From patchwork Wed Aug 5 19:03:43 2015
X-Patchwork-Submitter: "Holliday, Robert"
X-Patchwork-Id: 8025
From: "Holliday, Robert"
To: "libc-alpha@sourceware.org"
Date: Wed, 5 Aug 2015 15:03:43 -0400
Subject: [PATCH][BZ 18665] Assignment of wrong buffer size for buffer used for receiving dns reply message causes segmentation fault.
Message-ID: <9B8F4BBDF8AAA54693083BC8753AE3A70AB41D4510@ONWVEXCHMB05.ciena.com>

NOTE: this issue references the send_dg function in res_send.c from glibc-2.22.

A condition occurs when the recvfrom function, on line 1258, receives data using a newly created buffer (from line 1247) but does not use the newly created buffer's size. This will cause the program using the send_dg function to crash with a segmentation fault if the calculated aligned_resplen is 0 and is the size used in the recvfrom function, whereby the buffer is accessed afterwards, such as in the res_queriesmatch function on line 1331.

When the thisanssizp pointer variable on line 1233 is updated (thisanssizp = anssizp2, i.e. assigned a new address), this change causes the thisanssizp pointer variable used in the recvfrom function on line 1258 to use the wrong size if a new buffer is created after the thisanssizp address has been changed at line 1233. The size of the buffer used will be what was stored at the address assigned at line 1233, and not the size of the newly created buffer. The program will crash with a segmentation fault if the calculated size of the buffer used is 0. The recvfrom function itself will not crash, but any further accesses to the buffer where the number of bytes read by recvfrom was 0 will cause the program to crash with a segmentation fault.
The patch correctly assigns the size of the new buffer created to the variable that is used to store the size.

2015-08-05  Robert Holliday

	[BZ 18665]
	* resolv/res_send.c: Assign packet size to correct variable.

Conditions that create the crash:

1. Receive a packet that fills up the buffer (2048 bytes) used in the recvfrom function on line 1258.
2. The aligned_resplen calculation on line 1219 becomes 0 (buffer size - packet size received = 0).
3. The condition on line 1244 is met: *thisanssizp < *thisresplenp (the calculated size left < the received size), 0 < 2048,
   and a new buffer is created at line 1247 with buffer size MAXPACKET.
4. The recvfrom function on line 1258 now uses the newly created buffer to receive DNS data.
   ISSUE: The recvfrom function is NOT using the buffer size from the newly created buffer,
   but from the aligned_resplen calculation, which was 0.
   The recvfrom function is reading 0 bytes into the new buffer, and should be reading MAXPACKET bytes into the buffer.
5. The res_queriesmatch function attempts to use the data read into the buffer: thisansp, at location thisansp + thisanssizp;
   these are invalid pointers, and cause the program to crash.

diff -iu /glibc/res_send.c /glibc/res_send-original.c
--- /glibc/res_send.c               2015-08-05 10:53:22.188786000 -0700
+++ /glibc/res_send-original.c      2015-08-04 23:42:22.000000000 -0700
@@ -1246,7 +1246,7 @@
                      ) {
                         u_char *newp = malloc (MAXPACKET);
                         if (newp != NULL) {
-                               *thisanssizp = MAXPACKET;
+                               *anssizp = MAXPACKET;
                                 *thisansp = ans = newp;
                                 if (thisansp == ansp2)
                                   *ansp2_malloced = 1;
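Review bot: the hunk is reversed. `diff -iu /glibc/res_send.c /glibc/res_send-original.c` puts the patched file on the `---` side (its timestamp, 2015-08-05, is the newer one), so the `-` line `*thisanssizp = MAXPACKET;` is the fix the text describes and the `+` line `*anssizp = MAXPACKET;` is the code being replaced; applied as-is with patch(1) it would revert the fix rather than install it. Regenerate the diff with the original file first, preferably from the source tree so the path reads `resolv/res_send.c`, and drop `-i` (ignore case), which has no place in a patch submission. The ChangeLog entry should also name the function in glibc's convention: `* resolv/res_send.c (send_dg): Assign packet size to correct variable.`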
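As an added illustration, not glibc code and not part of the patch above, the following C program models the size-pointer aliasing the mail describes: thisanssizp is re-pointed at anssizp2 for the second answer, so updating *anssizp after the new malloc leaves the size variable that recvfrom actually reads at 0. The names anssizp, anssizp2, thisanssizp and MAXPACKET follow the quoted hunk; fake_recvfrom, grow_and_receive, demo and the 65536 value of MAXPACKET are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPACKET 65536   /* same name as the hunk; the value is an assumption */

/* Constructed stand-in for recvfrom(): copies at most len bytes of a
   made-up reply header into buf and returns the number of bytes stored. */
static size_t fake_recvfrom(unsigned char *buf, size_t len)
{
    static const unsigned char reply[] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1 };
    size_t n = sizeof reply < len ? sizeof reply : len;
    memcpy(buf, reply, n);
    return n;
}

/* Models the second-answer path of send_dg as the mail describes it.
   anssizp is the first answer's size variable, anssizp2 the second's;
   thisanssizp is re-pointed to anssizp2 (the mail's line 1233).  When
   the reply (resplen) does not fit, a MAXPACKET buffer is allocated and
   one of the two size variables is updated:
     fixed != 0 -> *thisanssizp  (the hunk's "-" line)
     fixed == 0 -> *anssizp      (the hunk's "+" line)
   Returns the length handed to the receive call, or (size_t)-1 if the
   allocation fails.  *out receives the buffer; the caller frees it. */
size_t grow_and_receive(int fixed, int *anssizp, int *anssizp2,
                        int resplen, unsigned char **out)
{
    int *thisanssizp = anssizp2;
    unsigned char *newp = NULL;

    if (*thisanssizp < resplen) {          /* the mail's line 1244 */
        newp = malloc(MAXPACKET);
        if (newp == NULL)
            return (size_t)-1;
        if (fixed)
            *thisanssizp = MAXPACKET;      /* size of the buffer actually used */
        else
            *anssizp = MAXPACKET;          /* updates the first answer's size only */
    }
    *out = newp;

    /* The receive call (the mail's line 1258) takes *thisanssizp as the
       buffer length, whichever variable was updated above. */
    size_t len = (size_t)*thisanssizp;
    if (newp != NULL)
        fake_recvfrom(newp, len);
    return len;
}

/* Runs the scenario from the mail: the 2048-byte buffer is already full,
   so the second answer's remaining size (aligned_resplen) is 0 and a
   2048-byte reply arrives.  Returns the length the receive call was given:
   0 with the original assignment, MAXPACKET with the corrected one. */
size_t demo(int fixed)
{
    int anssiz = 2048;          /* first answer's buffer size */
    int aligned_resplen = 0;    /* space left for the second answer */
    unsigned char *buf = NULL;
    size_t len = grow_and_receive(fixed, &anssiz, &aligned_resplen, 2048, &buf);
    free(buf);
    return len;
}

int main(void)
{
    printf("original: receive length = %zu\n", demo(0));
    printf("fixed:    receive length = %zu\n", demo(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it; the original assignment hands the receive call a length of 0 while a freshly allocated MAXPACKET buffer sits unused, which is exactly the mismatch the numbered conditions above lead to.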