|
 |
e67796 |
commit bd77dd7e73e3530203be1c52c8a29d08270cb25d
|
|
|
e67796 |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
e67796 |
Date: Wed Sep 13 14:10:56 2023 +0200
|
|
|
e67796 |
|
|
|
e67796 |
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
|
|
|
e67796 |
|
|
|
e67796 |
Without passing alt_dns_packet_buffer, __res_context_search can only
|
|
|
e67796 |
store 2048 bytes (what fits into dns_packet_buffer). However,
|
|
|
e67796 |
the function returns the total packet size, and the subsequent
|
|
|
e67796 |
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
|
|
|
e67796 |
of the stack-allocated buffer.
|
|
|
e67796 |
|
|
|
e67796 |
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
|
|
|
e67796 |
stub resolver option") and bug 30842.
|
|
|
e67796 |
|
|
|
e67796 |
Conflicts:
|
|
|
e67796 |
resolv/nss_dns/dns-host.c
|
|
|
e67796 |
(missing dns_packet_buffer cleanup downstream)
|
|
|
e67796 |
|
|
|
e67796 |
diff --git a/resolv/Makefile b/resolv/Makefile
|
|
|
e67796 |
index ab8ad49b5318ad41..4f4eaf060443c128 100644
|
|
|
e67796 |
--- a/resolv/Makefile
|
|
|
e67796 |
+++ b/resolv/Makefile
|
|
|
e67796 |
@@ -58,6 +58,7 @@ tests += \
|
|
|
e67796 |
tst-resolv-edns \
|
|
|
e67796 |
tst-resolv-network \
|
|
|
e67796 |
tst-resolv-noaaaa \
|
|
|
e67796 |
+ tst-resolv-noaaaa-vc \
|
|
|
e67796 |
tst-resolv-nondecimal \
|
|
|
e67796 |
tst-resolv-res_init-multi \
|
|
|
e67796 |
tst-resolv-search \
|
|
|
e67796 |
@@ -202,6 +203,7 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
|
|
|
e67796 |
$(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
|
|
|
e67796 |
$(shared-thread-library)
|
|
|
e67796 |
$(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
|
|
|
e67796 |
+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
|
|
|
e67796 |
$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
|
|
|
e67796 |
$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
|
|
|
e67796 |
$(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
|
|
|
e67796 |
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
|
|
|
e67796 |
index ff0a0b6f7f1f4703..f678c7d7caa3a026 100644
|
|
|
e67796 |
--- a/resolv/nss_dns/dns-host.c
|
|
|
e67796 |
+++ b/resolv/nss_dns/dns-host.c
|
|
|
e67796 |
@@ -392,7 +392,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
|
|
|
e67796 |
else
|
|
|
e67796 |
{
|
|
|
e67796 |
n = __res_context_search (ctx, name, C_IN, T_A,
|
|
|
e67796 |
- host_buffer.buf->buf, 2048, NULL,
|
|
|
e67796 |
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
|
|
|
e67796 |
NULL, NULL, NULL, NULL);
|
|
|
e67796 |
if (n >= 0)
|
|
|
e67796 |
status = gaih_getanswer_noaaaa (host_buffer.buf, n,
|
|
|
e67796 |
diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
|
|
|
e67796 |
new file mode 100644
|
|
|
e67796 |
index 0000000000000000..9f5aebd99f2d74a2
|
|
|
e67796 |
--- /dev/null
|
|
|
e67796 |
+++ b/resolv/tst-resolv-noaaaa-vc.c
|
|
|
e67796 |
@@ -0,0 +1,129 @@
|
|
|
e67796 |
+/* Test the RES_NOAAAA resolver option with a large response.
|
|
|
e67796 |
+ Copyright (C) 2022-2023 Free Software Foundation, Inc.
|
|
|
e67796 |
+ This file is part of the GNU C Library.
|
|
|
e67796 |
+
|
|
|
e67796 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
e67796 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
e67796 |
+ License as published by the Free Software Foundation; either
|
|
|
e67796 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
e67796 |
+
|
|
|
e67796 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
e67796 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
e67796 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
e67796 |
+ Lesser General Public License for more details.
