- Fix out of bounds memory access in resolver (#798471)

This commit is contained in:
Jeff Law 2012-02-29 09:46:36 -07:00
parent f2aa906557
commit 296965fe20
2 changed files with 38 additions and 1 deletions

31
glibc-rh798471.patch Normal file
View File

@ -0,0 +1,31 @@
2012-02-28 Jeff Law <law@redhat.com>
* resolv/res_query.c (__libc_res_nquerydomain): Avoid
out of bounds read.
diff --git a/resolv/res_query.c b/resolv/res_query.c
index 947c651..abccd4a 100644
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -556,12 +556,16 @@ __libc_res_nquerydomain(res_state statp,
* copy without '.' if present.
*/
n = strlen(name);
- if (n >= MAXDNAME) {
+
+ /* Decrement N prior to checking it against MAXDNAME
+ so that we detect a wrap to SIZE_MAX and return
+ a reasonable error. */
+ n--;
+ if (n >= MAXDNAME - 1) {
RES_SET_H_ERRNO(statp, NO_RECOVERY);
return (-1);
}
- n--;
- if (n >= 0 && name[n] == '.') {
+ if (name[n] == '.') {
strncpy(nbuf, name, n);
nbuf[n] = '\0';
} else

View File

@ -28,7 +28,7 @@
Summary: The GNU libc libraries Summary: The GNU libc libraries
Name: glibc Name: glibc
Version: %{glibcversion} Version: %{glibcversion}
Release: 24%{?dist} Release: 25%{?dist}
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries. # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
# Things that are linked directly into dynamically linked programs # Things that are linked directly into dynamically linked programs
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@ -106,6 +106,8 @@ Patch35 : %{name}-rh788989.patch
Patch36 : %{name}-rh795498.patch Patch36 : %{name}-rh795498.patch
# Posted upstream (bz 13705) # Posted upstream (bz 13705)
Patch37 : %{name}-rh760935.patch Patch37 : %{name}-rh760935.patch
# Approved upstream, waiting for privs to commit
Patch38 : %{name}-rh798471.patch
@ -363,6 +365,7 @@ rm -rf %{glibcportsdir}
%patch35 -p1 %patch35 -p1
%patch36 -p1 %patch36 -p1
%patch37 -p1 %patch37 -p1
%patch38 -p1
# A lot of programs still misuse memcpy when they have to use # A lot of programs still misuse memcpy when they have to use
# memmove. The memcpy implementation below is not tolerant at # memmove. The memcpy implementation below is not tolerant at
@ -1215,6 +1218,9 @@ rm -f *.filelist*
%endif %endif
%changelog %changelog
* Wed Feb 29 2012 Jeff Law <law@redhat.com> - 2.15-25
- Fix out of bounds memory access in resolver (#798471)
* Fri Feb 24 2012 Jeff Law <law@redhat.com> - 2.15-24 * Fri Feb 24 2012 Jeff Law <law@redhat.com> - 2.15-24
- Fix bogus underflow (#760935) - Fix bogus underflow (#760935)
- Correctly handle dns request where large numbers of A and AAA records - Correctly handle dns request where large numbers of A and AAA records