This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/19791] New: res_query.c:262 asserts when dns contains unreachable entries
- From: "ppadmavilasom at vmware dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 09 Mar 2016 01:48:31 +0000
- Subject: [Bug network/19791] New: res_query.c:262 asserts when dns contains unreachable entries
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19791
Bug ID: 19791
Summary: res_query.c:262 asserts when dns contains unreachable entries
Product: glibc
Version: 2.23
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: ppadmavilasom at vmware dot com
Target Milestone: ---
Created attachment 9077
--> https://sourceware.org/bugzilla/attachment.cgi?id=9077&action=edit
Patch to check answerp2's contents as well before deciding to use it
uname
res_query.c:262: __libc_res_nquery: Assertion `(hp != ((void *)0)) && (hp2 != ((void *)0))' failed.
This can be triggered by disabling ipv6, then adding an ipv6 dns and using the
proof of concept here:
https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-client.c
Removing the ipv6 dns entry removes the issue. This is also true for an ipv4
dns entry with ipv4 disabled.
While debugging, it seems hp and hp2 are getting overwritten by NULL because at line 248, `if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))`, answerp2 is not NULL but *answerp2 is NULL. This will cause the else condition to execute and set both hp and hp2 to NULL as shown below.
    /* else branch of the check at line 248 */
    hp2 = (HEADER *) *answerp2;
    if (n < (int) sizeof (HEADER))
      {
        hp = hp2;
      }
Applying the fix to include *answerp2 as well in the check at line 248 seems to
fix the issue.
if (answerp2 == NULL || *answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))
--
You are receiving this mail because:
You are on the CC list for the bug.
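To make the reported control flow concrete, the following is an added C model of the hp/hp2 selection around res_query.c:248-262 with the original check and the proposed one side by side; it is not glibc's code, and the HEADER stand-in, the select_headers and assertion_holds names and the constructed input state are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the resolver's HEADER; only its 12-byte size matters.  */
typedef struct { unsigned char raw[12]; } HEADER;
/* Model of the hp/hp2 selection around res_query.c:248-262 as the report
   describes it (not glibc's code; only the pointer handling is kept).
   `fixed` selects the proposed check that also tests *answerp2.  */
static bool
select_headers (unsigned char *answer, int n, unsigned char **answerp2,
                int *resplen2, bool fixed, HEADER **hp, HEADER **hp2)
{
  *hp = (HEADER *) answer;
  bool no_second = (answerp2 == NULL
                    || (fixed && *answerp2 == NULL)
                    || *resplen2 < (int) sizeof (HEADER));
  if (no_second)
    *hp2 = *hp;                 /* reuse the first reply's header */
  else
    {
      /* The else branch quoted in the report: *answerp2 is used as-is,
         and a short first reply makes hp copy it too.  */
      *hp2 = (HEADER *) *answerp2;
      if (n < (int) sizeof (HEADER))
        *hp = *hp2;
    }
  /* Whether the assertion at res_query.c:262 would hold.  */
  return *hp != NULL && *hp2 != NULL;
}

/* The reported state, constructed: answerp2 itself is valid but the
   buffer pointer it refers to is NULL, *resplen2 still reads as a full
   header, and the first reply is too short (n = 0).  */
bool
assertion_holds (bool fixed)
{
  unsigned char answer[sizeof (HEADER)] = { 0 };
  unsigned char *buf2 = NULL;
  int resplen2 = (int) sizeof (HEADER);
  HEADER *hp, *hp2;
  return select_headers (answer, 0, &buf2, &resplen2, fixed, &hp, &hp2);
}
int
main (void)
{
  printf ("original check: assert %s\n", assertion_holds (false) ? "holds" : "fails");
  printf ("proposed check: assert %s\n", assertion_holds (true) ? "holds" : "fails");
  return 0;
}
```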