|
|
|
e67796 |
+
|
|
|
e67796 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
e67796 |
+ License along with the GNU C Library; if not, see
|
|
|
e67796 |
+ <https://www.gnu.org/licenses/>. */
|
|
|
e67796 |
+
|
|
|
e67796 |
+#include <errno.h>
|
|
|
e67796 |
+#include <netdb.h>
|
|
|
e67796 |
+#include <resolv.h>
|
|
|
e67796 |
+#include <stdbool.h>
|
|
|
e67796 |
+#include <stdlib.h>
|
|
|
e67796 |
+#include <support/check.h>
|
|
|
e67796 |
+#include <support/check_nss.h>
|
|
|
e67796 |
+#include <support/resolv_test.h>
|
|
|
e67796 |
+#include <support/support.h>
|
|
|
e67796 |
+#include <support/xmemstream.h>
|
|
|
e67796 |
+
|
|
|
e67796 |
+/* Used to keep track of the number of queries. */
|
|
|
e67796 |
+static volatile unsigned int queries;
|
|
|
e67796 |
+
|
|
|
e67796 |
+/* If true, add a large TXT record at the start of the answer section. */
|
|
|
e67796 |
+static volatile bool stuff_txt;
|
|
|
e67796 |
+
|
|
|
e67796 |
+static void
|
|
|
e67796 |
+response (const struct resolv_response_context *ctx,
|
|
|
e67796 |
+ struct resolv_response_builder *b,
|
|
|
e67796 |
+ const char *qname, uint16_t qclass, uint16_t qtype)
|
|
|
e67796 |
+{
|
|
|
e67796 |
+ /* If not using TCP, just force its use. */
|
|
|
e67796 |
+ if (!ctx->tcp)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ struct resolv_response_flags flags = {.tc = true};
|
|
|
e67796 |
+ resolv_response_init (b, flags);
|
|
|
e67796 |
+ resolv_response_add_question (b, qname, qclass, qtype);
|
|
|
e67796 |
+ return;
|
|
|
e67796 |
+ }
|
|
|
e67796 |
+
|
|
|
e67796 |
+ /* The test needs to send four queries, the first three are used to
|
|
|
e67796 |
+ grow the NSS buffer via the ERANGE handshake. */
|
|
|
e67796 |
+ ++queries;
|
|
|
e67796 |
+ TEST_VERIFY (queries <= 4);
|
|
|
e67796 |
+
|
|
|
e67796 |
+ /* AAAA queries are supposed to be disabled. */
|
|
|
e67796 |
+ TEST_COMPARE (qtype, T_A);
|
|
|
e67796 |
+ TEST_COMPARE (qclass, C_IN);
|
|
|
e67796 |
+ TEST_COMPARE_STRING (qname, "example.com");
|
|
|
e67796 |
+
|
|
|
e67796 |
+ struct resolv_response_flags flags = {};
|
|
|
e67796 |
+ resolv_response_init (b, flags);
|
|
|
e67796 |
+ resolv_response_add_question (b, qname, qclass, qtype);
|
|
|
e67796 |
+
|
|
|
e67796 |
+ resolv_response_section (b, ns_s_an);
|
|
|
e67796 |
+
|
|
|
e67796 |
+ if (stuff_txt)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ resolv_response_open_record (b, qname, qclass, T_TXT, 60);
|
|
|
e67796 |
+ int zero = 0;
|
|
|
e67796 |
+ for (int i = 0; i <= 15000; ++i)
|
|
|
e67796 |
+ resolv_response_add_data (b, &zero, sizeof (zero));
|
|
|
e67796 |
+ resolv_response_close_record (b);
|
|
|
e67796 |
+ }
|
|
|
e67796 |
+
|
|
|
e67796 |
+ for (int i = 0; i < 200; ++i)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ resolv_response_open_record (b, qname, qclass, qtype, 60);
|
|
|
e67796 |
+ char ipv4[4] = {192, 0, 2, i + 1};
|
|
|
e67796 |
+ resolv_response_add_data (b, &ipv4, sizeof (ipv4));
|
|
|
e67796 |
+ resolv_response_close_record (b);
|
|
|
e67796 |
+ }
|
|
|
e67796 |
+}
|
|
|
e67796 |
+
|
|
|
e67796 |
+static int
|
|
|
e67796 |
+do_test (void)
|
|
|
e67796 |
+{
|
|
|
e67796 |
+ struct resolv_test *obj = resolv_test_start
|
|
|
e67796 |
+ ((struct resolv_redirect_config)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ .response_callback = response
|
|
|
e67796 |
+ });
|
|
|
e67796 |
+
|
|
|
e67796 |
+ _res.options |= RES_NOAAAA;
|
|
|
e67796 |
+
|
|
|
e67796 |
+ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ queries = 0;
|
|
|
e67796 |
+ stuff_txt = do_stuff_txt;
|
|
|
e67796 |
+
|
|
|
e67796 |
+ struct addrinfo *ai = NULL;
|
|
|
e67796 |
+ int ret;
|
|
|
e67796 |
+ ret = getaddrinfo ("example.com", "80",
|
|
|
e67796 |
+ &(struct addrinfo)
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ .ai_family = AF_UNSPEC,
|
|
|
e67796 |
+ .ai_socktype = SOCK_STREAM,
|
|
|
e67796 |
+ }, &ai;;
|
|
|
e67796 |
+
|
|
|
e67796 |
+ char *expected_result;
|
|
|
e67796 |
+ {
|
|
|
e67796 |
+ struct xmemstream mem;
|
|
|
e67796 |
+ xopen_memstream (&mem;;
|
|
|
e67796 |
+ for (int i = 0; i < 200; ++i)
|
|
|
e67796 |
+ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
|
|
|
e67796 |
+ xfclose_memstream (&mem;;
|
|
|
e67796 |
+ expected_result = mem.buffer;
|
|
|
e67796 |
+ }
|
|
|
e67796 |
+
|
|
|
e67796 |
+ check_addrinfo ("example.com", ai, ret, expected_result);
|
|
|
e67796 |
+
|
|
|
e67796 |
+ free (expected_result);
|
|
|
e67796 |
+ freeaddrinfo (ai);
|
|
|
e67796 |
+ }
|
|
|
e67796 |
+
|
|
|
e67796 |
+ resolv_test_end (obj);
|
|
|
e67796 |
+ return 0;
|
|
|
e67796 |
+}
|
|
|
e67796 |
+
|
|
|
e67796 |
+#include <support/test-driver.c>
|