-Fix reply buffer mismanagement in resolver (#730856)
parent
666dd833b0
commit
bedea83172
52
glibc-rh730856.patch
Normal file
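--- /dev/null
+++ b/glibc-rh730856.patch
@@ -0,0 +1,52 @@
+diff -Nrup a/resolv/res_query.c b/resolv/res_query.c
+--- a/resolv/res_query.c 2012-05-11 13:46:06.442619026 -0400
++++ b/resolv/res_query.c 2012-05-11 16:19:35.195340660 -0400
+@@ -122,6 +122,7 @@ __libc_res_nquery(res_state statp,
+int *resplen2)
+{
+HEADER *hp = (HEADER *) answer;
++ HEADER *hp2;
+int n, use_malloc = 0;
+u_int oflags = statp->_flags;
+
+@@ -239,26 +240,25 @@ __libc_res_nquery(res_state statp,
+/* __libc_res_nsend might have reallocated the buffer. */
+hp = (HEADER *) *answerp;
+
+- /* We simplify the following tests by assigning HP to HP2. It
+- is easy to verify that this is the same as ignoring all
+- tests of HP2. */
+- HEADER *hp2 = answerp2 ? (HEADER *) *answerp2 : hp;
+-
+- if (n < (int) sizeof (HEADER) && answerp2 != NULL
+- && *resplen2 > (int) sizeof (HEADER))
++ /* We simplify the following tests by assigning HP to HP2 or
++ vice versa. It is easy to verify that this is the same as
++ ignoring all tests of HP or HP2. */
++ if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))
+{
+- /* Special case of partial answer. */
+- assert (n == 0 || hp != hp2);
+- hp = hp2;
++ hp2 = hp;
+}
+- else if (answerp2 != NULL && *resplen2 < (int) sizeof (HEADER)
+- && n > (int) sizeof (HEADER))
++ else
+{
+- /* Special case of partial answer. */
+- assert (hp != hp2);
+- hp2 = hp;
++ hp2 = (HEADER *) *answerp2;
++ if (n < (int) sizeof (HEADER))
++ {
++ hp = hp2;
++ }
+}
+
++ /* Make sure both hp and hp2 are defined */
++ assert((hp != NULL) && (hp2 != NULL));
++
+if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0)
+&& (hp2->rcode != NOERROR || ntohs(hp2->ancount) == 0)) {
+#ifdef DEBUG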
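Review bot: In the first branch (`answerp2 == NULL || *resplen2 < (int) sizeof (HEADER)`) nothing checks `n`, so when the first reply is also shorter than a header, `hp` and `hp2` both point at a buffer the reply did not fill, and the `rcode`/`ancount` test below reads whatever bytes were already there. The added `assert` only rules out NULL pointers and is compiled out under `NDEBUG`, so it does not cover this case. Unless code above the hunk already rejects a short `n` (the body of `__libc_res_nquery` starts and ends outside what is shown), add a length check in that branch before `hp2 = hp;`, for example `if (n < (int) sizeof (HEADER)) { RES_SET_H_ERRNO (statp, NO_RECOVERY); return -1; }`, using whichever error value the function's other failure paths use.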
@ -28,7 +28,7 @@
|
||||
Summary: The GNU libc libraries
|
||||
Name: glibc
|
||||
Version: %{glibcversion}
|
||||
Release: 24%{?dist}.6
|
||||
Release: 24%{?dist}.7
|
||||
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
|
||||
# Things that are linked directly into dynamically linked programs
|
||||
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
|
||||
@ -58,6 +58,7 @@ Patch14: %{name}-rh767696.patch
|
||||
Patch15: %{name}-rh552960-2.patch
|
||||
Patch16: %{name}-rh769993.patch
|
||||
Patch17: %{name}-rh794797.patch
|
||||
Patch18: %{name}-rh730856.patch
|
||||
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Obsoletes: glibc-profile < 2.4
|
||||
@ -293,6 +294,7 @@ rm -rf %{glibcportsdir}
|
||||
#%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
|
||||
# A lot of programs still misuse memcpy when they have to use
|
||||
# memmove. The memcpy implementation below is not tolerant at
|
||||
@ -1145,6 +1147,9 @@ rm -f *.filelist*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed May 9 2012 Patsy Franklin <patsy@redhat.com> - 2.14.90-24.fc16.7
|
||||
- Fix reply buffer mismanagement in resolver. (#730856)
|
||||
|
||||
* Mon Feb 20 2012 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.6
|
||||
- Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)
|
||||
- Disable 552960/769421 patches again, they're still not right.
|
||||
|