aboutsummaryrefslogtreecommitdiffstats
path: root/main/musl/CVE-2017-15650.patch
blob: 7ac52fccd58d9c6e171a4a5315724cbb78a9a0a0 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Wed, 18 Oct 2017 14:50:03 -0400
Subject: in dns parsing callback, enforce MAXADDRS to preclude overflow

MAXADDRS was chosen not to need enforcement, but the logic used to
compute it assumes the answers received match the RR types of the
queries. specifically, it assumes that only one replu contains A
record answers. if the replies to both the A and the AAAA query have
their answer sections filled with A records, MAXADDRS can be exceeded
and clobber the stack of the calling function.

this bug was found and reported by Felix Wilhelm.
---
 src/network/lookup_name.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 066be4d..209c20f 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
 {
 	char tmp[256];
 	struct dpc_ctx *ctx = c;
+	if (ctx->cnt >= MAXADDRS) return -1;
 	switch (rr) {
 	case RR_A:
 		if (len != 4) return -1;
-- 
cgit v0.11.2