54 lines
1.8 KiB
Diff
54 lines
1.8 KiB
Diff
|
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
|
||
|
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||
|
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||
|
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||
|
stack overflow (#497)
|
||
|
|
||
|
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||
|
the input str and initialize a sortlist configuration.
|
||
|
|
||
|
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||
|
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||
|
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||
|
statements in the config_sortlist call, which could potentially cause severe
|
||
|
security impact in practical programs.
|
||
|
|
||
|
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||
|
potential stack overflows.
|
||
|
|
||
|
fixes #496
|
||
|
|
||
|
Fix By: @hopper-vul
|
||
|
Resolves: CVE-2022-4904
|
||
|
|
||
|
Signed-off-by: rpm-build <rpm-build>
|
||
|
---
|
||
|
deps/cares/src/lib/ares_init.c | 4 ++++
|
||
|
1 file changed, 4 insertions(+)
|
||
|
|
||
|
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||
|
index de5d86c..d5858f6 100644
|
||
|
--- a/deps/cares/src/lib/ares_init.c
|
||
|
+++ b/deps/cares/src/lib/ares_init.c
|
||
|
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||
|
q = str;
|
||
|
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||
|
q++;
|
||
|
+ if (q-str >= 16)
|
||
|
+ return ARES_EBADSTR;
|
||
|
memcpy(ipbuf, str, q-str);
|
||
|
ipbuf[q-str] = '\0';
|
||
|
/* Find the prefix */
|
||
|
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||
|
const char *str2 = q+1;
|
||
|
while (*q && *q != ';' && !ISSPACE(*q))
|
||
|
q++;
|
||
|
+ if (q-str >= 32)
|
||
|
+ return ARES_EBADSTR;
|
||
|
memcpy(ipbufpfx, str, q-str);
|
||
|
ipbufpfx[q-str] = '\0';
|
||
|
str = str2;
|
||
|
--
|
||
|
2.39.2
|
||
|
|