Bug 798471

Summary: out of bounds access
Product: Fedora
Reporter: Serge Pavlovsky <pal666>
Component: glibc
Assignee: Jeff Law <law>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: fweimer, jakub, law, schwab
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-29 16:49:08 UTC

Description Serge Pavlovsky 2012-02-28 23:26:08 UTC
Description of problem:
out of bounds access

Version-Release number of selected component (if applicable):
/usr/src/debug/glibc-2.14-394-g8f3b1ff/resolv/res_query.c



static int
__libc_res_nquerydomain(res_state statp,   
                        const char *name,  
                        const char *domain,
                        int class, int type,    /* class and type of query */
                        u_char *answer,         /* buffer to put answer */  
                        int anslen,                     /* size of answer */
                        u_char **answerp, 
                        u_char **answerp2,
                        int *nanswerp2,
                        int *resplen2)
{
        char nbuf[MAXDNAME];
        const char *longname = nbuf;
(1)        size_t n, d;

#ifdef DEBUG
        if (statp->options & RES_DEBUG)
                printf(";; res_nquerydomain(%s, %s, %d, %d)\n",  
                       name, domain?domain:"<Nil>", class, type);
#endif
        if (domain == NULL) {
                /*
                 * Check for trailing '.';
                 * copy without '.' if present.
                 */
                n = strlen(name);   
                if (n >= MAXDNAME) {
                        RES_SET_H_ERRNO(statp, NO_RECOVERY);
                        return (-1);
                }   
(2)                n--;
(3)                if (n >= 0 && name[n] == '.') {
                        strncpy(nbuf, name, n);
                        nbuf[n] = '\0';
                } else
                        longname = name;
-------
1) size_t is unsigned
2) n becomes ulong_max on empty name
3) unsigned always >= 0

Comment 1 Serge Pavlovsky 2012-02-28 23:38:29 UTC
And the fix is: replace (2) and (3) with if (n-- > 0 && ...
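The underflow described in the report and the one-line fix proposed in Comment 1, side by side, as an added example that is not glibc's code: probe_original() mirrors the original check but only reports which index it would dereference instead of reading it (reading name[SIZE_MAX] is the out-of-bounds access itself), and strip_trailing_dot_fixed() is the same trailing-dot logic with the n-- > 0 guard. The function names, the static-buffer wrapper query_name_fixed() and the sample names are constructed for this example; MAXDNAME is set to the resolver's value from <arpa/nameser.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXDNAME 1025   /* resolver limit, as in <arpa/nameser.h> */

/* What the original check decides for a given name: the index it would
 * dereference and whether that index lies inside the string. */
struct probe {
    size_t index;
    int in_bounds;
};

/* Mirrors the reported code:
 *     size_t n = strlen(name); n--; if (n >= 0 && name[n] == '.')
 * For "" the decrement wraps to SIZE_MAX and n >= 0 is a tautology, so the
 * real function reads name[SIZE_MAX], i.e. the byte before the string.
 * Here we only report the index instead of reading it. */
struct probe probe_original(const char *name)
{
    size_t len = strlen(name);
    size_t n = len;
    n--;                                  /* (2): wraps for an empty name */
    struct probe p;
    p.index = n;
    p.in_bounds = (n >= 0) && (n < len);  /* (3): n >= 0 is always true */
    return p;
}

/* Trailing-dot stripping with the fix from Comment 1: decrement only after
 * proving n > 0, so an empty name never indexes the buffer.
 * Returns the name to query (nbuf or name itself), or NULL if name is too
 * long (the original returns -1 after setting NO_RECOVERY). */
const char *strip_trailing_dot_fixed(const char *name, char nbuf[MAXDNAME])
{
    size_t n = strlen(name);
    if (n >= MAXDNAME)
        return NULL;
    if (n-- > 0 && name[n] == '.') {
        memcpy(nbuf, name, n);
        nbuf[n] = '\0';
        return nbuf;
    }
    return name;
}

/* Convenience wrapper with a static buffer (constructed for the example). */
const char *query_name_fixed(const char *name)
{
    static char nbuf[MAXDNAME];
    return strip_trailing_dot_fixed(name, nbuf);
}

int main(void)
{
    /* Constructed sample names: the empty name is the one that triggers the bug. */
    const char *samples[] = { "", ".", "example.com.", "example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct probe p = probe_original(samples[i]);
        printf("\"%s\": original reads name[%zu] (%s); fixed queries \"%s\"\n",
               samples[i], p.index, p.in_bounds ? "in bounds" : "OUT OF BOUNDS",
               query_name_fixed(samples[i]));
    }
    return 0;
}
```

Compilers that warn on comparison of an unsigned value against zero (-Wtype-limits) flag the (n >= 0) in probe_original(); that warning is exactly the tautology the report points at, and is worth turning on when auditing code that decrements size_t values.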

Comment 2 Jeff Law 2012-02-29 04:36:41 UTC
Good find.  There are some security implications here, though they look fairly difficult to exploit.

Comment 3 Jeff Law 2012-02-29 16:49:08 UTC
I installed a fix for this into rawhide & f17.