Bug 16071 - Segmentation fault in getaddrinfo() when processing entry mapping to long list of AF_INET address structures
Summary: Segmentation fault in getaddrinfo() when processing entry mapping to long lis...
Alias: None
Product: glibc
Classification: Unclassified
Component: network (show other bugs)
Version: 2.18
: P2 normal
Target Milestone: ---
Assignee: Siddhesh Poyarekar
Depends on: CVE-2015-5277
Blocks: CVE-2013-4458
  Show dependency treegraph
Reported: 2013-10-22 05:27 UTC by Siddhesh Poyarekar
Modified: 2014-06-23 09:49 UTC (History)
1 user (show)

See Also:
Last reconfirmed:
fweimer: security-


Note You need to log in before you can comment on or make changes to this bug.
Description Siddhesh Poyarekar 2013-10-22 05:27:15 UTC
Adding a large number of IPv4 entries for a host in /etc/hosts and then querying it results in a segmentation fault.

How reproducible:


Steps to Reproduce:
  1. Create 50K ' host-fubar' entries, and 50K '::1 host-fubar' entries in '/etc/hosts'.
  2. Call getaddrinfo for 'node' = "host-fubar", no 'flags' set, and AF_INET in 'hints->ai_family'.

Actual results:


Expected results:


Patch coming up.
Comment 1 Siddhesh Poyarekar 2013-10-30 10:50:40 UTC
Fixed in master:

commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Oct 30 16:13:37 2013 +0530

    Fix reads for sizes larger than INT_MAX in AF_INET lookup
    Currently for AF_INET lookups from the hosts file, buffer sizes larger
    than INT_MAX silently overflow and may result in access beyond bounds
    of a buffer.  This happens when the number of results in an AF_INET
    lookup in /etc/hosts are very large.
    There are two aspects to the problem.  One problem is that the size
    computed from the buffer size is stored into an int, which results in
    overflow for large sizes.  Additionally, even if this size was
    expanded, the function used to read content into the buffer (fgets)
    accepts only int sizes.  As a result, the fix is to have a function
    wrap around fgets that calls it multiple times with int sizes if

 ChangeLog                 |  8 ++++++++
 NEWS                      |  2 +-
 nss/nss_files/files-XXX.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 60 insertions(+), 9 deletions(-)
Comment 2 Florian Weimer 2014-06-13 12:36:26 UTC
Siddhesh, is this triggerable without editing /etc/hosts?  In other words, does this cross a security boundary?
Comment 3 Siddhesh Poyarekar 2014-06-23 09:48:43 UTC
This specific problem is only triggered by editing /etc/hosts.  Given that the root cause was related to reading in the file, I'd say this does not have an impact outside of /etc/hosts, so it should not be a security issue.