
ares_parse_a_reply / ares_parse_aaaa_reply seem to have new behavior #371

mmomtchev opened this issue Nov 12, 2020 · 3 comments

mmomtchev commented Nov 12, 2020

According to the manual when calling ares_parse_a_reply(), the caller is to expect that no more than naddrttls will be written to addrttls and naddrttls will be set to the number of records written. However this is not what is happening - unless I have missed something very obvious - naddrttls is set to the total number of records present. I have the feeling that this behavior is very recent?
Can you confirm this? Is it a documentation problem and was the change of behavior intended?
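As an added illustration (not c-ares code or anything from the thread), the following constructed model shows the two contracts side by side: a parser that reports the total record count even when it wrote fewer entries, the documented behaviour that reports only what was written, and the caller-side clamp that keeps a loop over addrttls inside the buffer regardless of which parser it is linked against. `struct addrttl_stub`, `buggy_parse`, `fixed_parse`, `reported_count` and `clamped_count` are all hypothetical names; the 300-record reply and the 256-entry buffer are constructed inputs.

```c
#include <stddef.h>

#define REPLY_RECORDS 300   /* constructed reply: more records than the buffer holds */
#define CALLER_CAP    256   /* constructed caller buffer size */

struct addrttl_stub { int ttl; };   /* stand-in for struct ares_addrttl (TTL only) */

typedef void (*parse_fn)(const int *, int, struct addrttl_stub *, int *);

/* Model of the over-reporting behaviour described in the issue: copies at most
 * *naddrttls entries but hands back the total number of records in the reply. */
static void buggy_parse(const int *reply_ttls, int nreply,
                        struct addrttl_stub *addrttls, int *naddrttls)
{
    int cap = *naddrttls;
    for (int i = 0; i < nreply && i < cap; i++)
        addrttls[i].ttl = reply_ttls[i];
    *naddrttls = nreply;   /* bug: count of records present, not records written */
}

/* Documented contract: *naddrttls becomes the number of entries actually written. */
static void fixed_parse(const int *reply_ttls, int nreply,
                        struct addrttl_stub *addrttls, int *naddrttls)
{
    int cap = *naddrttls;
    int n = nreply < cap ? nreply : cap;
    for (int i = 0; i < n; i++)
        addrttls[i].ttl = reply_ttls[i];
    *naddrttls = n;
}

/* Builds a constructed reply of REPLY_RECORDS TTLs, parses it into a buffer of
 * CALLER_CAP entries with capacity `cap`, and returns the count the parser reports. */
static int reported_count(parse_fn parse, int cap)
{
    int reply_ttls[REPLY_RECORDS];
    struct addrttl_stub addrttls[CALLER_CAP];
    if (cap > CALLER_CAP)
        cap = CALLER_CAP;
    for (int i = 0; i < REPLY_RECORDS; i++)
        reply_ttls[i] = 60 + i;
    int naddrttls = cap;
    parse(reply_ttls, REPLY_RECORDS, addrttls, &naddrttls);
    return naddrttls;
}

/* Caller-side hardening: never trust the returned count beyond the capacity
 * that was passed in, so the iteration bound cannot exceed the array. */
static int clamped_count(parse_fn parse, int cap)
{
    int reported = reported_count(parse, cap);
    return reported > cap ? cap : reported;
}
```

The clamp is what a caller can apply today to stay safe against a library version that over-reports; the parser-side fix makes the clamp redundant but not harmful.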

@bradh352
Member

Looks like this was an oversight in PR #257

mmomtchev added a commit to mmomtchev/node that referenced this issue Nov 12, 2020
Due to a recent c-ares bug, Node was exposed to
a security vulnerability due to reading beyond the
end of the array of DNS responses when they were
more than 256
c-ares team will fix this bug, but in the meantime,
this will plug the security hole

Fixes: https://github.com/nodejs/node/issues/36063
Refs: c-ares/c-ares#371
Refs: c-ares/c-ares@0d252eb
targos pushed a commit to nodejs/node that referenced this issue Nov 16, 2020
Original commit message:

  If there are more ttls returned than the maximum provided by the requestor, then
  the *naddrttls response would be larger than the actual number of elements in
  the addrttls array.

  This bug could lead to invalid memory accesses in applications using c-ares.

  This behavior appeared to break with PR c-ares/c-ares#257

  Fixes: c-ares/c-ares#371
  Reported By: Momtchil Momtchev (@mmomtchev)
  Fix By: Brad House (@bradh352)

Refs: https://github.com/nodejs/node/issues/36063

Signed-off-by: Michael Dawson <mdawson@devrus.com>

CVE-ID: CVE-2020-8277
PR-URL: nodejs-private/node-private#231
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
nxhack added a commit to nxhack/packages that referenced this issue Nov 16, 2020
Fix CVE-2020-8277 : Denial of Service through DNS request

c-ares/c-ares#371
c-ares/c-ares@0d252eb

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
@vitlav

vitlav commented Nov 16, 2020

Is it possible to make a release with the CVE-2020-8277 fix?

@bradh352
Member

release prep is underway for c-ares 1.17.0. @bagder will be doing final sign-off.

nxhack added a commit to nxhack/packages that referenced this issue Nov 17, 2020
Update to 1.17.0
Fix CVE-2020-8277 : Denial of Service through DNS request

c-ares/c-ares#371
c-ares/c-ares@0d252eb

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
nxhack added a commit to nxhack/packages that referenced this issue Nov 17, 2020
Fix CVE-2020-8277 : Denial of Service through DNS request

c-ares/c-ares#371
c-ares/c-ares@0d252eb

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
sergepetrenko pushed a commit to tarantool/c-ares that referenced this issue Jul 29, 2022
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.

This bug could lead to invalid memory accesses in applications using c-ares.

This behavior appeared to break with PR c-ares#257

Fixes: c-ares#371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)