diff --git a/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch b/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..dcc11ad4f16a48e0388903e4be8f7961045d15cd --- /dev/null +++ b/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch @@ -0,0 +1,62 @@ +From ac596026e77244481fd68736ae7f15855803a08a Mon Sep 17 00:00:00 2001 +From: hopper-vul +Date: Tue, 13 Dec 2022 19:54:21 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Signed-off-by: hopper-vul +--- + ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/ares_init.c b/ares_init.c +index dffa518..e1fa82f 100644 +--- a/ares_init.c ++++ b/ares_init.c +@@ -2210,6 +2210,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2218,6 +2220,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index ff6c6c6..c3cb948 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -270,6 +270,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } +-- +2.33.0 \ No newline at end of file diff --git a/c-ares.spec b/c-ares.spec index 34fe5a5f3e732bf72aafdb1f158beffa8d7617b3..f46eb09c5fba6948a4c1fc66664b1091a4653fd5 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -1,6 +1,6 @@ Name: c-ares Version: 1.16.1 -Release: 3 +Release: 4 Summary: A C library for asynchronous DNS requests License: MIT @@ -16,6 +16,7 @@ Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch Patch4: CVE-2020-8277.patch Patch5: backport-001-CVE-2021-3672.patch Patch6: backport-002-CVE-2021-3672.patch +Patch7: backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch %description This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple @@ -58,6 +59,12 @@ make %{?_smp_mflags} %{_mandir}/man3/* %changelog +* Fri Feb 10 2023 xingwei - 1.16.1-4 +- Type:cves +- CVE:CVE-2022-4904 +- SUG:NA +- DESC:fix CVE-2022-4904 + * Thu Aug 12 2021 gaihuiying - 1.16.1-3 - fix CVE-2021-3672