Fix stack overflow in getaddrinfo with many results (#947892, CVE-2013-1914)

2013-08-19 18:25:29 +05:30 · 2013-08-19 18:25:29 +05:30 · f626cf6388
commit f626cf6388
parent c7516dcc05
2 changed files with 56 additions and 1 deletions
--- a/glibc-rh947892.patch
+++ b/glibc-rh947892.patch
@ -0,0 +1,50 @@
+commit 1cef1b19089528db11f221e938f60b9b048945d7
+Author: Andreas Schwab <schwab@suse.de>
+Date:   Thu Mar 21 15:50:27 2013 +0100
+
+    Fix stack overflow in getaddrinfo with many results
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index d95c2d1..2309281 100644
+--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
+@@ -2489,11 +2489,27 @@ getaddrinfo (const char *name, const char *service,
+       __typeof (once) old_once = once;
+       __libc_once (once, gaiconf_init);
+       /* Sort results according to RFC 3484.  */
+-      struct sort_result results[nresults];
+-      size_t order[nresults];
+      struct sort_result *results;
+      size_t *order;
+       struct addrinfo *q;
+       struct addrinfo *last = NULL;
+       char *canonname = NULL;
+      bool malloc_results;
+
+      malloc_results
+	= !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      if (malloc_results)
+	{
+	  results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
+	  if (results == NULL)
+	    {
+	      __free_in6ai (in6ai);
+	      return EAI_MEMORY;
+	    }
+	}
+      else
+	results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      order = (size_t *) (results + nresults);
+ 
+       /* Now we definitely need the interface information.  */
+       if (! check_pf_called)
+@@ -2664,6 +2680,9 @@ getaddrinfo (const char *name, const char *service,
+ 
+       /* Fill in the canonical name into the new first entry.  */
+       p->ai_canonname = canonname;
+
+      if (malloc_results)
+	free (results);
+     }
+ 
+   __free_in6ai (in6ai);
--- a/glibc.spec
+++ b/glibc.spec
@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 12%{?dist}
+Release: 13%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@ -123,6 +123,7 @@ Patch1006: %{name}-rh977887.patch
 Patch1007: %{name}-rh977887-2.patch
 Patch1008: %{name}-rh984829.patch
 Patch1009: %{name}-rh995841.patch
+Patch1010: %{name}-rh947892.patch

 #
 # Patches submitted, but not yet approved upstream.
@ -433,6 +434,7 @@ package or when debugging this package.
 %patch1008 -p1
 %patch2040 -p1
 %patch1009 -p1
+%patch1010 -p1

 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@ -1223,6 +1225,9 @@ rm -f *.filelist*
 %endif

 %changelog
+* Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-13
+- Fix stack overflow in getaddrinfo with many results (#947892, CVE-2013-1914).
+
 * Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-12
 - Disable pt_chown (#984829, CVE-2013-2207).
 - Fix strcoll flaws (#855399, CVE-2012-4412, CVE-2012-4424).