- Fix out of bounds memory access in resolver (#798471)
This commit is contained in:
Jeff Law
parent
f2aa906557
commit
296965fe20
31
glibc-rh798471.patch
Normal file
31
glibc-rh798471.patch
Normal file
@ -0,0 +1,31 @@
|
||||
|
||||
|
||||
2012-02-28 Jeff Law <law@redhat.com>
|
||||
|
||||
* resolv/res_query.c (__libc_res_nquerydomain): Avoid
|
||||
out of bounds read.
|
||||
|
||||
diff --git a/resolv/res_query.c b/resolv/res_query.c
|
||||
index 947c651..abccd4a 100644
|
||||
--- a/resolv/res_query.c
|
||||
+++ b/resolv/res_query.c
|
||||
@@ -556,12 +556,16 @@ __libc_res_nquerydomain(res_state statp,
|
||||
* copy without '.' if present.
|
||||
*/
|
||||
n = strlen(name);
|
||||
- if (n >= MAXDNAME) {
|
||||
+
|
||||
+ /* Decrement N prior to checking it against MAXDNAME
|
||||
+ so that we detect a wrap to SIZE_MAX and return
|
||||
+ a reasonable error. */
|
||||
+ n--;
|
||||
+ if (n >= MAXDNAME - 1) {
|
||||
RES_SET_H_ERRNO(statp, NO_RECOVERY);
|
||||
return (-1);
|
||||
}
|
||||
- n--;
|
||||
- if (n >= 0 && name[n] == '.') {
|
||||
+ if (name[n] == '.') {
|
||||
strncpy(nbuf, name, n);
|
||||
nbuf[n] = '\0';
|
||||
} else
|
||||
@ -28,7 +28,7 @@
|
||||
Summary: The GNU libc libraries
|
||||
Name: glibc
|
||||
Version: %{glibcversion}
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
|
||||
# Things that are linked directly into dynamically linked programs
|
||||
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
|
||||
@ -106,6 +106,8 @@ Patch35 : %{name}-rh788989.patch
|
||||
Patch36 : %{name}-rh795498.patch
|
||||
# Posted upstream (bz 13705)
|
||||
Patch37 : %{name}-rh760935.patch
|
||||
# Approved upstream, waiting for privs to commit
|
||||
Patch38 : %{name}-rh798471.patch
|
||||
|
||||
|
||||
|
||||
@ -363,6 +365,7 @@ rm -rf %{glibcportsdir}
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
|
||||
# A lot of programs still misuse memcpy when they have to use
|
||||
# memmove. The memcpy implementation below is not tolerant at
|
||||
@ -1215,6 +1218,9 @@ rm -f *.filelist*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 29 2012 Jeff Law <law@redhat.com> - 2.15-25
|
||||
- Fix out of bounds memory access in resolver (#798471)
|
||||
|
||||
* Fri Feb 24 2012 Jeff Law <law@redhat.com> - 2.15-24
|
||||
- Fix bogus underflow (#760935)
|
||||
- Correctly handle dns request where large numbers of A and AAA records
|
||||
|
||||
Loading…
Reference in New Issue
Block a user