From patchwork Thu Mar 23 13:21:30 2017
X-Patchwork-Submitter: kmeaw@kmeaw.com
X-Patchwork-Id: 19710
Date: Thu, 23 Mar 2017 16:21:30 +0300
From: kmeaw@kmeaw.com
To: libc-alpha@sourceware.org
Subject: [PATCH][BZ 21295] getaddrinfo: do not overwrite IPv6 IPs with IPv4 when using AF_UNSPEC
Message-ID: <20170323132130.GA25347@kmeaw.com>

The CVE-2016-3706 patch introduces a regression which disrupts connectivity
from IPv6-only to dual-stack hosts.

This is caused by convert_hostent_to_gaih_addrtuple, which frees the result
as opposed to appending to it (prior to the CVE patch in gaih_inet).

This change replaces the free(*result) call with a loop which looks for the
pointer to the end of the linked list (&(*result)->next), so successive calls
append the result to the list instead of overwriting it.

Bugzilla entry #21295 describes a way to reproduce the issue.
---
 ChangeLog                   | 5 +++++
 sysdeps/posix/getaddrinfo.c | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

--
2.12.0

diff --git a/ChangeLog b/ChangeLog index 7809c3dc2b..56179d6164 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,8 @@ +2017-03-23 Dmitry Bilunov + + * sysdeps/posix/getaddrinfo.c (onvert_hostent_to_gaih_addrtuple): + do not overwrite list of IPv6 addresses with IPv4; merge them instead. + 2017-03-22 Zack Weinberg * stdio-common/bug25.c: Include stdlib.h. diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index eed7264850..cf1d99b2e2 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -190,16 +190,16 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, /* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name is not copied, and the struct hostent object must not be - deallocated prematurely. *RESULT must be NULL or a pointer to an - object allocated using malloc, which is freed. */ + deallocated prematurely. *RESULT must be NULL or a pointer to a + linked-list, which is scanned to the end. */ static bool convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, struct hostent *h, struct gaih_addrtuple **result) { - free (*result); - *result = NULL; + while (*result) + result = &(*result)->next; /* Count the number of addresses in h->h_addr_list. */ size_t count = 0;
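
Review bot: the ChangeLog entry misspells the function name as "onvert_hostent_to_gaih_addrtuple" (the leading "c" is missing), and it carries no reference to the bug named in the subject line. Suggest "(convert_hostent_to_gaih_addrtuple): Do not overwrite list of IPv6 addresses with IPv4; merge them instead." with a "[BZ #21295]" line above the file entry, so the entry can be matched to the Bugzilla report.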
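
Review bot: in the sysdeps/posix/getaddrinfo.c hunk, the rewritten comment above convert_hostent_to_gaih_addrtuple drops the old statement that *RESULT is malloc-allocated and freed here, but does not say who owns the existing nodes now or how a list built up over several calls is meant to be released. Since the function no longer frees anything, the comment should state that contract explicitly, for example that existing entries are left untouched and new entries are linked after the last one. As a style point, the loop condition reads more clearly with an explicit comparison, "while (*result != NULL)". The message points to a reproducer in Bugzilla #21295, yet the diffstat shows only ChangeLog and getaddrinfo.c; a regression test for an AF_UNSPEC lookup that must return both address families would keep this from recurring.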