This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/20010] New: getaddrinfo: Stack overflow in hostent translation (CVE-2016-3706)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 27 Apr 2016 09:27:44 +0000
- Subject: [Bug network/20010] New: getaddrinfo: Stack overflow in hostent translation (CVE-2016-3706)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20010
Bug ID: 20010
Summary: getaddrinfo: Stack overflow in hostent translation (CVE-2016-3706)
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: fweimer at redhat dot com
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
When converting a struct hostent response to struct gaih_addrtuple, the
gethosts macro (which is called from gaih_inet) uses alloca, without malloc
fallback for large responses. This code path is used with AF_INET and AF_INET6
queries, not AF_UNSPEC queries.
In essence, this is an incomplete fix for CVE-2013-4458 (bug 16072). The
buffer passed to the NSS module is relocated to the heap, but data from it is
still copied to the stack.
Over DNS, at most 4095 addresses can arrive, and per address, a net 40 bytes of
stack space are needed, so with usual stack sizes and system configurations,
the bug cannot be triggered over the network.
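The allocation pattern the report describes, as an added example rather than glibc's own code: a hostent-to-tuple translation in which the tuple array lives on the stack only up to a fixed bound and is moved to the heap (with a failure result, not a crash, if that fails) when the responder-controlled address count exceeds it. `struct fake_hostent`, `struct addr_tuple`, `translate_hostent`, `STACK_TUPLE_LIMIT`, `make_hostent`, `free_hostent`, `translated_tuples` and `used_heap_fallback` are all names assumed for this example, the structure layouts are simplified stand-ins for glibc's, and the sample addresses are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Constructed stand-ins for struct hostent / struct gaih_addrtuple; not glibc's definitions. */
struct addr_tuple { struct addr_tuple *next; int family; uint8_t addr[16]; };
struct fake_hostent {
    int h_addrtype;
    int h_length;        /* 4 for AF_INET, 16 for AF_INET6 */
    char **h_addr_list;  /* NULL-terminated; its length is chosen by the responder */
    char *raw;           /* backing storage for the constructed addresses */
};
struct translate_result { int ok; int used_heap; size_t ntuples; };
/* Tuple arrays longer than this go to the heap. The unsafe pattern is
   alloca(n * sizeof(struct addr_tuple)) with no such bound: n comes from
   the response, so a large response can push the stack past its limit. */
#define STACK_TUPLE_LIMIT 64
struct translate_result translate_hostent(const struct fake_hostent *h)
{
    struct translate_result r = {0, 0, 0};
    if (h->h_length != 4 && h->h_length != 16)
        return r;                       /* malformed: refuse rather than over-read */
    size_t n = 0;
    while (h->h_addr_list[n] != NULL) n++;   /* responder-controlled count */
    struct addr_tuple stack_buf[STACK_TUPLE_LIMIT];
    struct addr_tuple *tuples = stack_buf;
    if (n > STACK_TUPLE_LIMIT) {
        if (n > SIZE_MAX / sizeof *tuples)
            return r;                   /* size computation would wrap */
        tuples = malloc(n * sizeof *tuples);
        if (tuples == NULL)
            return r;                   /* report failure instead of crashing */
        r.used_heap = 1;
    }
    for (size_t i = 0; i < n; i++) {
        tuples[i].family = h->h_addrtype;
        memset(tuples[i].addr, 0, sizeof tuples[i].addr);
        memcpy(tuples[i].addr, h->h_addr_list[i], (size_t)h->h_length);
        tuples[i].next = (i + 1 < n) ? &tuples[i + 1] : NULL;
    }
    /* A real caller would walk the list here; we only record the outcome. */
    r.ntuples = n;
    r.ok = 1;
    if (r.used_heap) free(tuples);
    return r;
}

void free_hostent(struct fake_hostent *h)
{
    if (h) { free(h->h_addr_list); free(h->raw); free(h); }
}

/* Builds a constructed hostent carrying n addresses of the given family. */
struct fake_hostent *make_hostent(size_t n, int family)
{
    size_t len = (family == AF_INET6) ? 16 : 4;
    struct fake_hostent *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    h->h_addrtype = family; h->h_length = (int)len;
    h->h_addr_list = malloc((n + 1) * sizeof *h->h_addr_list);
    h->raw = malloc(n * len + 1);
    if (h->h_addr_list == NULL || h->raw == NULL) { free_hostent(h); return NULL; }
    for (size_t i = 0; i < n; i++) {
        h->h_addr_list[i] = h->raw + i * len;
        memset(h->h_addr_list[i], 0, len);
        h->h_addr_list[i][0] = 10;                  /* constructed 10.x.x.x-style bytes */
        h->h_addr_list[i][len - 1] = (char)(i & 0xff);
    }
    h->h_addr_list[n] = NULL;
    return h;
}

/* Build, translate, free; report the tuple count (-1 on failure). */
long translated_tuples(size_t n, int ipv6, int bad_length)
{
    struct fake_hostent *h = make_hostent(n, ipv6 ? AF_INET6 : AF_INET);
    if (h == NULL) return -1;
    if (bad_length) h->h_length = 99;   /* simulate a corrupt module response */
    struct translate_result r = translate_hostent(h);
    free_hostent(h);
    return r.ok ? (long)r.ntuples : -1;
}

/* Same, but report whether the heap fallback was taken (-1 on failure). */
int used_heap_fallback(size_t n, int ipv6)
{
    struct fake_hostent *h = make_hostent(n, ipv6 ? AF_INET6 : AF_INET);
    if (h == NULL) return -1;
    struct translate_result r = translate_hostent(h);
    free_hostent(h);
    return r.ok ? r.used_heap : -1;
}

int main(void)
{
    printf("4095 IPv6 addresses -> %ld tuples, heap fallback=%d\n",
           translated_tuples(4095, 1, 0), used_heap_fallback(4095, 1));
    return 0;
}
```

With the bound in place, the 4095-address worst case mentioned in the report never touches the stack buffer: the array is heap-allocated and freed, and the stack cost stays at the fixed `STACK_TUPLE_LIMIT` entries regardless of what the responder sends. The size-overflow check before `malloc` matters for the same reason the bound does: `n` is untrusted, so the multiplication must not wrap into a short allocation.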