| Fetched from gentoo glibc patchball |
| Original patch filename: 10_all_glibc-CVE-2015-7547.patch |
| Based on: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html |
| |
| Fixes: |
| CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow. |
| |
| Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> |
| |
| --- a/resolv/nss_dns/dns-host.c |
| +++ b/resolv/nss_dns/dns-host.c |
| @@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, |
| int h_namelen = 0; |
| |
| if (ancount == 0) |
| - return NSS_STATUS_NOTFOUND; |
| + { |
| + *h_errnop = HOST_NOT_FOUND; |
| + return NSS_STATUS_NOTFOUND; |
| + } |
| |
| while (ancount-- > 0 && cp < end_of_message && had_error == 0) |
| { |
| @@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, |
| /* Special case here: if the resolver sent a result but it only |
| contains a CNAME while we are looking for a T_A or T_AAAA record, |
| we fail with NOTFOUND instead of TRYAGAIN. */ |
| - return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; |
| + if (canon != NULL) |
| + { |
| + *h_errnop = HOST_NOT_FOUND; |
| + return NSS_STATUS_NOTFOUND; |
| + } |
| + |
| + *h_errnop = NETDB_INTERNAL; |
| + return NSS_STATUS_TRYAGAIN; |
| } |
| |
| |
| @@ -1242,8 +1252,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, |
| &pat, &buffer, &buflen, |
| errnop, h_errnop, ttlp, |
| &first); |
| + /* Use the second response status in some cases. */ |
| if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) |
| status = status2; |
| + /* Do not return a truncated second response (unless it was |
| + unavoidable e.g. unrecoverable TRYAGAIN). */ |
| + if (status == NSS_STATUS_SUCCESS |
| + && (status2 == NSS_STATUS_TRYAGAIN |
| + && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) |
| + status = NSS_STATUS_TRYAGAIN; |
| } |
| |
| return status; |
| --- a/resolv/res_query.c |
| +++ b/resolv/res_query.c |
| @@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, |
| { |
| free (*answerp2); |
| *answerp2 = NULL; |
| + *nanswerp2 = 0; |
| *answerp2_malloced = 0; |
| } |
| } |
| @@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, |
| { |
| free (*answerp2); |
| *answerp2 = NULL; |
| + *nanswerp2 = 0; |
| *answerp2_malloced = 0; |
| } |
| |
| @@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, |
| { |
| free (*answerp2); |
| *answerp2 = NULL; |
| + *nanswerp2 = 0; |
| *answerp2_malloced = 0; |
| } |
| if (saved_herrno != -1) |
| --- a/resolv/res_send.c |
| +++ b/resolv/res_send.c |
| @@ -639,11 +639,7 @@ send_vc(res_state statp, |
| { |
| const HEADER *hp = (HEADER *) buf; |
| const HEADER *hp2 = (HEADER *) buf2; |
| - u_char *ans = *ansp; |
| - int orig_anssizp = *anssizp; |
| - // XXX REMOVE |
| - // int anssiz = *anssizp; |
| - HEADER *anhp = (HEADER *) ans; |
| + HEADER *anhp = (HEADER *) *ansp; |
| struct sockaddr *nsap = get_nsaddr (statp, ns); |
| int truncating, connreset, n; |
| /* On some architectures compiler might emit a warning indicating |
| @@ -767,35 +763,6 @@ send_vc(res_state statp, |
| assert (anscp != NULL || ansp2 == NULL); |
| thisresplenp = &resplen; |
| } else { |
| - if (*anssizp != MAXPACKET) { |
| - /* No buffer allocated for the first |
| - reply. We can try to use the rest |
| - of the user-provided buffer. */ |
| -#if __GNUC_PREREQ (4, 7) |
| - DIAG_PUSH_NEEDS_COMMENT; |
| - DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); |
| -#endif |
| -#if _STRING_ARCH_unaligned |
| - *anssizp2 = orig_anssizp - resplen; |
| - *ansp2 = *ansp + resplen; |
| -#else |
| - int aligned_resplen |
| - = ((resplen + __alignof__ (HEADER) - 1) |
| - & ~(__alignof__ (HEADER) - 1)); |
| - *anssizp2 = orig_anssizp - aligned_resplen; |
| - *ansp2 = *ansp + aligned_resplen; |
| -#endif |
| -#if __GNUC_PREREQ (4, 7) |
| - DIAG_POP_NEEDS_COMMENT; |
| -#endif |
| - } else { |
