
[BZ,18665] Assignment of wrong buffer size for buffer used for receiving dns reply message causes segmentation fault.

Message ID 9B8F4BBDF8AAA54693083BC8753AE3A70AB41D4510@ONWVEXCHMB05.ciena.com
State New

Commit Message

Holliday, Robert Aug. 5, 2015, 7:03 p.m. UTC
NOTE: this issue is referencing the send_dg function in res_send.c from glibc-2.22.

A condition occurs when the recvfrom function, on line 1258, receives data using a newly created buffer, on line 1247, but
does not use the newly created buffer's size. This will cause the program using the send_dg function
to segmentation fault if the calculated aligned_resplen is 0 and is the size used in the recvfrom function, whereby
the buffer is afterwards accessed, such as in the res_queriesmatch function on line 1331.

When the thisanssizp pointer variable on line 1233 is updated, thisanssizp = anssizp2, i.e. assigned a new address,
this change causes the thisanssizp pointer variable used in the recvfrom function on line 1258 to use the
wrong size if a new buffer is created after the thisanssizp address has been changed at line 1233.

The size of the buffer used will be what was stored at the address assigned at line 1233, and not the size of the newly 
created buffer.

The program will segmentation fault if the calculated size of the buffer used is 0. The recvfrom function will
not crash, but any further accesses to the buffer where the bytes read was 0 from the recvfrom function
will cause the program to segmentation fault. 

The patch correctly assigns the size of the new buffer created to the variable that is used to store the size.

2015-08-05 Robert Holliday <rhollida@ciena.com>

               [BZ 18665]
               * resolv/res_send.c: Assign packet size to correct variable.

Conditions that create the crash.
1. Receive a packet that fills up the buffer, 2048 bytes, used in the recvfrom function on line 1258.
2. The aligned_resplen calculation, on line 1219, becomes 0. (buffer size - packet size received = 0)
3. The condition on line 1244 is met: *thisanssizp < *thisresplenp (the calculated size left < the received size), 0 < 2048,
   and a new buffer is created at line 1247 with buffer size MAXPACKET.
4. The recvfrom function, on line 1258, now uses the newly created buffer to receive DNS data.

   ISSUE: The recvfrom function is NOT using the buffer size from the newly created buffer, 
       but from the aligned_resplen calculation which was 0.
       The recvfrom function is reading 0 bytes into the new buffer, and should be reading MAXPACKET bytes into the buffer.

5. The res_queriesmatch function attempts to use the data read into the buffer: thisansp, at location: thisansp + thisanssizp,
   these are invalid pointers, and cause the program to crash.


diff -iu /glibc/res_send.c /glibc/res_send-original.c 
--- /glibc/res_send.c               2015-08-05 10:53:22.188786000 -0700
+++ /glibc/res_send-original.c      2015-08-04 23:42:22.000000000 -0700
@@ -1246,7 +1246,7 @@ 
                     ) {
                        u_char *newp = malloc (MAXPACKET);
                        if (newp != NULL) {
-                               *thisanssizp = MAXPACKET;
+                               *anssizp = MAXPACKET;
                                *thisansp = ans = newp;
                                if (thisansp == ansp2)
                                  *ansp2_malloced = 1;
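
Review bot: the diff is generated in the wrong direction, so the changed line reads as replacing `*thisanssizp = MAXPACKET;` with `*anssizp = MAXPACKET;`, which is the opposite of the fix the message describes (store the new buffer's size in the variable recvfrom reads its size from). The header puts `/glibc/res_send.c` on the `---` side and `/glibc/res_send-original.c` on the `+++` side; regenerate it with the original file first and the modified file second, using a path relative to the source tree (`resolv/res_send.c`, as in the ChangeLog entry), so that `*thisanssizp = MAXPACKET;` appears as the added line and the patch applies as intended. The `-i` option to diff is also unnecessary here, since it makes the comparison ignore case differences.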