diff --git a/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch b/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..99599a4d4c74a76a67fff7e4cc11eb78eb139cbc --- /dev/null +++ b/backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch @@ -0,0 +1,62 @@ +From ac596026e77244481fd68736ae7f15855803a08a Mon Sep 17 00:00:00 2001 +From: hopper-vul +Date: Tue, 13 Dec 2022 19:54:21 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Signed-off-by: hopper-vul +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index de5d86c..d5858f6 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index ff6c6c6..c3cb948 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -270,6 +270,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } +-- +2.33.0 diff --git a/c-ares.spec b/c-ares.spec index de0adbb19af37d9eacc75c03a62ebe62b565b768..22138a6bcb4f9bc1f04bb42d18cd626650466e1e 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -1,6 +1,6 @@ Name: c-ares Version: 1.18.1 -Release: 3 +Release: 4 Summary: A C library for asynchronous DNS requests License: MIT @@ -11,6 +11,7 @@ BuildRequires: gcc autoconf automake libtool g++ # Patch0 from Redhat is applied for stopping overriding AC_CONFIG_MACRO_DIR Patch0: 0000-Use-RPM-compiler-options.patch Patch1: backport-disable-live-tests.patch +Patch2: backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch %description This is c-ares, an asynchronous resolver library. It is intended for applications @@ -58,6 +59,12 @@ make %{?_smp_mflags} %{_mandir}/man3/* %changelog +* Fri Feb 10 2023 xingwei - 1.18.1-4 +- Type:cves +- CVE:CVE-2022-4904 +- SUG:NA +- DESC:fix CVE-2022-4904 + * Thu Jun 09 2022 gaihuiying - 1.18.1-3 - Type:bugfix - Id:NA