From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001

From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>

Date: Wed, 18 Jan 2023 22:14:26 +0800

Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid

 stack overflow (#497)

In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse

the input str and initialize a sortlist configuration.

However, ares_set_sortlist has not any checks about the validity of the input str.

It is very easy to create an arbitrary length stack overflow with the unchecked

`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`

statements in the config_sortlist call, which could potentially cause severe

security impact in practical programs.

This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the

potential stack overflows.

fixes #496

Fix By: @hopper-vul

Resolves: CVE-2022-4904

Signed-off-by: rpm-build <rpm-build>

---

 deps/cares/src/lib/ares_init.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c

index de5d86c..d5858f6 100644

--- a/deps/cares/src/lib/ares_init.c

+++ b/deps/cares/src/lib/ares_init.c

@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,

       q = str;

       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))

         q++;

+      if (q-str >= 16)

+        return ARES_EBADSTR;

       memcpy(ipbuf, str, q-str);

       ipbuf[q-str] = '\0';

       /* Find the prefix */

@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,

           const char *str2 = q+1;

           while (*q && *q != ';' && !ISSPACE(*q))

             q++;

+          if (q-str >= 32)

+            return ARES_EBADSTR;

           memcpy(ipbufpfx, str, q-str);

           ipbufpfx[q-str] = '\0';

           str = str2;

-- 

2.39.2