This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH][BZ #16072] Fix stack overflow due to large AF_INET6 requests
- From: Siddhesh Poyarekar <siddhesh at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 24 Oct 2013 08:22:20 +0530
- Subject: Re: [PATCH][BZ #16072] Fix stack overflow due to large AF_INET6 requests
- Authentication-results: sourceware.org; auth=none
- References: <20131022071550 dot GG11038 at spoyarek dot pnq dot redhat dot com> <20131022125104 dot GI11038 at spoyarek dot pnq dot redhat dot com> <52681C52 dot 4070509 at redhat dot com>
On Wed, Oct 23, 2013 at 02:58:26PM -0400, Carlos O'Donell wrote:
> > - tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
> > + if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
>
> __glibc_likely? Who has huge /etc/hosts files?
>
OK.
> > + tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
> > + alloca_used); \
> > + else \
> > + { \
> > + char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
> > + 2 * tmpbuflen); \
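Review bot: the realloc branch doubles `tmpbuflen` with no ceiling, so a large enough response keeps the retry loop growing the heap buffer until realloc fails, and once `tmpbuflen` exceeds half of size_t the `2 * tmpbuflen` expression wraps before realloc is even reached. Consider bounding `tmpbuflen` against a fixed maximum (and against `SIZE_MAX / 2`) before computing the new size and failing the lookup instead of growing further; the same doubled value is also what `__libc_use_alloca (alloca_used + 2 * tmpbuflen)` tests, so one check ahead of the `if` would cover both paths.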
>
> realloc has no limit making it possible to DoS the system.
>
> Should we consider a fixed size constant as the upper limit for this malloc?
>
> See:
> https://sourceware.org/glibc/wiki/Style_and_Conventions#Alloca_vs._Malloc
> "If the size of the buffer is directly or indirectly under user control,
> consider imposing a maximum to help make denial-of-service attacks more
> difficult. "
>
This size is controlled by the size of the DNS response or the
response generated from /etc/hosts. Unless an attacker has control of
the DNS server (or access to modify /etc/hosts), I don't see this as
a problem.
Siddhesh
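The point in dispute above is whether a temporary buffer whose size follows a DNS or /etc/hosts response should be allowed to grow without limit once it moves from the stack to the heap. The following is an added example, not glibc's code and not the patch under review: it shows one way to write the "double the buffer" step so that it carries the fixed upper bound the Style_and_Conventions page recommends and refuses the request instead of growing further. The constants TMPBUF_MAX and the 256-byte initial stack buffer are assumptions chosen for the example; the alloca/extend_alloca_account half of glibc's scheme is replaced by a plain stack-then-heap handoff so the code runs anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on the temporary buffer for this example (1 MiB). The real
   limit, if glibc adopts one, is not given in the thread. */
#define TMPBUF_MAX ((size_t) 1 << 20)

struct tmpbuf {
    char *ptr;      /* current buffer */
    size_t len;     /* current capacity in bytes */
    bool on_heap;   /* true once ptr came from realloc and must be freed */
};

/* Start with a caller-supplied stack buffer, as the lookup code does. */
static inline void tmpbuf_init(struct tmpbuf *b, char *stack_buf, size_t len)
{
    b->ptr = stack_buf;
    b->len = len;
    b->on_heap = false;
}

/* Double the buffer. Returns 0 on success, -1 if the doubling would wrap
   size_t, exceed TMPBUF_MAX, or fail to allocate. On failure the old
   buffer is untouched and still owned exactly as before, so the caller
   can free it normally. */
static int tmpbuf_grow(struct tmpbuf *b)
{
    if (b->len > SIZE_MAX / 2)          /* 2 * len would overflow */
        return -1;
    size_t newlen = 2 * b->len;
    if (newlen > TMPBUF_MAX)            /* the fixed upper bound */
        return -1;

    /* Same shape as the patch: pass the old pointer to realloc only if it
       already lives on the heap; a stack buffer is copied out instead. */
    char *newp = realloc(b->on_heap ? b->ptr : NULL, newlen);
    if (newp == NULL)
        return -1;
    if (!b->on_heap)
        memcpy(newp, b->ptr, b->len);   /* first move off the stack */
    b->ptr = newp;
    b->len = newlen;
    b->on_heap = true;
    return 0;
}

static void tmpbuf_free(struct tmpbuf *b)
{
    if (b->on_heap)
        free(b->ptr);
    b->ptr = NULL;
    b->len = 0;
    b->on_heap = false;
}

/* Stand-in for a lookup whose answer needs `needed` bytes: `needed` plays
   the role of the DNS/hosts response size an attacker may influence.
   Returns the capacity reached, or 0 if the request was refused because
   it would exceed TMPBUF_MAX (the ERANGE-style outcome). */
size_t lookup_with_bounded_buffer(size_t needed)
{
    char stack_buf[256];                /* assumed initial stack size */
    struct tmpbuf b;
    tmpbuf_init(&b, stack_buf, sizeof stack_buf);

    while (b.len < needed) {
        if (tmpbuf_grow(&b) != 0) {
            tmpbuf_free(&b);
            return 0;                   /* refuse rather than grow unbounded */
        }
    }
    size_t reached = b.len;
    tmpbuf_free(&b);
    return reached;
}
```

Because the cap is checked before the multiplication result is used, a response that claims a size near SIZE_MAX is rejected by the same branch as one that is merely too large; the caller sees one failure mode and never a wrapped allocation size.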