Bug 798471 - out of bounds access
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: glibc
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Jeff Law
Reported: 2012-02-28 18:26 EST by Serge Pavlovsky
Modified: 2016-11-24 10:37 EST (History)
Doc Type: Bug Fix
Last Closed: 2012-02-29 11:49:08 EST
Description Serge Pavlovsky 2012-02-28 18:26:08 EST
Description of problem:
out of bounds access

Version-Release number of selected component (if applicable):
/usr/src/debug/glibc-2.14-394-g8f3b1ff/resolv/res_query.c



static int
__libc_res_nquerydomain(res_state statp,   
                        const char *name,  
                        const char *domain,
                        int class, int type,    /* class and type of query */
                        u_char *answer,         /* buffer to put answer */  
                        int anslen,                     /* size of answer */
                        u_char **answerp, 
                        u_char **answerp2,
                        int *nanswerp2,
                        int *resplen2)
{
        char nbuf[MAXDNAME];
        const char *longname = nbuf;
(1)        size_t n, d;

#ifdef DEBUG
        if (statp->options & RES_DEBUG)
                printf(";; res_nquerydomain(%s, %s, %d, %d)\n",  
                       name, domain?domain:"<Nil>", class, type);
#endif
        if (domain == NULL) {
                /*
                 * Check for trailing '.';
                 * copy without '.' if present.
                 */
                n = strlen(name);   
                if (n >= MAXDNAME) {
                        RES_SET_H_ERRNO(statp, NO_RECOVERY);
                        return (-1);
                }   
(2)                n--;
(3)                if (n >= 0 && name[n] == '.') {
                        strncpy(nbuf, name, n);
                        nbuf[n] = '\0';
                } else
                        longname = name;
-------
1) size_t is unsigned
2) n becomes ulong_max on empty name
3) unsigned always >= 0
Comment 1 Serge Pavlovsky 2012-02-28 18:38:29 EST
And the fix is: replace (2) and (3) with if (n-- > 0 && ...
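The description's three points and the reporter's proposed check, written out as an added C example that is not part of this bug report or of glibc. buggy_index() reproduces the original arithmetic on a size_t without ever dereferencing the result, so it can safely show the wrap on an empty name; strip_trailing_dot() applies the "n-- > 0" test from Comment 1. The function names are hypothetical, and MAXDNAME is assumed here to be the usual 1025.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: the limit from glibc's resolver headers. */
#define MAXDNAME 1025

/* Mirrors the original control flow: n is size_t, so "n--" on an empty
 * name wraps to SIZE_MAX, and the "n >= 0" test is always true for an
 * unsigned value. Only the index is returned; name[n] is never read. */
size_t buggy_index(const char *name)
{
    size_t n = strlen(name);
    const size_t lower_bound = 0;   /* the literal 0 of the original check */
    n--;                            /* (2): SIZE_MAX when strlen(name) == 0 */
    if (n >= lower_bound)           /* (3): cannot be false for size_t */
        return n;                   /* the original reads name[n] here */
    return 0;
}

/* 1 if the index the original code would use lies past the string's NUL. */
int buggy_reads_out_of_bounds(const char *name)
{
    return buggy_index(name) > strlen(name);
}

/* Hardened version using the Comment 1 check: the "> 0" comparison is made
 * before the decrement, so an empty name takes the else branch instead of
 * indexing name[SIZE_MAX]. Copies name minus a trailing '.' into nbuf, or
 * points *longname at name unchanged. Returns -1 if name is too long. */
int strip_trailing_dot(const char *name, char nbuf[MAXDNAME],
                       const char **longname)
{
    size_t n = strlen(name);
    if (n >= MAXDNAME)
        return -1;
    if (n-- > 0 && name[n] == '.') {
        memcpy(nbuf, name, n);
        nbuf[n] = '\0';
        *longname = nbuf;
    } else {
        *longname = name;
    }
    return 0;
}

/* Helper for checking results: 1 if strip_trailing_dot() succeeds and
 * yields exactly 'expected'. */
int check_strip(const char *name, const char *expected)
{
    char nbuf[MAXDNAME];
    const char *out = NULL;
    if (strip_trailing_dot(name, nbuf, &out) != 0 || out == NULL)
        return 0;
    return strcmp(out, expected) == 0;
}

/* 1 if a name longer than MAXDNAME is rejected rather than copied. */
int check_too_long(void)
{
    char toolong[MAXDNAME + 10];      /* constructed over-length input */
    char nbuf[MAXDNAME];
    const char *out = NULL;
    memset(toolong, 'a', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';
    return strip_trailing_dot(toolong, nbuf, &out) == -1;
}

int main(void)
{
    printf("buggy index for \"\": %zu (SIZE_MAX is %zu)\n",
           buggy_index(""), (size_t)SIZE_MAX);
    printf("out of bounds on empty name: %d\n", buggy_reads_out_of_bounds(""));
    printf("out of bounds on \"example.com.\": %d\n",
           buggy_reads_out_of_bounds("example.com."));
    printf("fixed, \"example.com.\" -> ok: %d\n",
           check_strip("example.com.", "example.com"));
    printf("fixed, \"\" -> ok: %d\n", check_strip("", ""));
    return 0;
}
```

The unsigned type is the root cause, so the alternative of declaring n as int would also work, but the reporter's one-token change keeps size_t and removes the always-true comparison that a compiler with -Wtype-limits would have flagged.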
Comment 2 Jeff Law 2012-02-28 23:36:41 EST
Good find. There are some security implications here, though they look fairly difficult to exploit.
Comment 3 Jeff Law 2012-02-29 11:49:08 EST
I installed a fix for this into rawhide & f17.