From 899478c2bfa00c5df8d8bedb52effbb065700278 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 6 Dec 2018 15:39:50 +0100 Subject: inet/tst-if_index-long: New test case for CVE-2018-19591 [BZ #23927] --- ChangeLog | 7 ++++++ inet/Makefile | 2 +- inet/tst-if_index-long.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 inet/tst-if_index-long.c diff --git a/ChangeLog b/ChangeLog index 266cd67..8e52b40 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ 2018-12-07 Florian Weimer + [BZ #23927] + CVE-2018-19591 + * inet/tst-if_index-long.c: New file. + * inet/Makefile (tests): Add tst-if_index-long. + +2018-12-07 Florian Weimer + * support/check.h (support_record_failure_is_failed): Declare. * support/descriptors.h: New file. * support/support_descriptors.c: Likewise. diff --git a/inet/Makefile b/inet/Makefile index 09f5ba7..7782913 100644 --- a/inet/Makefile +++ b/inet/Makefile @@ -52,7 +52,7 @@ aux := check_pf check_native ifreq tests := htontest test_ifindex tst-ntoa tst-ether_aton tst-network \ tst-gethnm test-ifaddrs bug-if1 test-inet6_opt tst-ether_line \ tst-getni1 tst-getni2 tst-inet6_rth tst-checks tst-checks-posix \ - tst-sockaddr test-hnto-types + tst-sockaddr test-hnto-types tst-if_index-long # tst-deadline must be linked statically so that we can access # internal functions. diff --git a/inet/tst-if_index-long.c b/inet/tst-if_index-long.c new file mode 100644 index 0000000..3dc7487 --- /dev/null +++ b/inet/tst-if_index-long.c @@ -0,0 +1,61 @@ +/* Check for descriptor leak in if_nametoindex with a long interface name. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This test checks for a descriptor leak in case of a long interface + name (CVE-2018-19591, bug 23927). */ + +#include +#include +#include +#include +#include +#include +#include + +static int +do_test (void) +{ + struct support_descriptors *descrs = support_descriptors_list (); + + /* Prepare a name which is just as long as required for trigging the + bug. */ + char name[IFNAMSIZ + 1]; + memset (name, 'A', IFNAMSIZ); + name[IFNAMSIZ] = '\0'; + TEST_COMPARE (strlen (name), IFNAMSIZ); + struct ifreq ifr; + TEST_COMPARE (strlen (name), sizeof (ifr.ifr_name)); + + /* Test directly via if_nametoindex. */ + TEST_COMPARE (if_nametoindex (name), 0); + TEST_COMPARE (errno, ENODEV); + support_descriptors_check (descrs); + + /* Same test via getaddrinfo. */ + char *host = xasprintf ("fea0::%%%s", name); + struct addrinfo hints = { .ai_flags = AI_NUMERICHOST, }; + struct addrinfo *ai; + TEST_COMPARE (getaddrinfo (host, NULL, &hints, &ai), EAI_NONAME); + support_descriptors_check (descrs); + + support_descriptors_free (descrs); + + return 0; +} + +#include -- cgit v1.1