forked from openwrt/packages
Fix CVE-2020-8277: Denial of Service through DNS request

c-ares/c-ares#371
c-ares/c-ares@0d252eb

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Showing 2 changed files with 51 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001 | ||
From: bradh352 <brad@brad-house.com> | ||
Date: Thu, 12 Nov 2020 10:24:40 -0500 | ||
Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than | ||
passed in | ||
|
||
If there are more ttls returned than the maximum provided by the requestor, then | ||
the *naddrttls response would be larger than the actual number of elements in | ||
the addrttls array. | ||
|
||
This bug could lead to invalid memory accesses in applications using c-ares. | ||
|
||
This behavior appeared to break with PR #257 | ||
|
||
Fixes: #371 | ||
Reported By: Momtchil Momtchev (@mmomtchev) | ||
Fix By: Brad House (@bradh352) | ||
--- | ||
src/lib/ares_parse_a_reply.c | 3 ++- | ||
src/lib/ares_parse_aaaa_reply.c | 3 ++- | ||
2 files changed, 4 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c | ||
index d8a9e9b5..e71c993f 100644 | ||
--- a/ares_parse_a_reply.c | ||
+++ b/ares_parse_a_reply.c | ||
@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen, | ||
|
||
if (naddrttls) | ||
{ | ||
- *naddrttls = naddrs; | ||
+ /* Truncated to at most *naddrttls entries */ | ||
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; | ||
} | ||
|
||
ares__freeaddrinfo_cnames(ai.cnames); | ||
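Review bot: on the added `*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;` line in ares_parse_a_reply, the caller's incoming `*naddrttls` is trusted as the array capacity with no lower bound, so a negative value passed in would be handed back unchanged as the entry count whenever naddrs exceeds it. Consider rejecting or zeroing a negative capacity before this block. The new comment could also state that `*naddrttls` is an in/out parameter (capacity of addrttls on entry, number of entries filled on return), since that contract is what the fix depends on and the hunk does not spell it out.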
diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c | ||
index 0d39bfa8..346d4307 100644 | ||
--- a/ares_parse_aaaa_reply.c | ||
+++ b/ares_parse_aaaa_reply.c | ||
@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen, | ||
|
||
if (naddrttls) | ||
{ | ||
- *naddrttls = naddrs; | ||
+ /* Truncated to at most *naddrttls entries */ | ||
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; | ||
} | ||
|
||
ares__freeaddrinfo_cnames(ai.cnames); |
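Review bot: the clamp added in ares_parse_aaaa_reply is a character-for-character copy of the one in ares_parse_a_reply, so a later correction to one parser can easily miss the other; a small shared helper or min-style macro would keep the two in step. Spacing the ternary as `(naddrs > *naddrttls) ? *naddrttls : naddrs` would also read more easily. Separately, the diffstat in the patch header names both files under src/lib/ while the `diff --git` and `---`/`+++` lines use the top-level path, so it is worth confirming the patch applies at the strip level this package uses. A regression test that parses a reply carrying more address records than the caller's capacity, for both A and AAAA, would cover the case the commit message describes.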