Bug 798471 - out of bounds access
Summary: out of bounds access
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jeff Law
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-02-28 23:26 UTC by Serge Pavlovsky
Modified: 2016-11-24 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-29 16:49:08 UTC
Type: ---



Description Serge Pavlovsky 2012-02-28 23:26:08 UTC
Description of problem:
out of bounds access

Version-Release number of selected component (if applicable):
/usr/src/debug/glibc-2.14-394-g8f3b1ff/resolv/res_query.c



static int
__libc_res_nquerydomain(res_state statp,   
                        const char *name,  
                        const char *domain,
                        int class, int type,    /* class and type of query */
                        u_char *answer,         /* buffer to put answer */  
                        int anslen,                     /* size of answer */
                        u_char **answerp, 
                        u_char **answerp2,
                        int *nanswerp2,
                        int *resplen2)
{
        char nbuf[MAXDNAME];
        const char *longname = nbuf;
(1)        size_t n, d;

#ifdef DEBUG
        if (statp->options & RES_DEBUG)
                printf(";; res_nquerydomain(%s, %s, %d, %d)\n",  
                       name, domain?domain:"<Nil>", class, type);
#endif
        if (domain == NULL) {
                /*
                 * Check for trailing '.';
                 * copy without '.' if present.
                 */
                n = strlen(name);   
                if (n >= MAXDNAME) {
                        RES_SET_H_ERRNO(statp, NO_RECOVERY);
                        return (-1);
                }   
(2)                n--;
(3)                if (n >= 0 && name[n] == '.') {
                        strncpy(nbuf, name, n);
                        nbuf[n] = '\0';
                } else
                        longname = name;
-------
1) size_t is unsigned
2) n becomes ulong_max on empty name
3) unsigned always >= 0

Comment 1 Serge Pavlovsky 2012-02-28 23:38:29 UTC
and the fix is: replace (2) and (3) with if (n-- > 0 && ...

Comment 2 Jeff Law 2012-02-29 04:36:41 UTC
Good find.  There are some security implications here, though they look fairly difficult to exploit.

Comment 3 Jeff Law 2012-02-29 16:49:08 UTC
I installed a fix for this into rawhide & f17.
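
As an added illustration (not code from the bug report or from glibc), the C program below reproduces the index arithmetic of the snippet in the description without dereferencing it, next to a hardened copy of the trailing-dot trimming block that uses the `if (n-- > 0 && ...)` check proposed in Comment 1. MAXDNAME is given glibc's value of 1025; the helper names (buggy_trailing_index, strip_trailing_dot and the check functions) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* glibc's value from <arpa/nameser.h>, used here only to size nbuf. */
#define MAXDNAME 1025

/* Mirror of the index arithmetic in the reported snippet: the original does
 * `size_t n = strlen(name); n--; if (n >= 0 && name[n] == '.')`.  This
 * helper returns n instead of dereferencing name[n], so the empty-name case
 * can be inspected without an out-of-bounds read.  For "" it yields
 * SIZE_MAX: the `n >= 0` test in the original can never reject it because
 * n is unsigned, so the original goes on to read name[SIZE_MAX]. */
size_t buggy_trailing_index(const char *name)
{
    size_t n = strlen(name);
    n--;                       /* wraps to SIZE_MAX when name is "" */
    return n;
}

/* Hardened trailing-dot trimming, using the check proposed in Comment 1.
 * Copies name into nbuf without its trailing '.' and returns nbuf, or
 * returns name itself when there is nothing to strip (the original's
 * `longname = name` path).  Returns NULL when the name is too long, where
 * the original sets NO_RECOVERY and returns -1. */
const char *strip_trailing_dot(const char *name, char nbuf[MAXDNAME])
{
    size_t n = strlen(name);

    if (n >= MAXDNAME)
        return NULL;

    /* n-- only happens after the n > 0 test, so n never wraps and name[n]
     * is always inside the string.  n < MAXDNAME guarantees the copy and
     * the terminator stay inside nbuf. */
    if (n-- > 0 && name[n] == '.') {
        memcpy(nbuf, name, n);   /* strncpy in the original; same bytes here */
        nbuf[n] = '\0';
        return nbuf;
    }
    return name;
}

/* Demonstration helper: 1 if strip_trailing_dot(in) yields the string
 * `expect` (NULL meaning "rejected as too long"), 0 otherwise. */
int strip_gives(const char *in, const char *expect)
{
    char nbuf[MAXDNAME];
    const char *out = strip_trailing_dot(in, nbuf);

    if (out == NULL || expect == NULL)
        return out == expect;
    return strcmp(out, expect) == 0;
}

/* 1 if strip_trailing_dot hands back the caller's pointer untouched. */
int strip_returns_input(const char *in)
{
    char nbuf[MAXDNAME];
    return strip_trailing_dot(in, nbuf) == in;
}

/* 1 if a MAXDNAME-character name is rejected, as the original's length
 * check requires. */
int too_long_rejected(void)
{
    char longname[MAXDNAME + 1];
    char nbuf[MAXDNAME];

    memset(longname, 'a', MAXDNAME);
    longname[MAXDNAME] = '\0';
    return strip_trailing_dot(longname, nbuf) == NULL;
}

int main(void)
{
    /* constructed sample inputs, including the empty name that triggers the bug */
    const char *inputs[] = { "", ".", "example.com.", "example.com" };
    char nbuf[MAXDNAME];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *out = strip_trailing_dot(inputs[i], nbuf);
        printf("name=\"%s\": original would read name[%zu]; hardened gives \"%s\"\n",
               inputs[i], buggy_trailing_index(inputs[i]), out);
    }
    printf("too-long name rejected: %d\n", too_long_rejected());
    return 0;
}
```

For an empty name the original reads name[SIZE_MAX], which in practice is the byte just before the string. If that byte happens to be '.', the following strncpy(nbuf, name, SIZE_MAX) pads nbuf with NUL bytes far past its end before nbuf[SIZE_MAX] is even reached; that dependence on whatever precedes the string is why the problem reads as hard to exploit, though an out-of-bounds read on every empty name is already reachable.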

