forked from pool/glibc
Andreas Schwab
a7a5db5322
- getaddrinfo-overflow.patch: Fix stack overflow due to large AF_INET6 requests (CVE-2013-4458, bnc#847227) OBS-URL: https://build.opensuse.org/request/show/205246 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=318
45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
2013-10-25 Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
|
[BZ #16072]
|
|
* sysdeps/posix/getaddrinfo.c (gethosts): Allocate tmpbuf on
|
|
heap for large requests.
|
|
|
|
Index: glibc-2.18/sysdeps/posix/getaddrinfo.c
|
|
===================================================================
|
|
--- glibc-2.18.orig/sysdeps/posix/getaddrinfo.c
|
|
+++ glibc-2.18/sysdeps/posix/getaddrinfo.c
|
|
@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename,
|
|
&rc, &herrno, NULL, &localcanon)); \
|
|
if (rc != ERANGE || herrno != NETDB_INTERNAL) \
|
|
break; \
|
|
- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
|
|
+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
|
|
+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
|
|
+ alloca_used); \
|
|
+ else \
|
|
+ { \
|
|
+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
|
|
+ 2 * tmpbuflen); \
|
|
+ if (newp == NULL) \
|
|
+ { \
|
|
+ result = -EAI_MEMORY; \
|
|
+ goto free_and_return; \
|
|
+ } \
|
|
+ tmpbuf = newp; \
|
|
+ malloc_tmpbuf = true; \
|
|
+ tmpbuflen = 2 * tmpbuflen; \
|
|
+ } \
|
|
} \
|
|
if (status == NSS_STATUS_SUCCESS && rc == 0) \
|
|
h = &th; \
|
|
@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename,
|
|
{ \
|
|
__set_h_errno (herrno); \
|
|
_res.options |= old_res_options & RES_USE_INET6; \
|
|
- return -EAI_SYSTEM; \
|
|
+ result = -EAI_SYSTEM; \
|
|
+ goto free_and_return; \
|
|
} \
|
|
if (herrno == TRY_AGAIN) \
|
|
no_data = EAI_AGAIN; \
|