Potential stack overflow in ares_set_sortlist #496
hopper-vul added a commit to hopper-vul/c-ares that referenced this issue (Dec 13, 2022)

In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.

This commit adds the necessary check for `ipbuf` and `ipbufpfx`, which avoids the potential stack overflows.

fixes c-ares#496

Signed-off-by: hopper-vul <hopper.vul@gmail.com>
bradh352 pushed a commit that referenced this issue (Jan 18, 2023)

In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.

This commit adds the necessary check for `ipbuf` and `ipbufpfx`, which avoids the potential stack overflows.

fixes #496

Fix By: @hopper-vul

This got assigned CVE-2022-4904 by Red Hat CNA.

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue (Apr 4, 2023)

Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue (Apr 5, 2023)

Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

amstewart pushed a commit to ni/meta-openembedded that referenced this issue (Apr 7, 2023)

Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue (Apr 10, 2023)

Source: meta-openembedded
MR: 124675, 125263
Type: Security Fix
Disposition: Merged from meta-openembedded
ChangeID: 092e125
Description:

Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>

In `ares_set_sortlist`, it calls `config_sortlist(..., sortstr)` to parse the input str and initialize a sortlist configuration.

However, `ares_set_sortlist` does not have any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.

For example, the litter case could produce a stack overflow:

As `ares_set_sortlist` is a public interface of a widely-used library, I think it is necessary to add some checks to forbid further severe security bugs.
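
The kind of length check the issue asks for, as an added example that is not part of the original issue or the c-ares source: a simplified parser for one `addr` or `addr/prefix` token that rejects over-long input before each `memcpy`. The buffer sizes, the `sort_entry` type, `scan_to`, `parse_sort_entry` and the status codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
/* Sizes and names below are assumptions for this example, not c-ares values. */
#define IPBUF_LEN    16
#define IPBUFPFX_LEN 32
enum { SORT_OK = 0, SORT_EBADSTR = -1 };

struct sort_entry {
    char ip[IPBUF_LEN];        /* address part */
    char ippfx[IPBUFPFX_LEN];  /* "address/prefix", or "" when no '/' */
};

/* Advance to the end of a token: stops at `stop`, ';', whitespace or NUL. */
static const char *scan_to(const char *p, char stop)
{
    while (*p && *p != stop && *p != ';' && !isspace((unsigned char)*p))
        p++;
    return p;
}

/* The unchecked form is memcpy(ipbuf, str, q - str), where q - str is set
 * entirely by the caller's string. Here each length is compared with the
 * destination size (keeping one byte for the NUL) before the copy. */
int parse_sort_entry(const char *str, struct sort_entry *out)
{
    const char *q = scan_to(str, '/');
    size_t n = (size_t)(q - str);
    if (n == 0 || n >= sizeof(out->ip))
        return SORT_EBADSTR;
    memcpy(out->ip, str, n);
    out->ip[n] = '\0';
    out->ippfx[0] = '\0';
    if (*q == '/') {
        q = scan_to(q + 1, ';');
        n = (size_t)(q - str);
        if (n >= sizeof(out->ippfx))
            return SORT_EBADSTR;
        memcpy(out->ippfx, str, n);
        out->ippfx[n] = '\0';
    }
    return SORT_OK;
}

int main(void)
{
    struct sort_entry e;
    /* Constructed 40-character token, longer than either buffer: rejected. */
    return parse_sort_entry("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", &e) == SORT_EBADSTR ? 0 : 1;
}
```

The comparison uses `>=` rather than `>` so that a token exactly as long as the buffer is also rejected, since the terminating NUL needs one byte.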