This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/19825] New: resolv: send_vc can return uninitialized data in second response to getaddrinfo


https://sourceware.org/bugzilla/show_bug.cgi?id=19825

            Bug ID: 19825
           Summary: resolv: send_vc can return uninitialized data in
                    second response to getaddrinfo
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security?

When handling a T_UNSPEC query, send_vc sometimes fails to set *resplen2 to
zero after detecting an error condition.  A short TCP reply can result in
getaddrinfo trying to parse an uninitialized portion of the response buffer.

This can only happen with a malformed reply or a TCP disconnect at the right
time.  With a protocol-compliant, trusted recursive resolver, this is less of
an issue because even if it crashes due to an unrelated, it will have passed
the entire TCP response to the kernel.

With a non-compliant/malicious recursive resolver, 16 bytes of uninitialized
memory could be returned by getaddrinfo as an IPv6 address.  Longer leaks
require a very specific structure of the uninitialized buffer contents, as far
as I can see.

send_dg may be similarly affected, but the issue looks more difficult to
trigger there.

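The failure pattern the report describes, as an added illustration written for this archive page and not glibc's own send_vc code: a constructed two-answer TCP read in which the buggy variant returns after a truncated second reply without ever writing `*resplen2`, while the hardened variant zeroes it before any I/O so that no exit path can leave it unset. The names `struct stream`, `read_answer`, `recv_two_buggy` and `recv_two_fixed`, the 512-byte answer size and the byte streams in the test are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a resolver's TCP byte stream: each answer is a
 * 2-byte big-endian length prefix followed by that many body bytes. */
struct stream { const uint8_t *data; size_t len; size_t pos; };

/* Read exactly n bytes; -1 models a short read or a disconnect. */
static int read_exact(struct stream *s, uint8_t *out, size_t n) {
    if (s->len - s->pos < n) { s->pos = s->len; return -1; }
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/* Read one length-prefixed answer into buf (512 bytes); length or -1. */
static int read_answer(struct stream *s, uint8_t *buf) {
    uint8_t hdr[2];
    if (read_exact(s, hdr, 2) != 0) return -1;
    size_t n = ((size_t)hdr[0] << 8) | hdr[1];
    if (n == 0 || n > 512 || read_exact(s, buf, n) != 0) return -1;
    return (int)n;
}

/* Buggy shape: returns the first answer's length (0 on total failure) and
 * reports the second through *resplen2, but a truncated second answer
 * returns early without writing *resplen2, so a caller that parses ans2
 * whenever *resplen2 != 0 reads whatever happened to be there. */
int recv_two_buggy(struct stream *s, uint8_t *ans, uint8_t *ans2, int *resplen2) {
    int n1 = read_answer(s, ans);
    if (n1 < 0) return 0;
    int n2 = read_answer(s, ans2);
    if (n2 < 0) return n1;          /* defect: *resplen2 left untouched */
    *resplen2 = n2;
    return n1;
}

/* Hardened shape: *resplen2 is zeroed before any I/O and only set once a
 * complete second answer has been read, so no exit path leaves it unset. */
int recv_two_fixed(struct stream *s, uint8_t *ans, uint8_t *ans2, int *resplen2) {
    *resplen2 = 0;
    int n1 = read_answer(s, ans);
    if (n1 < 0) return 0;
    int n2 = read_answer(s, ans2);
    if (n2 < 0) return n1;
    *resplen2 = n2;
    return n1;
}
```

The review check this models is simple: for every early return, confirm each output parameter the caller will consult has been written.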
