| commit | bd77dd7e73e3530203be1c52c8a29d08270cb25d | |
| author | Florian Weimer <fweimer@redhat.com> | |
| Wed, 13 Sep 2023 12:10:56 +0000 (13 14:10 +0200) | ||
| committer | Florian Weimer <fweimer@redhat.com> | |
| Wed, 13 Sep 2023 12:10:56 +0000 (13 14:10 +0200) | ||
| tree | b5d84f536d6c48f6ca85b61b42231fe01fc4384a | treesnapshot (tar.gz zip) |
| parent | c8fa383f4cec9cf1c0cc8ec97903c09af10286f4 | commitdiff |
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
| NEWS | diffblobblamehistory | |
| resolv/Makefile | diffblobblamehistory | |
| resolv/nss_dns/dns-host.c | diffblobblamehistory | |
| resolv/tst-resolv-noaaaa-vc.c | [new file with mode: 0644] | blob |