From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001 From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> Date: Wed, 18 Jan 2023 22:14:26 +0800 Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid stack overflow (#497) In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs. This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the potential stack overflows. fixes #496 Fix By: @hopper-vul Resolves: CVE-2022-4904 Signed-off-by: rpm-build --- deps/cares/src/lib/ares_init.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c index de5d86c..d5858f6 100644 --- a/deps/cares/src/lib/ares_init.c +++ b/deps/cares/src/lib/ares_init.c @@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, q = str; while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) q++; + if (q-str >= 16) + return ARES_EBADSTR; memcpy(ipbuf, str, q-str); ipbuf[q-str] = '\0'; /* Find the prefix */ @@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, const char *str2 = q+1; while (*q && *q != ';' && !ISSPACE(*q)) q++; + if (q-str >= 32) + return ARES_EBADSTR; memcpy(ipbufpfx, str, q-str); ipbufpfx[q-str] = '\0'; str = str2; -- 2.39.2