This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/20031] New: nss_hesiod: Heap overflow in get_txt_records


https://sourceware.org/bugzilla/show_bug.cgi?id=20031

            Bug ID: 20031
           Summary: nss_hesiod: Heap overflow in get_txt_records
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

When a completely empty TXT record is received (which is not a valid DNS
resource record), nss_hesiod allocates a zero-sized object and then writes a
NUL terminator to it:

                if (!(list[j] = malloc(rr.dlen)))
                        goto cleanup;
                dst = list[j++];
                edst = dst + rr.dlen;
                erdata = rr.data + rr.dlen;
                cp = rr.data;
                while (cp < erdata) {
                        n = (unsigned char) *cp++;
                        if (cp + n > eom || dst + n > edst) {
                                __set_errno(EMSGSIZE);
                                goto cleanup;
                        }
                        memcpy(dst, cp, n);
                        cp += n;
                        dst += n;
                }
                if (cp != erdata) {
                        __set_errno(EMSGSIZE);
                        goto cleanup;
                }
                *dst = '\0';


==6340== Invalid write of size 1
==6340==    at 0x8BD69F0: get_txt_records.isra.0 (hesiod.c:437)
==6340==    by 0x8BD6D60: hesiod_resolve (hesiod.c:225)
==6340==    by 0x8BD7883: lookup (hesiod-pwd.c:60)
==6340==    by 0x8BD7A1A: _nss_hesiod_getpwuid_r (hesiod-pwd.c:109)
==6340==    by 0x5303E6B: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:315)
==6340==    by 0x530362D: getpwuid (getXXbyYY.c:116)
==6340==    by 0x401C3D: test_pwd (tst-hesiod.c:198)
==6340==    by 0x401C3D: main (tst-hesiod.c:272)
==6340==  Address 0x5778890 is 0 bytes after a block of size 0 alloc'd
==6340==    at 0x4A07C50: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6340==    by 0x8BD6856: get_txt_records.isra.0 (hesiod.c:417)
==6340==    by 0x8BD6D60: hesiod_resolve (hesiod.c:225)
==6340==    by 0x8BD7883: lookup (hesiod-pwd.c:60)
==6340==    by 0x8BD7A1A: _nss_hesiod_getpwuid_r (hesiod-pwd.c:109)
==6340==    by 0x5303E6B: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:315)
==6340==    by 0x530362D: getpwuid (getXXbyYY.c:116)
==6340==    by 0x401C3D: test_pwd (tst-hesiod.c:198)
==6340==    by 0x401C3D: main (tst-hesiod.c:272)

This is technically a heap overflow.  It is not a security vulnerability
because nss_hesiod, by its design, treats DNS data as trusted.
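The arithmetic behind the overflow: a TXT RDATA of dlen bytes holding k character-strings decodes to dlen - k data bytes, so the dlen-sized buffer has room for the terminator only when k >= 1; an empty RDATA has k = 0. The decoder below is an added illustration, not glibc's code or its fix; it reproduces the loop above in a self-contained function and adds a rejection of zero-length RDATA (my own hardening, labelled as such) so the final NUL write is provably in bounds.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Decode the RDATA of a DNS TXT record (a sequence of <length byte><bytes>
   character-strings) into one NUL-terminated heap string, concatenating the
   strings the way nss_hesiod's get_txt_records does.  Returns the string, or
   NULL with errno set.  The rdata_len == 0 check is the added hardening: a
   TXT RDATA must carry at least one length byte, and that byte is exactly the
   slack the rdata_len-sized buffer needs for the terminator. */
char *decode_txt_rdata(const unsigned char *rdata, size_t rdata_len)
{
	if (rdata_len == 0) {	/* invalid record: would be malloc(0) + *dst = 0 */
		errno = EMSGSIZE;
		return NULL;
	}
	char *buf = malloc(rdata_len);	/* k >= 1 length bytes leave room for NUL */
	if (buf == NULL)
		return NULL;
	char *dst = buf, *edst = buf + rdata_len;
	const unsigned char *cp = rdata, *erdata = rdata + rdata_len;
	while (cp < erdata) {
		size_t n = *cp++;	/* length byte of this character-string */
		/* Same two bounds as the original: truncated string, or more
		   data than the output buffer can hold. */
		if ((size_t)(erdata - cp) < n || (size_t)(edst - dst) < n) {
			free(buf);
			errno = EMSGSIZE;
			return NULL;
		}
		memcpy(dst, cp, n);
		cp += n;
		dst += n;
	}
	/* Each length byte consumed was not copied, so dst <= edst - 1 here and
	   the terminator write stays inside the allocation. */
	*dst = '\0';
	return buf;
}
```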

