Fix endless loop in nss_dns getnetbyname [BZ #17630]

Message ID	548F0FF2.4060506@redhat.com
State	New
Headers	show Return-Path: <libc-alpha-return-55444-incoming=patchwork.ozlabs.org@sourceware.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:content-type; q=dns; s=default; b=uaN2I5RFnba50wpN5t/58 4lpoHTe2reciJollA9bt6Hcg/mj+T0DecpNrIA9kNaOfnF6uVkmvOwfr4DGC7sRK LdxyhPxW935lqfntM/Vvm+bCvyOd5XLxf+SOc1p+uGFidLXG1DsGk/AIuYdU/uGM Q/akM+te6AdT3WadbfYX3s= Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org Message-ID: <548F0FF2.4060506@redhat.com> Date: Mon, 15 Dec 2014 17:44:34 +0100 From: Florian Weimer <fweimer@redhat.com> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: GNU C Library <libc-alpha@sourceware.org> CC: Roland McGrath <roland@hack.frob.com> Subject: [PATCH] Fix endless loop in nss_dns getnetbyname [BZ #17630] Content-Type: multipart/mixed; boundary="------------000107080701010008060704"

Message ID

548F0FF2.4060506@redhat.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:cc
	:subject:content-type; q=dns; s=default; b=uaN2I5RFnba50wpN5t/58
	4lpoHTe2reciJollA9bt6Hcg/mj+T0DecpNrIA9kNaOfnF6uVkmvOwfr4DGC7sRK
	LdxyhPxW935lqfntM/Vvm+bCvyOd5XLxf+SOc1p+uGFidLXG1DsGk/AIuYdU/uGM
	Q/akM+te6AdT3WadbfYX3s=
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
Message-ID: <548F0FF2.4060506@redhat.com>
Date: Mon, 15 Dec 2014 17:44:34 +0100
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: GNU C Library <libc-alpha@sourceware.org>
CC: Roland McGrath <roland@hack.frob.com>
Subject: [PATCH] Fix endless loop in nss_dns getnetbyname [BZ #17630]
Content-Type: multipart/mixed;
	boundary="------------000107080701010008060704"

The outer loop never advanced the alias pointer in case of a parse error. I think this patch restores the original intent, but I'm not sure. Tested on x86_64-redhat-linux-gnu. I have requested CVE assignment on oss-security.

Comments

Siddhesh Poyarekar Dec. 16, 2014, 8:47 a.m. UTC | #1

On Mon, Dec 15, 2014 at 05:44:34PM +0100, Florian Weimer wrote:
> The outer loop never advanced the alias pointer in case of a parse error.  I
> think this patch restores the original intent, but I'm not sure.
> 
> Tested on x86_64-redhat-linux-gnu.
> 
> I have requested CVE assignment on oss-security.
> 
> -- 
> Florian Weimer / Red Hat Product Security

> From ac3dc70d931d9eb427085e67514a6dbef7142902 Mon Sep 17 00:00:00 2001
> From: Florian Weimer <fweimer@redhat.com>
> Date: Mon, 15 Dec 2014 17:41:13 +0100
> Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
> 
> 2014-12-15  Florian Weimer  <fweimer@redhat.com>
> 
> 	[BZ #17630]
> 	* resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
> 	names.
> 

Looks good to me.

Siddhesh

> diff --git a/NEWS b/NEWS
> index a324c10..39f326e 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -13,8 +13,8 @@ Version 2.21
>    15884, 16469, 16617, 16619, 16657, 16740, 16857, 17192, 17266, 17344,
>    17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508,
>    17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581, 17582, 17583,
> -  17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17633, 17634,
> -  17647, 17653, 17664, 17665, 17668, 17682.
> +  17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17630, 17633,
> +  17634, 17647, 17653, 17664, 17665, 17668, 17682.
>  
>  * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
>    under certain input conditions resulting in the execution of a shell for
> @@ -25,6 +25,9 @@ Version 2.21
>  * CVE-2012-3406 printf-style functions could run into a stack overflow when
>    processing format strings with a large number of format specifiers.
>  
> +* The nss_dns implementation of getnetbyname could run into an infinite loop
> +  if the DNS response contained a PTR record of an unexpected format.
> +
>  * The minimum GCC version that can be used to build this version of the GNU
>    C Library is GCC 4.6.  Older GCC versions, and non-GNU compilers, can
>    still be used to compile programs using the GNU C Library.
> diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
> index 0a77c8b..08cf0a6 100644
> --- a/resolv/nss_dns/dns-network.c
> +++ b/resolv/nss_dns/dns-network.c
> @@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
>  
>  	case BYNAME:
>  	  {
> -	    char **ap = result->n_aliases++;
> -	    while (*ap != NULL)
> +	    char **ap;
> +	    for (ap = result->n_aliases; *ap != NULL; ++ap)
>  	      {
>  		/* Check each alias name for being of the forms:
>  		   4.3.2.1.in-addr.arpa		= net 1.2.3.4
> -- 
> 2.1.0
>

From ac3dc70d931d9eb427085e67514a6dbef7142902 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 15 Dec 2014 17:41:13 +0100
Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630]

2014-12-15  Florian Weimer  <fweimer@redhat.com>

	[BZ #17630]
	* resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
	names.

diff --git a/NEWS b/NEWS
index a324c10..39f326e 100644
--- a/NEWS
+++ b/NEWS
@@ -13,8 +13,8 @@  Version 2.21
   15884, 16469, 16617, 16619, 16657, 16740, 16857, 17192, 17266, 17344,
   17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508,
   17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581, 17582, 17583,
-  17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17633, 17634,
-  17647, 17653, 17664, 17665, 17668, 17682.
+  17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17630, 17633,
+  17634, 17647, 17653, 17664, 17665, 17668, 17682.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
@@ -25,6 +25,9 @@  Version 2.21
 * CVE-2012-3406 printf-style functions could run into a stack overflow when
   processing format strings with a large number of format specifiers.
 
+* The nss_dns implementation of getnetbyname could run into an infinite loop
+  if the DNS response contained a PTR record of an unexpected format.
+
 * The minimum GCC version that can be used to build this version of the GNU
   C Library is GCC 4.6.  Older GCC versions, and non-GNU compilers, can
   still be used to compile programs using the GNU C Library.
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 0a77c8b..08cf0a6 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -398,8 +398,8 @@  getanswer_r (const querybuf *answer, int anslen, struct netent *result,
 
 	case BYNAME:
 	  {
-	    char **ap = result->n_aliases++;
-	    while (*ap != NULL)
+	    char **ap;
+	    for (ap = result->n_aliases; *ap != NULL; ++ap)
 	      {
 		/* Check each alias name for being of the forms:
 		   4.3.2.1.in-addr.arpa		= net 1.2.3.4
-- 
2.1.0

Fix endless loop in nss_dns getnetbyname [BZ #17630]

Commit Message

Comments

Patch