From patchwork Mon Dec 15 16:44:34 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 4257 Received: (qmail 9065 invoked by alias); 15 Dec 2014 16:44:44 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 9048 invoked by uid 89); 15 Dec 2014 16:44:42 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.1 required=5.0 tests=AWL, BAYES_00, SPF_HELO_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com Message-ID: <548F0FF2.4060506@redhat.com> Date: Mon, 15 Dec 2014 17:44:34 +0100 From: Florian Weimer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: GNU C Library CC: Roland McGrath Subject: [PATCH] Fix endless loop in nss_dns getnetbyname [BZ #17630] The outer loop never advanced the alias pointer in case of a parse error. I think this patch restores the original intent, but I'm not sure. Tested on x86_64-redhat-linux-gnu. I have requested CVE assignment on oss-security. From ac3dc70d931d9eb427085e67514a6dbef7142902 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 15 Dec 2014 17:41:13 +0100 Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630] 2014-12-15 Florian Weimer [BZ #17630] * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias names. diff --git a/NEWS b/NEWS index a324c10..39f326e 100644 --- a/NEWS +++ b/NEWS @@ -13,8 +13,8 @@ Version 2.21 15884, 16469, 16617, 16619, 16657, 16740, 16857, 17192, 17266, 17344, 17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508, 17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581, 17582, 17583, - 17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17633, 17634, - 17647, 17653, 17664, 17665, 17668, 17682. + 17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17630, 17633, + 17634, 17647, 17653, 17664, 17665, 17668, 17682. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for @@ -25,6 +25,9 @@ Version 2.21 * CVE-2012-3406 printf-style functions could run into a stack overflow when processing format strings with a large number of format specifiers. +* The nss_dns implementation of getnetbyname could run into an infinite loop + if the DNS response contained a PTR record of an unexpected format. + * The minimum GCC version that can be used to build this version of the GNU C Library is GCC 4.6. Older GCC versions, and non-GNU compilers, can still be used to compile programs using the GNU C Library. diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 0a77c8b..08cf0a6 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result, case BYNAME: { - char **ap = result->n_aliases++; - while (*ap != NULL) + char **ap; + for (ap = result->n_aliases; *ap != NULL; ++ap) { /* Check each alias name for being of the forms: 4.3.2.1.in-addr.arpa = net 1.2.3.4 -- 2.1.0