This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/18665] In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer.


https://sourceware.org/bugzilla/show_bug.cgi?id=18665

--- Comment #4 from Robert <rhollida at ciena dot com> ---
Overview:

A condition occurs when the recvfrom function receives data using a newly created buffer but does not use the newly created buffer size; the buffer is then accessed and causes the program to crash.

In send_dg in res_send.c (referencing lines in res_send.c from glibc-2.21).

Conditions that create the crash:
1. Receive a packet that fills up the buffer, 2048 bytes, used in the recvfrom function on line 1282.
2. The aligned_resplen calculation, on line 1243, becomes 0 (buffer size - packet size received = 0).
3. The condition on line 1268 is met: *thisanssizp < *thisresplenp (the calculated size left < the received size), 0 < 2048, and a new buffer is created at line 1271 with buffer size MAXPACKET.
4. The recvfrom function on line 1282 now uses the newly created buffer to receive DNS data.

   ISSUE: The recvfrom function is NOT using the buffer size from the newly created buffer, but from the aligned_resplen calculation, which was 0. The recvfrom function is reading 0 bytes into the new buffer, and should be reading MAXPACKET bytes into the buffer.

5. The res_queriesmatch function attempts to use the data read into the buffer, thisansp, at location thisansp + thisanssizp; these are invalid pointers, and cause the program to crash.

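A compact C model of the sequence described in this comment, added here as an illustration; it is not code from glibc or from the reporter. It shows the stale-size defect (a buffer is replaced but the length handed to the receive call is still the 0 left over from the old buffer) beside the corrected handling, and the check a caller should make before parsing an answer. The function names (fake_recvfrom, receive_second_answer, answer_parse_ok), the MAXPACKET value and the constructed 2048-byte reply are assumptions for the example, not glibc's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes used only to model the report: the initial 2048-byte answer buffer
   and the larger replacement buffer. MAXPACKET's value is an assumption. */
#define ANSWER_BUF_SIZE 2048
#define MAXPACKET 65536
#define DATAGRAM_LEN 2048 /* constructed: a reply that exactly fills the first buffer */

struct recv_result {
    size_t bytes;   /* what the second receive actually read into the new buffer */
    size_t bufsize; /* the size variable the caller would later trust */
};

/* Stand-in for recvfrom(): copies at most `len` bytes of a constructed
   DATAGRAM_LEN-byte reply into `buf` and returns the number copied. */
static size_t fake_recvfrom(unsigned char *buf, size_t len)
{
    size_t n = DATAGRAM_LEN < len ? DATAGRAM_LEN : len;
    memset(buf, 0xAB, n); /* constructed payload, not a real DNS message */
    return n;
}

/* Models steps 1-4 of the report. update_size_after_realloc == 0 reproduces
   the stale-size defect; 1 applies the correction (the size variable follows
   the buffer it describes). */
static struct recv_result receive_second_answer(int update_size_after_realloc)
{
    struct recv_result r = {0, 0};
    unsigned char first[ANSWER_BUF_SIZE];

    /* Step 1: a reply fills the whole original buffer. */
    size_t first_len = fake_recvfrom(first, sizeof first); /* 2048 */

    /* Step 2: space left in the original buffer is now 0. */
    size_t aligned_resplen = ANSWER_BUF_SIZE - first_len;
    size_t thisanssiz = aligned_resplen;
    unsigned char *thisans = first;
    size_t expected_resplen = DATAGRAM_LEN;

    /* Step 3: too small for the next reply, so a MAXPACKET buffer replaces it. */
    unsigned char *newbuf = NULL;
    if (thisanssiz < expected_resplen) {
        newbuf = malloc(MAXPACKET);
        if (newbuf == NULL)
            return r;
        thisans = newbuf;
        if (update_size_after_realloc)
            thisanssiz = MAXPACKET; /* corrected: size describes the new buffer */
        /* defect path: thisanssiz stays 0 although thisans now has MAXPACKET bytes */
    }

    /* Step 4: receive into the new buffer with whatever size variable we hold. */
    r.bytes = fake_recvfrom(thisans, thisanssiz);
    r.bufsize = thisanssiz;
    free(newbuf);
    return r;
}

/* Gate before handing an answer to a parser/matcher: the reported length must
   be non-zero and must fit inside the buffer it is claimed to live in. */
static int answer_parse_ok(size_t resplen, size_t bufsize)
{
    return resplen > 0 && resplen <= bufsize;
}

int main(void)
{
    struct recv_result bad = receive_second_answer(0);
    struct recv_result good = receive_second_answer(1);
    printf("stale size: read %zu bytes, size var %zu, parse ok=%d\n",
           bad.bytes, bad.bufsize, answer_parse_ok(bad.bytes, bad.bufsize));
    printf("fixed size: read %zu bytes, size var %zu, parse ok=%d\n",
           good.bytes, good.bufsize, answer_parse_ok(good.bytes, good.bufsize));
    return 0;
}
```

The point of the model is the pairing of buffer and length: whenever a buffer pointer is swapped for a freshly allocated one, the length variable that travels with it must be updated in the same place, and any consumer should refuse an answer whose length is zero or exceeds the buffer it was read into.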

