstream BZ 19573, patch reverts problematic commit
Patch2099: glibc-rh1252570.patch
# CVE-2015-7547
Patch2100: glibc-CVE-2015-7547.patch
# Upstream BZ 19581
Patch2101: glibc-rh1114591.patch
##############################################################################
#
# Benchmark comparison patches.
@ -697,10 +690,7 @@ cat /proc/meminfo
%patch0059 -p1
%patch2035 -p1
%patch2036 -p1
%patch2037 -p1
%patch2099 -p1
%patch2100 -p1
%patch2101 -p1
##############################################################################
# %%prep - Additional prep required...
@ -1967,6 +1957,9 @@ rm -f *.filelist*
%endif
%changelog
* Thu Feb 25 2016 Carlos O'Donell <carlos@systemhalted.org> - 2.22.90-38
- Auto-sync with upstream master.
* Fri Feb 19 2016 Florian Weimer <fweimer@redhat.com> - 2.22.90-37
- Remove stray newline from Serbian locales (#1114591).

2
series
View File

@ -38,6 +38,4 @@ glibc-bug-regex-gcc5.patch -p1 --fuzz=0
glibc-c-utf8-locale.patch -p1 --fuzz=0
glibc-nsswitch-Add-group-merging-support.patch -p1 --fuzz=0
glibc-gcc-PR69537.patch -p1 --fuzz=0
glibc-isinf-cxx11.patch -p1 --fuzz=0
glibc-rh1252570.patch -p1 --fuzz=0
glibc-CVE-2015-7547.patch -p1 --fuzz=0

2
sources
View File

@ -1 +1 @@
59f24ea4c6c662c064f54a64fca055a6 glibc-2.22-719-g1233be7.tar.gz
d1dab355e80e61297ed07d6b402cbbe1 glibc-2.23-40-gde51ff8.tar.gz