c-ares:fix CVE-2022-4904 buffer overflow in config_sortlist() due to …

…missing string length check Source: c-ares/c-ares@9903253 MR: 125266 Type: Security Fix Disposition: Backport from c-ares/c-ares@9903253 ChangeID: 33b40926ed3ed7620434f30ff30874e241a3257c Description: Add str len check in config_sortlist to avoid stack overflow (openembedded#497) In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs. This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the potential stack overflows. fixes openembedded#496 Fix By: @hopper-vul Upstream-Status: Backport [c-ares/c-ares@9903253] CVE: CVE-2022-4904 Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
MontaVista-OpenSourceTechnology · Mar 23, 2023 · 0699307 · 0699307
1 parent 74689a2
commit 0699307
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch
@@ -0,0 +1,48 @@
+From 2aa53d00147001301482d26c1ad1b12cdd1dc6b4 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Tue, 21 Mar 2023 03:52:30 +0000
+Subject: [PATCH] CVE-2022-4904
+
+---
+ ares_init.c            | 4 ++++
+ test/ares-test-init.cc | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/ares_init.c b/ares_init.c
+index f7b700b..5aad7c8 100644
+--- a/ares_init.c
++++ b/ares_init.c
+@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
+index 66570ac..cd65e77 100644
+--- a/test/ares-test-init.cc
++++ b/test/ares-test-init.cc
+@@ -265,6 +265,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
+
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
+-- 
+2.18.2
+
diff --git a/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb b/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb
@@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f4b026880834eb01c035c5e5cb47ccac"
 SRCREV = "3be1924221e1326df520f8498d704a5c4c8d0cce"
 PV = "1.13.0+gitr${SRCPV}"
 
-PR .= ".1"
+PR .= ".2"
 
 SRC_URI = "\
     git://github.com/c-ares/c-ares.git \
     file://cmake-install-libcares.pc.patch \
     file://0001-CVE-2021-3672.patch \
+    file://CVE-2022-4904.patch \
 "
 
 S = "${WORKDIR}/git"