1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
Subject: Add str len check in config_sortlist to avoid stack overflow
Origin: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d
Bug: https://github.com/c-ares/c-ares/issues/496
Bug-Debian: https://bugs.debian.org/1031525
--- a/src/lib/ares_init.c
+++ b/src/lib/ares_init.c
@@ -2198,6 +2198,8 @@
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2206,6 +2208,8 @@
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
--- a/test/ares-test-init.cc
+++ b/test/ares-test-init.cc
@@ -270,6 +270,8 @@
TEST_F(DefaultChannelTest, SetSortlistFailures) {
EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
}
|
