diff options
author | Carlos O'Donell <carlos@systemhalted.org> | 2016-02-16 21:26:37 -0500 |
---|---|---|
committer | Carlos O'Donell <carlos@systemhalted.org> | 2016-02-16 21:29:32 -0500 |
commit | e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (patch) | |
tree | 67e2907fdad7c2a466e1aa996d48495c6016e3b3 /resolv/res_query.c | |
parent | 2c8f75f79bd6f3f4b3400a9f1a01a75e3086006b (diff) | |
download | glibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.zip glibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.tar.gz glibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.tar.bz2 |
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
Diffstat (limited to 'resolv/res_query.c')
-rw-r--r-- | resolv/res_query.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/resolv/res_query.c b/resolv/res_query.c index 4a9b3b3..95470a9 100644 --- a/resolv/res_query.c +++ b/resolv/res_query.c @@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, { free (*answerp2); *answerp2 = NULL; + *nanswerp2 = 0; *answerp2_malloced = 0; } } @@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, { free (*answerp2); *answerp2 = NULL; + *nanswerp2 = 0; *answerp2_malloced = 0; } @@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, { free (*answerp2); *answerp2 = NULL; + *nanswerp2 = 0; *answerp2_malloced = 0; } if (saved_herrno != -1) |