From: Ian Jackson Date: Tue, 27 Jan 2015 17:59:18 +0000 (+0000) Subject: Apply https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e... X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=eglibc.git;a=commitdiff_plain;h=refs%2Fheads%2Fdgit%2Fsqueeze-lts Apply https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd to fix CVE-2015-0235. --- diff --git a/ChangeLog b/ChangeLog index 49dcad6..8d5bba6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2013-05-21 Andreas Schwab + + [BZ #15014] + * nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME)) + [HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was + successful. + * nss/digits_dots.c (__nss_hostname_digits_dots): Remove + redundant variable declarations and reallocation of buffer when + parsing as IPv6 address. Always set NSS status when called from + reentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when + buffer too small. Correct computation of needed size. + * nss/Makefile (tests): Add test-digits-dots. + * nss/test-digits-dots.c: New test. + 2010-05-31 Petr Baudis [BZ #11149] diff --git a/debian/changelog b/debian/changelog index 00bf45f..8ecd114 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +eglibc (2.11.3-4+deb6u3~~iwj1) unstable; urgency=low + + * Apply + https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd + to fix CVE-2015-0235. + + -- Ian Jackson Tue, 27 Jan 2015 17:58:53 +0000 + eglibc (2.11.3-4+deb6u3) squeeze-lts; urgency=medium * Non-maintainer upload by the Squeeze LTS Team. diff --git a/nss/Makefile b/nss/Makefile index d6f38e1..8197563 100644 --- a/nss/Makefile +++ b/nss/Makefile 
@@ -46,7 +46,7 @@ routines-$(OPTION_EGLIBC_INET) += digits_dots others := getent install-bin := getent -tests-$(OPTION_EGLIBC_INET) += test-netdb +tests-$(OPTION_EGLIBC_INET) += test-netdb test-digits-dots xtests-$(OPTION_EGLIBC_INET) += bug-erange include ../Makeconfig diff --git a/nss/digits_dots.c b/nss/digits_dots.c index 9576dd5..4b0b61c 100644 --- a/nss/digits_dots.c +++ b/nss/digits_dots.c @@ -47,7 +47,10 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, { if (h_errnop) *h_errnop = NETDB_INTERNAL; - *result = NULL; + if (buffer_size == NULL) + *status = NSS_STATUS_TRYAGAIN; + else + *result = NULL; return -1; } @@ -84,14 +87,16 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, } size_needed = (sizeof (*host_addr) - + sizeof (*h_addr_ptrs) + strlen (name) + 1); + + sizeof (*h_addr_ptrs) + + sizeof (*h_alias_ptr) + strlen (name) + 1); if (buffer_size == NULL) { if (buflen < size_needed) { + *status = NSS_STATUS_TRYAGAIN; if (h_errnop != NULL) - *h_errnop = TRY_AGAIN; + *h_errnop = NETDB_INTERNAL; __set_errno (ERANGE); goto done; } @@ -110,7 +115,7 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, *buffer_size = 0; __set_errno (save); if (h_errnop != NULL) - *h_errnop = TRY_AGAIN; + *h_errnop = NETDB_INTERNAL; *result = NULL; goto done; } @@ -150,7 +155,9 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, if (! ok) { *h_errnop = HOST_NOT_FOUND; - if (buffer_size) + if (buffer_size == NULL) + *status = NSS_STATUS_NOTFOUND; + else *result = NULL; goto done; } @@ -191,7 +198,7 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, if (buffer_size == NULL) *status = NSS_STATUS_SUCCESS; else - *result = resbuf; + *result = resbuf; goto done; } 
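Review bot: In the reentrant case (`buffer_size == NULL`) this early-failure path in the hunk at -47 no longer clears `*result`, and the caller shown later in this patch (`case -1: return errno;` in nss/getXXbyYY_r.c) returns without touching it either, as far as the visible lines show. A caller that did not pre-initialise its result pointer would then hold an indeterminate value after a failed call, which the previous unconditional `*result = NULL;` avoided. Unless code outside the diff covers this, keep the store in both cases: `if (buffer_size == NULL) *status = NSS_STATUS_TRYAGAIN;` followed by an unconditional `*result = NULL;`. The condition guarding this block is outside the hunk.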
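Review bot: The corrected `size_needed` sum in the hunk at -84 still gives no indication of which buffer region each term pays for, which is how a term could go missing unnoticed in the first place. A comment above the expression should list the regions in the order they are carved out of the buffer, for example `/* host_addr, h_addr_ptrs, h_alias_ptr, then the NUL-terminated copy of name */`. The pointer setup that consumes these sizes lies outside the hunk, so the order and the set of regions should be checked against it before the comment is committed.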
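Review bot: In the hunk at -150, the store `*h_errnop = HOST_NOT_FOUND;` directly above the new status assignment dereferences `h_errnop` without a check, while the buffer-too-small paths earlier in this file test `h_errnop != NULL` first. The same unguarded store sits next to the new code in the hunks at -226 and -282. If a NULL `h_errnop` is a supported call, these should read `if (h_errnop != NULL) *h_errnop = HOST_NOT_FOUND;`. If it is not, the existing guards are dead code and a comment stating the contract would remove the ambiguity.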
@@ -202,15 +209,6 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':') { - const char *cp; - char *hostname; - typedef unsigned char host_addr_t[16]; - host_addr_t *host_addr; - typedef char *host_addr_list_t[2]; - host_addr_list_t *h_addr_ptrs; - size_t size_needed; - int addr_size; - switch (af) { default: @@ -226,7 +224,10 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, /* This is not possible. We cannot represent an IPv6 address in an `struct in_addr' variable. */ *h_errnop = HOST_NOT_FOUND; - *result = NULL; + if (buffer_size == NULL) + *status = NSS_STATUS_NOTFOUND; + else + *result = NULL; goto done; case AF_INET6: @@ -234,42 +235,6 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, break; } - size_needed = (sizeof (*host_addr) - + sizeof (*h_addr_ptrs) + strlen (name) + 1); - - if (buffer_size == NULL && buflen < size_needed) - { - if (h_errnop != NULL) - *h_errnop = TRY_AGAIN; - __set_errno (ERANGE); - goto done; - } - else if (buffer_size != NULL && *buffer_size < size_needed) - { - char *new_buf; - *buffer_size = size_needed; - new_buf = realloc (*buffer, *buffer_size); - - if (new_buf == NULL) - { - save = errno; - free (*buffer); - __set_errno (save); - *buffer = NULL; - *buffer_size = 0; - *result = NULL; - goto done; - } - *buffer = new_buf; - } - - memset (*buffer, '\0', size_needed); - - host_addr = (host_addr_t *) *buffer; - h_addr_ptrs = (host_addr_list_t *) - ((char *) host_addr + sizeof (*host_addr)); - hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); - for (cp = name;; ++cp) { if (!*cp) @@ -282,7 +247,9 @@ __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, if (inet_pton (AF_INET6, name, host_addr) <= 0) { *h_errnop = HOST_NOT_FOUND; - if (buffer_size) + if (buffer_size == NULL) + *status = NSS_STATUS_NOTFOUND; + else *result = NULL; goto done; } 
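Review bot: With the IPv6-local declarations and allocation removed, `inet_pton (AF_INET6, name, host_addr)` in the hunk at -282 writes a 16-byte address into the `host_addr` set up earlier in the function, and nothing visible here shows that the shared buffer was sized for that. The removed code declared `host_addr_t` as `unsigned char[16]` locally; the outer definition is outside the diff, so it should be confirmed to be the same size. A comment at the branch such as `/* host_addr, h_addr_ptrs and hostname were sized above for a 16-byte address */` would record the dependency for the next person who touches the size computation.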
diff --git a/nss/getXXbyYY_r.c b/nss/getXXbyYY_r.c index 16dadd7..7c902a9 100644 --- a/nss/getXXbyYY_r.c +++ b/nss/getXXbyYY_r.c @@ -178,6 +178,9 @@ INTERNAL (REENTRANT_NAME) (ADD_PARAMS, LOOKUP_TYPE *resbuf, char *buffer, case -1: return errno; case 1: +#ifdef NEED_H_ERRNO + any_service = true; +#endif goto done; } #endif diff --git a/nss/test-digits-dots.c b/nss/test-digits-dots.c new file mode 100644 index 0000000..1efa344 --- /dev/null +++ b/nss/test-digits-dots.c @@ -0,0 +1,38 @@ +/* Copyright (C) 2013 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* Testcase for BZ #15014 */ + +#include +#include +#include + +static int +do_test (void) +{ + char buf[32]; + struct hostent *result = NULL; + struct hostent ret; + int h_err = 0; + int err; + + err = gethostbyname_r ("1.2.3.4", &ret, buf, sizeof (buf), &result, &h_err); + return err == ERANGE && h_err == NETDB_INTERNAL ? EXIT_SUCCESS : EXIT_FAILURE; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c"
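Review bot: The added `any_service = true;` under `case 1:` in nss/getXXbyYY_r.c carries no explanation, and the code at `done:` that reads the flag is outside the hunk, so a reader cannot tell what goes wrong without it. A short comment would help, for example `/* The name was handled by digits-dots parsing; treat that as a service having answered. */`. The wording should be checked against how `done:` actually uses `any_service`.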
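Review bot: The new test in nss/test-digits-dots.c covers only one case, an IPv4 literal with a too-small buffer through `gethostbyname_r`, and it never checks that `result` is left NULL on failure. The return line could assert that as well: `return err == ERANGE && h_err == NETDB_INTERNAL && result == NULL ? EXIT_SUCCESS : EXIT_FAILURE;`. The IPv6 branch, which this patch changes to share the earlier buffer setup, and the success path with an adequately sized buffer are not exercised. A second call with an IPv6 literal and `AF_INET6` would cover the code the other hunks rewrite.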