diff mbox

[COMMITTED,2.19] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]

Message ID 1440795541-14843-1-git-send-email-aurelien@aurel32.net
State New
Headers show

Commit Message

Aurelien Jarno Aug. 28, 2015, 8:59 p.m. UTC
From: Arjun Shankar <arjun.is@lostca.se>

(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
---
 ChangeLog                 |  6 ++++++
 NEWS                      | 10 +++++++++-
 resolv/nss_dns/dns-host.c |  3 ++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff mbox

Patch

diff --git a/ChangeLog b/ChangeLog
index b88cd04..0eb6c3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@ 
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
 2014-12-11  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #16657]
diff --git a/NEWS b/NEWS
index 6f240cd..7f9388f 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,15 @@  Version 2.19.1
 * The following bugs are resolved with this release:
 
   15946, 16545, 16574, 16623, 16657, 16695, 16878, 16882, 16885, 16916,
-  16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555.
+  16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555,
+  18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * Reverted change of ABI data structures for s390 and s390x:
   On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f0b4b17..f36d28b 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@  getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
     {
       /* The buffer is too small.  */
     too_small: