CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]

diff --git a/ChangeLog b/ChangeLog
index 7c3e625c609948358287f8f6b165fcfbd4378763..26dcfc715c48928d88388d0fcd8929da6a272489 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+       [BZ #18287]
+       * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+       based on padding.  (CVE-2015-1781)
+
 2015-04-20  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
        * nptl/pthread_cond_timedwait.c: Change include bits/libc-vdso.h to just

diff --git a/NEWS b/NEWS
index 2bbd6a3f8bd93419d976f92186a189c978c3c4e9..ccc4d135b9edcee6bc5c90f4774d15b07ccb3917 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,7 +16,14 @@ Version 2.22
   17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029,
   18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068,
   18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197,
-  18206, 18210, 18211, 18247.
+  18206, 18210, 18211, 18247, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
   for LD and GD on x86 and x86-64, has been implemented.  You will need

diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644 (file)
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small: