* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.htmlhttps://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
DNSSEC defines a number of response types that one me expect when the
DO bit is set. We don't process any of them, but since we do allow
setting the DO bit, skip them without logging an error since it is
only a nuisance.
Tested on x86_64.
[BZ #14841]
* resolv/gethnamaddr.c (getanswer): Skip logging if
RES_USE_DNSSEC is set.
* resolv/nss_dns/dns-host.c (getanswer_r): Likewise.
The code in gethnamaddr.c for gethostbyaddr used and set this macro to
allow multiple PTR records to be added as aliases. This was useful
for gethostbyaddr since it returns a hostent structure, which can
return aliases.
The gethnamaddr.c source however is unused in glibc since pretty much
forever. Instead, the DNS lookup bits for gethostbyaddr (as well as
getnameinfo) are implemented in dns-hosts.c and in that implementation
all but one (the first one) of the multiple PTR records are ignored.
Since gethnamaddr.c is essentially dead code, ignore that
implementation and replace the MULTI_PTRS_ARE_ALIASES bit with a
comment mentioning that bind adds PTR records as aliases while we
don't.
limit
[BZ #14307]
* sysdeps/posix/getaddrinfo.c (gaih_inet): Increase the size of
the temporary buffer used to invoke __gethostbyname2_r,
__gethostbyaddr_r and gethostbyname4_r to make room for struct
host_data / struct gaih_addrtuple.
* resolv/nss_dns/dns-host.c (global scope): Move definition of
implementation constants MAX_NR_ALIASES and MAX_NR_ADDRS to
header file nss/nsswitch.h.
* nss/nsswitch.h (global scope): Add definition of implementation
constants MAX_NR_ALIASES and MAX_NR_ADDRS (moved from
resolv/nss_dns/dns-host.c).
[BZ #13928] A DNS request consists of multiple resources combined into
a single hostent, including multiple CNAME records that may have been
assigned different TTL values. In such a case, nscd should take the
least TTL among all of the resources as the timeout for the hostent
before it is reloaded in its cache so that the hostent remains stale
in the database for the least amount of time.
With big DNS answers like the one you get for goodtimesdot.com you can
get a truncated address list if IPv6 mapping is enabled. Instead tell
the caller to resize the buffer.
ESRCH return value.
(_nss_dns_gethostbyname4_r): Likewise.
* resolv/res_init.c (__res_vinit): Initialize nscount to zero.
* sysdeps/posix/getaddrinfo.c (gaih_inet): In case we use
gethostbyname4_r, we don't have a separate IPv6 status, so copy
the no_data variable.
* include/resolv.h: Remove hidden proto declarations for __ns_*
functions. Add them for __dn_count_labels and __p_secstodate.
* include/arpa/nameser.h: Add a number of hidden proto declarations.
Define ns_msg_getflags macro here.
* resolv/res_debug.c: Add hidden definition for __dn_count_labels
and __p_secstodate.
* resolv/Versions: Export functions from <arpa/nameser.h> from
libresolv in version GLIBC_2.9.
* resolv/ns_name.c: Integrate changes from bind 9.5.0. Add necessary
hidden definitions.
* resolv/ns_netint.c: Likewise.
* resolv/ns_parse.c: Likewise.
* resolv/ns_print.c: Likewise.
* resolv/ns_samedomain.c: Likewise.
* resolv/ns_ttl.c: Likewise.
* resolv/arpa/nameser_compat.h: Likewise.
* resolv/arpa/nameser.h: Likewise. Remove macros which redirect
function calls.
* resolv/nss_dns/dns-canon.c (_nss_dns_getcanonname_r): Use __ns_get16
instead of ns_get16.
* resolv/nss_dns/dns-host.c (getanswer_r): Use __ns_get16 and
__ns_get32 instead of ns_get16 and ns_get32 respectively.
(gaih_getanswer_slice): Likewise.
* resolv/Makefile (libresolv-routines): Add ns_date.
* resolv/ns_date.c: New file.
Use it instead of locally defined resplen2 variable.
(res_nsend): Adjust for __libc_res_nsend interface change.
(send_vc): Initialize *resplen2 if necessary. Read length of
package into an appropriately aligned variable. Store converted length
in new variable and use it appropriately.
Add branch prediction help.
* resolv/res_query.c (__libc_res_nquery): Take additional parameter
and pass it on to __libc_res_nsend. Adjust all callers.
(__libc_res_nsearch): Likewise.
(__libc_res_nqeurydomain): Likewise.
* resolv/nss_dns/dns-host.c: Adjust for __libc_res_nsearch interface
change.
(_nss_dns_gethostbyname4): Don't unconditionally allocate tmp array.
Define resplen2 variable and pass it to __libc_res_nsearch and then
to gaih_getanswer.
(getanswer_r): In case of incorrect DNS data don't overread buffer.
Add branch prediction.
(gaih_getanswer_slice): Likewise. Check for invalid data types.
(gaih_getanswer): Don't decode second slice if first one failed due
to a too small buffer. Don't let not found status of second
decoder shadow results of the first.
* resolv/gethnamaddr.c (gethostbyname2): Adjust for __libc_res_nsearch
and __libc_res_nquery interface changes
(gethostbyaddr): Adjust for __libc_res_nquery interface change.
* include/resolv.h: Adjust prototypes for __libc_res_nquery,
__libc_res_nsearch, and __libc_res_nsend.
* resolv/nss_dns/dns-canon.c: Adjust for __libc_res_nquery interface
change.
* resolv/nss_dns/dns-network.c: Adjust for __libc_res_nquery and
__libc_res_nsearch interface changes.
no answers return NSS_STATUS_NOTFOUND.
(gaih_getanswer): Don't call gaih_getanswer_slice if the answer
buffer does not have any content.
* nscd/servicescache.c: Likewise.
prototypes.
* include/arpa/nameser_compat.h: Define T_UNSPEC.
* nis/Versions (libnss_nis): Export _nss_nis_gethostbyname4_r.
(libnss_nisplus): Export _nss_nisplus_gethostbyname4_r.
* nis/nss_nis/nis-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_nis_gethostbyname4_r): New function.
* nis/nss_nisplus/nisplus-hosts.c (_nss_nisplus_parse_hostent):
Change to also handle af==AF_UNSPEC.
(get_tablename): New function. Use it to avoid duplication.
(_nss_nisplus_gethostbyname4_r): New function.
* nscd/aicache.c (addhstaiX): Use gethostbyname4_r function is
available.
* nss/Versions (libnss_files): Export _nss_files_gethostbyname4_r.
* nss/nss.h: Define struct gaih_addrtuple.
* nss/nss_files/files-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_files_gethostbyname4_r): New function.
* resolv/Versions (libnss_dns): Export _nss_dns_gethostbyname4_r.
* resolv/gethnmaddr.c: Adjust __libc_res_nsearch and __libc_res_nquery
calls.
* resolv/res_query.c (__libc_res_nquery): Take two additional
parameters for second answer buffer. Handle type=T_UNSPEC to mean
look up IPv4 and IPv6.
Change all callers.
* resolv/res_send.c (__libc_res_nsend): Take five aditional parameters
for an additional query and answer buffer. Pass to send_vc and
send_dg.
(send_vc): Send possibly two requests and receive two answers.
(send_dg): Likewise.
* resolv/nss_dns/dns-host.c: Adjust calls to __libc_res_nsearch and
__libc_res_nquery.
(_nss_dns_gethostbyname4_r): New function.
(gaih_getanswer_slice): Likewise.
(gaih_getanswer): Likewise.
* resolv/nss_dns/dns-canon.c (_nss_dns_getcanonname_r): Adjust
__libc_res_nquery call.
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyaddr_r): Likewise.
(_nss_dns_getnetbyname_r): Adjust __libc_res_nsearch call.
* sysdeps/posix/getaddrinfo.c: Use gethostbyname4_r function is
available.
2008-02-25 Jakub Jelinek <jakub@redhat.com>
[BZ #5790]
* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyaddr2_r): Don't
overwrite *h_errnop/*errnop values from getanswer_r in case of
failure.
_nss_dns_getnetbyaddr2_r.
* resolv/nss_dns/dns-host.c: Define _nss_dns_getnetbyaddr2_r. Pass
extra parameter to getanswer_r.
(_nss_dns_getnetbyaddr_r): Now a wrapper around
_nss_dns_getnetbyaddr2_r.
2007-10-15 Ulrich Drepper <drepper@redhat.com>
[BZ #3425]
* resolv/nss_dns/dns-host.c (getanswer_r): Fail with
NSS_STATUS_NOTFOUND if the server replied with only a CNAME and no
address record to T_A/T_AAAA requests.
* intl/dcigettext.c (_nl_find_msg): Add a cast.
* nis/nis_clone_dir.c (nis_clone_directory): Use char * for ADDR.
* nis/nis_clone_obj.c (nis_clone_object): Likewise.
* nis/nis_clone_res.c (nis_clone_result): Likewise.
* resolv/nss_dns/dns-network.c (getanswer_r): Use const unsigned char *
for END_OF_MESSAGE and CP.
* resolv/res_send.c (send_dg): Add else branch for case impossible
unless `poll' is buggy.
* crypt/crypt_util.c (__setkey_r): Add a cast.
* locale/programs/linereader.c (get_toplvl_escape): Use size_t for
NBYTES, and unsigned char * for BYTES.
* locale/programs/charmap.c (charmap_new_char): Use size_t and
unsighed char * for NBYTES, BYTES parameters.
* sysdeps/generic/dl-hash.h (_dl_elf_hash): Take const char * argument
and cast it.
* sysdeps/i386/i686/dl-hash.h (_dl_elf_hash): Likewise.
* sunrpc/create_xid.c (_create_xid): Don't use unsigned long for RES.
* sunrpc/svcauth_des.c (_svcauth_des): Fix cast type.
* sunrpc/auth_des.c (authdes_create): Don't use u_char for PKEY_DATA.
(authdes_marshal): Don't use unsigned int for LEN.
* sunrpc/xdr.c (xdr_hyper): Don't use unsigned long for T2.
(xdr_u_hyper): Likewise.
(xdr_u_short): Don't use u_long for L.
* sunrpc/xdr_intXX_t.c (xdr_int64_t): Don't use uint32_t for T2.
* inet/rexec.c (rexec_af): Use socklen_t.
* sunrpc/key_call.c (getkeyserv_handle): Likewise.
* sunrpc/rtime.c (rtime): Likewise.
* resolv/res_send.c (send_vc, send_dg): Likewise.
* nis/nis_callback.c (__nis_create_callback): Likewise.
* sysdeps/generic/libc-start.c: Use unsigned int for nthreads ptr.
* sysdeps/posix/getaddrinfo.c (gaih_inet): Fix type of ADDR local.
* libio/libio.h (_IO_BE): Add parenthesis around EXPR.
* intl/dcigettext.c (INTVARDEF, INTUSE): Macros removed.
(_nl_default_dirname): Use libc_hidden_data_def instead of INTVARDEF.
(libc_freeres_fn, DCIGETTEXT): Don't use INTUSE.
* intl/bindtextdom.c (INTUSE): Macro removed.
(_nl_default_dirname): Use libc_hidden_proto.
(set_binding_values): Don't use INTUSE.
* include/libintl.h (_libc_intl_domainname_internal): Decl removed.
(_libc_intl_domainname): Use libc_hidden_proto.
* posix/regex_internal.h (gettext): Remove INTUSE on it.
* locale/SYS_libc.c (_libc_intl_domainname): Use libc_hidden_data_def
rather than INTDEF.
* include/libintl.h (_): Don't use *_internal name.
* ctype/ctype-extn.c (__ctype_tolower, __ctype_toupper): Use int32_t,
not uint32_t.
* locale/lc-ctype.c (_nl_postload_ctype): Likewise for assignments.
* iconv/gconv_open.c (__gconv_open): Remove useless cast.
[BZ #721]
* sysdeps/i386/dl-machine.h (ELF_MACHINE_NO_RELA): Define this outside
of [RESOLVE_MAP].
* sysdeps/sh/dl-machine.h (ELF_MACHINE_NO_REL): Likewise.
* sysdeps/powerpc/powerpc32/dl-machine.h
(elf_machine_rel, elf_machine_rel_relative): Removed.
* sysdeps/powerpc/powerpc64/dl-machine.h
(elf_machine_rel, elf_machine_rel_relative): Removed.
2005-02-03 Alexandre Oliva <aoliva@redhat.com>
[BZ #721]
* elf/dynamic-link.h: Don't declare nested auto functions that are
not going to be defined.
2004-07-23 Jakub Jelinek <jakub@redhat.com>
[BZ #284]
* include/features.h (_POSIX_SOURCE, _POSIX_C_SOURCE): Define
if _XOPEN_SOURCE >= 500 even if __STRICT_ANSI__ is defined.
2005-02-16 Roland McGrath <roland@redhat.com>