
Add str len check in config_sortlist to avoid stack overflow #497

Merged (1 commit) on Jan 18, 2023

Conversation

hopper-vul (Contributor)

ares_set_sortlist calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks on the validity of the input str. It is very easy to create an arbitrary-length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.

This commit adds the necessary checks for ipbuf and ipbufpfx, which avoid the potential stack overflows.

fixes #496

Signed-off-by: hopper-vul hopper.vul@gmail.com

@bradh352 (Member)

I'm not aware of any users of this interface, but in general it just looks broken to me.

It looks like, via the documentation, it's supposed to only take IP addresses or IP addresses with subnet masks; however, looking at the pre-existing test cases, it's accepting garbage and actively being tested to ensure it accepts garbage ???

@hopper-vul (Contributor, Author)

Yes, the str in the documentation is constrained by "The provided sortstr string that holds a space separated list of IP-address-netmask pairs", but adding a few checks to avoid potential security bugs isn't a bad thing overall.

In the current change, if it detects an overflow (which means a bad input string), it will return ARES_EBADSTR. Thus, I added two test cases with minimal invalid input strings to the SetSortlistFailures test (which I think is meant to trigger some failures) to test whether the added checks work.
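The unchecked `memcpy(ipbuf, str, q-str)` pattern from the PR description and the ARES_EBADSTR rejection described in the reply above, as an added example in C. This is a simplified stand-alone model written for this page, not c-ares's own config_sortlist: the buffer sizes IPBUF_LEN and IPBUFPFX_LEN, the numeric values behind ARES_SUCCESS and ARES_EBADSTR, the function names, and the split of each token into an address and a netmask after `/` are assumptions of the model, and all inputs are constructed. It shows the vulnerable copy beside the bounded one, a safe way to compute the attacker-controlled copy length without performing the write, and a parser that rejects over-long tokens instead of overflowing its stack buffers.

```c
#include <stdio.h>
#include <string.h>

/* Only the names ARES_SUCCESS/ARES_EBADSTR appear in the thread; values are assumed. */
#define ARES_SUCCESS 0
#define ARES_EBADSTR 1
/* Assumed sizes for the model's stack buffers (the real ones are not on the page). */
#define IPBUF_LEN    16   /* one IPv4 address, plays the role of ipbuf */
#define IPBUFPFX_LEN 32   /* the netmask after '/', plays the role of ipbufpfx */

struct sortlist_entry {
    char addr[IPBUF_LEN];
    char prefix[IPBUFPFX_LEN];
};

/* Vulnerable pattern, kept for contrast: memcpy(ipbuf, str, q-str) where q-str is
 * however many bytes the caller put before the next space. Nothing relates it to
 * sizeof(dst), so a token of IPBUF_LEN or more bytes writes past the stack buffer. */
void copy_token_unchecked(char *dst, const char *str, const char *q)
{
    memcpy(dst, str, (size_t)(q - str));
    dst[q - str] = '\0';
}

/* Hardened pattern, mirroring the fix: reject a token that does not fit (with its
 * terminating NUL) instead of copying it. */
int copy_token_checked(char *dst, size_t dstlen, const char *str, const char *q)
{
    size_t n = (size_t)(q - str);
    if (n >= dstlen)
        return ARES_EBADSTR;
    memcpy(dst, str, n);
    dst[n] = '\0';
    return ARES_SUCCESS;
}

/* Would the unchecked copy of the first token overflow ipbuf? Computes the
 * attacker-controlled length without performing the write. */
int unchecked_copy_would_overflow(const char *sortstr)
{
    const char *str = sortstr, *q;
    while (*str == ' ') str++;
    q = str;
    while (*q && *q != ' ') q++;
    return (size_t)(q - str) >= (size_t)IPBUF_LEN;
}

/* Parse "addr[/mask] addr[/mask] ..." into out[]. Every copy goes through the
 * checked helper, so an over-long token yields ARES_EBADSTR instead of a corrupted
 * stack frame. Exceeding max entries is also rejected (a simplification). */
int parse_sortlist(const char *sortstr, struct sortlist_entry *out, size_t max, size_t *count)
{
    const char *str = sortstr;
    *count = 0;
    while (*str) {
        const char *q, *slash;
        struct sortlist_entry *e;
        while (*str == ' ') str++;            /* skip separators */
        if (!*str) break;
        q = str;
        while (*q && *q != ' ') q++;          /* q marks the end of this token */
        if (*count >= max) return ARES_EBADSTR;
        e = &out[*count];
        slash = memchr(str, '/', (size_t)(q - str));
        if (slash) {
            if (copy_token_checked(e->addr, sizeof e->addr, str, slash) != ARES_SUCCESS ||
                copy_token_checked(e->prefix, sizeof e->prefix, slash + 1, q) != ARES_SUCCESS)
                return ARES_EBADSTR;
        } else {
            if (copy_token_checked(e->addr, sizeof e->addr, str, q) != ARES_SUCCESS)
                return ARES_EBADSTR;
            e->prefix[0] = '\0';
        }
        (*count)++;
        str = q;
    }
    return ARES_SUCCESS;
}

/* Convenience wrapper: number of parsed entries, or -1 if the list was rejected. */
int sortlist_count(const char *sortstr)
{
    struct sortlist_entry entries[8];
    size_t n;
    if (parse_sortlist(sortstr, entries, 8, &n) != ARES_SUCCESS)
        return -1;
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: a well-formed list, then one whose second token is 40 bytes. */
    const char *good = "130.155.160.0/255.255.240.0 130.155.0.0";
    const char *bad  = "130.155.160.0/255.255.240.0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("good list: %d entries\n", sortlist_count(good));
    printf("bad list: %d (-1 means ARES_EBADSTR)\n", sortlist_count(bad));
    printf("unchecked memcpy of the bad token would overflow ipbuf: %d\n",
           unchecked_copy_would_overflow(bad + 27));
    return 0;
}
```

The check is `n >= dstlen` rather than `n > dstlen` because the copy is followed by a NUL terminator, so a token that exactly fills the buffer still overflows by one byte; the minimal invalid inputs the reply mentions adding to SetSortlistFailures are exactly this boundary, a token one byte too long for the buffer.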

@bradh352 bradh352 merged commit 9903253 into c-ares:main Jan 18, 2023
@mmuehlenhoff

JFTR, this was assigned CVE-2022-4904 (via https://bugzilla.redhat.com/show_bug.cgi?id=2168631)

Linked issue: Potential stack overflow in ares_set_sortlist