Infinite loop in res_mkquery with malformed domain name (#2255506)
parent
ca9e6ac795
commit
d6f60005eb
139
glibc-rh2255506.patch
Normal file
139
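--- a/glibc-rh2255506.patch
+++ b/glibc-rh2255506.patch
@@ -0,0 +1,139 @@
+commit 3e0853ab9a1609707ec8de453891b3c79ea556bc
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Wed Jan 3 16:40:32 2024 +0100
+
+Revert "resolve: Remove __res_context_query alloca usage"
+
+This reverts commit 40c0add7d48739f5d89ebba255c1df26629a76e2.
+The change causes an infinite loop with malformed domain
+names.
+
+diff --git a/resolv/res_query.c b/resolv/res_query.c
+index 1b148a2a05b8641c..049de91b95a2bd0c 100644
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -80,7 +80,6 @@
+#include <stdlib.h>
+#include <string.h>
+#include <shlib-compat.h>
+-#include <scratch_buffer.h>
+
+#if PACKETSZ > 65536
+#define MAXPACKET PACKETSZ
+@@ -115,14 +114,11 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+struct __res_state *statp = ctx->resp;
+UHEADER *hp = (UHEADER *) answer;
+UHEADER *hp2;
+- int n;
+-
+- /* It requires 2 times QUERYSIZE for type == T_QUERY_A_AND_AAAA. */
+- struct scratch_buffer buf;
+- scratch_buffer_init (&buf);
+- _Static_assert (2 * QUERYSIZE <= sizeof (buf.__space.__c),
+- "scratch_buffer too small");
+- u_char *query1 = buf.data;
++ int n, use_malloc = 0;
++
++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
++ u_char *buf = alloca (bufsize);
++ u_char *query1 = buf;
+int nquery1 = -1;
+u_char *query2 = NULL;
+int nquery2 = 0;
+@@ -133,28 +129,37 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+if (type == T_QUERY_A_AND_AAAA)
+{
+n = __res_context_mkquery (ctx, QUERY, name, class, T_A, NULL,
+- query1, buf.length);
++ query1, bufsize);
+if (n > 0)
+{
+if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+{
+/* Use RESOLV_EDNS_BUFFER_SIZE because the receive
+buffer can be reallocated. */
+- n = __res_nopt (ctx, n, query1, buf.length,
++ n = __res_nopt (ctx, n, query1, bufsize,
+RESOLV_EDNS_BUFFER_SIZE);
+if (n < 0)
+goto unspec_nomem;
+}
+
+nquery1 = n;
+- query2 = buf.data + n;
++ /* Align the buffer. */
++ int npad = ((nquery1 + __alignof__ (HEADER) - 1)
++ & ~(__alignof__ (HEADER) - 1)) - nquery1;
++ if (n > bufsize - npad)
++ {
++ n = -1;
++ goto unspec_nomem;
++ }
++ int nused = n + npad;
++ query2 = buf + nused;
+n = __res_context_mkquery (ctx, QUERY, name, class, T_AAAA,
+- NULL, query2, buf.length - n);
++ NULL, query2, bufsize - nused);
+if (n > 0
+&& (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+/* Use RESOLV_EDNS_BUFFER_SIZE because the receive
+buffer can be reallocated. */
+- n = __res_nopt (ctx, n, query2, buf.length,
++ n = __res_nopt (ctx, n, query2, bufsize,
+RESOLV_EDNS_BUFFER_SIZE);
+nquery2 = n;
+}
+@@ -164,7 +169,7 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+else
+{
+n = __res_context_mkquery (ctx, QUERY, name, class, type, NULL,
+- query1, buf.length);
++ query1, bufsize);
+
+if (n > 0
+&& (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+@@ -176,25 +181,27 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+advertise = anslen;
+else
+advertise = RESOLV_EDNS_BUFFER_SIZE;
+- n = __res_nopt (ctx, n, query1, buf.length, advertise);
++ n = __res_nopt (ctx, n, query1, bufsize, advertise);
+}
+
+nquery1 = n;
+}
+
+- if (__glibc_unlikely (n <= 0)) {
++ if (__glibc_unlikely (n <= 0) && !use_malloc) {
+/* Retry just in case res_nmkquery failed because of too
+short buffer. Shouldn't happen. */
+- if (scratch_buffer_set_array_size (&buf,
+- T_QUERY_A_AND_AAAA ? 2 : 1,
+- MAXPACKET)) {
+- query1 = buf.data;
++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
++ buf = malloc (bufsize);
++ if (buf != NULL) {
++ query1 = buf;
++ use_malloc = 1;
+goto again;
+}
+}
+if (__glibc_unlikely (n <= 0)) {
+RES_SET_H_ERRNO(statp, NO_RECOVERY);
+- scratch_buffer_free (&buf);
++ if (use_malloc)
++ free (buf);
+return (n);
+}
+
+@@ -217,7 +224,8 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+answerp2_malloced);
+}
+
+- scratch_buffer_free (&buf);
++ if (use_malloc)
++ free (buf);
+if (n < 0) {
+RES_SET_H_ERRNO(statp, TRY_AGAIN);
+return (n);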
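Review bot: The `!use_malloc` guard in `if (__glibc_unlikely (n <= 0) && !use_malloc) {` is the only thing that bounds the `goto again` retry, yet the comment directly below it still says a failure can only come from a too-short buffer and "Shouldn't happen", which appears to be the assumption behind the loop the commit message describes; suggest replacing it with `/* Retry at most once with a MAXPACKET-sized buffer.  A failure that does not depend on the buffer size (e.g. a malformed name) must not loop, so use_malloc bounds the retry.  */`. The check `if (n > bufsize - npad)` compares the signed `n` against a `size_t` expression; it is only reached after `if (n > 0)`, so the implicit conversion is harmless here, but a one-line comment saying so would keep a future reader from flagging it. The restored `alloca (bufsize)` is bounded by a compile-time multiple of QUERYSIZE, but the `_Static_assert` that documented that bound is gone with the revert, so the limit is now implicit. The enclosing `__res_context_query` and the `again:` label lie outside the visible hunks, so the retry target itself cannot be checked here.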
@ -171,7 +171,7 @@ Version: %{glibcversion}
|
|||||||
# - It allows using the Release number without the %%dist tag in the dependency
|
# - It allows using the Release number without the %%dist tag in the dependency
|
||||||
# generator to make the generated requires interchangeable between Rawhide
|
# generator to make the generated requires interchangeable between Rawhide
|
||||||
# and ELN (.elnYY < .fcXX).
|
# and ELN (.elnYY < .fcXX).
|
||||||
%global baserelease 29
|
%global baserelease 30
|
||||||
Release: %{baserelease}%{?dist}
|
Release: %{baserelease}%{?dist}
|
||||||
|
|
||||||
# In general, GPLv2+ is used by programs, LGPLv2+ is used for
|
# In general, GPLv2+ is used by programs, LGPLv2+ is used for
|
||||||
@ -242,6 +242,7 @@ Patch9: glibc-rh827510.patch
|
|||||||
Patch13: glibc-fedora-localedata-rh61908.patch
|
Patch13: glibc-fedora-localedata-rh61908.patch
|
||||||
Patch17: glibc-cs-path.patch
|
Patch17: glibc-cs-path.patch
|
||||||
Patch23: glibc-python3.patch
|
Patch23: glibc-python3.patch
|
||||||
|
Patch24: glibc-rh2255506.patch
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# Continued list of core "glibc" package information:
|
# Continued list of core "glibc" package information:
|
||||||
@ -2212,6 +2213,9 @@ update_gconv_modules_cache ()
|
|||||||
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
|
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 3 2024 Florian Weimer <fweimer@redhat.com> - 2.38.9000-30
|
||||||
|
- Infinite loop in res_mkquery with malformed domain name (#2255506)
|
||||||
|
|
||||||
* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 2.38.9000-29
|
* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 2.38.9000-29
|
||||||
- Auto-sync with upstream branch master,
|
- Auto-sync with upstream branch master,
|
||||||
commit 61bac1a9d2ab80ebcbc51484722e6ea43414bec7:
|
commit 61bac1a9d2ab80ebcbc51484722e6ea43414bec7:
|
||||||
|