blob: 7ed5789f2d6f3d02247f475a5acb5f42991e6d72 (
plain) (
tree)
|
|
From f17988489a32f6c1308474bd7b408299646e0777 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Fri, 25 Oct 2013
Subject: CVE-2013-4458
Stack overflow in getaddrinfo (AF_INET6 case) with many
results has been fixed. Different from CVE-2013-1914.
---
This patch was adapted for glibc 2.17 based on:
https://sourceware.org/git/?p=glibc.git;a=commit;h=7cbcdb369958
---
getaddrinfo.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -196,7 +196,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
&rc, &herrno, NULL, &localcanon)); \
if (rc != ERANGE || herrno != NETDB_INTERNAL) \
break; \
- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
+ alloca_used); \
+ else \
+ { \
+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
+ 2 * tmpbuflen); \
+ if (newp == NULL) \
+ { \
+ result = -EAI_MEMORY; \
+ goto free_and_return; \
+ } \
+ tmpbuf = newp; \
+ malloc_tmpbuf = true; \
+ tmpbuflen = 2 * tmpbuflen; \
+ } \
} \
if (status == NSS_STATUS_SUCCESS && rc == 0) \
h = &th; \
@@ -208,7 +223,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
{ \
__set_h_errno (herrno); \
_res.options |= old_res_options & RES_USE_INET6; \
- return -EAI_SYSTEM; \
+ result = -EAI_SYSTEM; \
+ goto free_and_return; \
} \
if (herrno == TRY_AGAIN) \
no_data = EAI_AGAIN; \
|