diff --git a/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch b/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch new file mode 100644 index 0000000..5ca9065 --- /dev/null +++ b/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch @@ -0,0 +1,64 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index 51668a5..3f9cec6 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a22..ee84518 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } +-- +2.37.3 + diff --git a/c-ares.spec b/c-ares.spec index e5487c8..830e7e3 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -3,7 +3,7 @@ Summary: A library that performs asynchronous DNS operations Name: c-ares Version: 1.17.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: http://c-ares.haxx.se/ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz @@ -11,6 +11,7 @@ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz Source1: LICENSE Patch0: 0001-Use-RPM-compiler-options.patch Patch1: 0002-fix-CVE-2021-3672.patch +Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch BuildRequires: gcc %if %{use_cmake} BuildRequires: cmake @@ -83,6 +84,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la %{_mandir}/man3/ares_* %changelog +* Fri May 12 2023 Alexey Tikhonov - 1.17.1-6 +- Resolves: rhbz#2170868 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-9] + * Fri Nov 26 2021 Alexey Tikhonov - 1.17.1-5 - Resolves: rhbz#2014523 - c-ares: missing input validation of host names may lead to Domain Hijacking [rhel-9]