| - /* The first reply did not fit into the |
| - user-provided buffer. Maybe the second |
| - answer will. */ |
| - *anssizp2 = orig_anssizp; |
| - *ansp2 = *ansp; |
| - } |
| - |
| thisanssizp = anssizp2; |
| thisansp = ansp2; |
| thisresplenp = resplen2; |
| @@ -804,10 +771,14 @@ send_vc(res_state statp, |
| anhp = (HEADER *) *thisansp; |
| |
| *thisresplenp = rlen; |
| - if (rlen > *thisanssizp) { |
| - /* Yes, we test ANSCP here. If we have two buffers |
| - both will be allocatable. */ |
| - if (__glibc_likely (anscp != NULL)) { |
| + /* Is the answer buffer too small? */ |
| + if (*thisanssizp < rlen) { |
| + /* If the current buffer is not the the static |
| + user-supplied buffer then we can reallocate |
| + it. */ |
| + if (thisansp != NULL && thisansp != ansp) { |
| + /* Always allocate MAXPACKET, callers expect |
| + this specific size. */ |
| u_char *newp = malloc (MAXPACKET); |
| if (newp == NULL) { |
| *terrno = ENOMEM; |
| @@ -957,8 +928,6 @@ send_dg(res_state statp, |
| { |
| const HEADER *hp = (HEADER *) buf; |
| const HEADER *hp2 = (HEADER *) buf2; |
| - u_char *ans = *ansp; |
| - int orig_anssizp = *anssizp; |
| struct timespec now, timeout, finish; |
| struct pollfd pfd[1]; |
| int ptimeout; |
| @@ -1154,50 +1123,48 @@ send_dg(res_state statp, |
| assert (anscp != NULL || ansp2 == NULL); |
| thisresplenp = &resplen; |
| } else { |
| - if (*anssizp != MAXPACKET) { |
| - /* No buffer allocated for the first |
| - reply. We can try to use the rest |
| - of the user-provided buffer. */ |
| -#if _STRING_ARCH_unaligned |
| - *anssizp2 = orig_anssizp - resplen; |
| - *ansp2 = *ansp + resplen; |
| -#else |
| - int aligned_resplen |
| - = ((resplen + __alignof__ (HEADER) - 1) |
| - & ~(__alignof__ (HEADER) - 1)); |
| - *anssizp2 = orig_anssizp - aligned_resplen; |
| - *ansp2 = *ansp + aligned_resplen; |
| -#endif |
| - } else { |
| - /* The first reply did not fit into the |
| - user-provided buffer. Maybe the second |
| - answer will. */ |
| - *anssizp2 = orig_anssizp; |
| - *ansp2 = *ansp; |
| - } |
| - |
| thisanssizp = anssizp2; |
| thisansp = ansp2; |
| thisresplenp = resplen2; |
| } |
| |
| if (*thisanssizp < MAXPACKET |
| - /* Yes, we test ANSCP here. If we have two buffers |
| - both will be allocatable. */ |
| - && anscp |
| + /* If the current buffer is not the the static |
| + user-supplied buffer then we can reallocate |
| + it. */ |
| + && (thisansp != NULL && thisansp != ansp) |
| #ifdef FIONREAD |
| + /* Is the size too small? */ |
| && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 |
| || *thisanssizp < *thisresplenp) |
| #endif |
| ) { |
| + /* Always allocate MAXPACKET, callers expect |
| + this specific size. */ |
| u_char *newp = malloc (MAXPACKET); |
| if (newp != NULL) { |
| - *anssizp = MAXPACKET; |
| - *thisansp = ans = newp; |
| + *thisanssizp = MAXPACKET; |
| + *thisansp = newp; |
| if (thisansp == ansp2) |
| *ansp2_malloced = 1; |
| } |
| } |
| + /* We could end up with truncation if anscp was NULL |
| + (not allowed to change caller's buffer) and the |
| + response buffer size is too small. This isn't a |
| + reliable way to detect truncation because the ioctl |
| + may be an inaccurate report of the UDP message size. |
| + Therefore we use this only to issue debug output. |
| + To do truncation accurately with UDP we need |
| + MSG_TRUNC which is only available on Linux. We |
| + can abstract out the Linux-specific feature in the |
| + future to detect truncation. */ |
| + if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { |
| + Dprint(statp->options & RES_DEBUG, |
| + (stdout, ";; response may be truncated (UDP)\n") |
| + ); |
| + } |
| + |
| HEADER *anhp = (HEADER *) *thisansp; |
| socklen_t fromlen = sizeof(struct sockaddr_in6); |
| assert (sizeof(from) <= fromlen); |
