Re: valunerability of glibc

[Andreas Schwab]

Tomohiro 'Tomo-p' KATO <address@hidden> writes:

|>  Dear Sir.
|> 
|>   Hello.
|> 
|>   I found some valunerabilities of glibc. Some pointers of buffer is 
incremented
|>  but length is not changed. It may cause buffer-overflow.

Thanks for your patches.

|> -- cut here ---- cut here ---- cut here ---- cut here ---- cut here ---- cut 
here --
|> diff -urN glibc-2.2.4.orig/glibc-compat/nss_dns/dns-host.c glibc-2.2.4/glibc-
|> compat/nss_dns/dns-host.c
|> --- glibc-2.2.4.orig/glibc-compat/nss_dns/dns-host.c Thu Jan 11 02:00:56 2001
|> +++ glibc-2.2.4/glibc-compat/nss_dns/dns-host.c      Fri Jul  5 04:23:14 2002
|> diff -urN glibc-2.2.4.orig/glibc-compat/nss_dns/dns-network.c 
glibc-2.2.4/glibc-
|> compat/nss_dns/dns-network.c
|> --- glibc-2.2.4.orig/glibc-compat/nss_dns/dns-network.c      Thu Jan 11 
02:00:56 2001
|> +++ glibc-2.2.4/glibc-compat/nss_dns/dns-network.c   Thu Jun 27 22:26:37 2002

These files are not part of glibc.

|> diff -urN glibc-2.2.4.orig/resolv/nss_dns/dns-network.c 
glibc-2.2.4/resolv/nss_dns/dns-
|> network.c
|> --- glibc-2.2.4.orig/resolv/nss_dns/dns-network.c    Tue Jul 10 03:57:48 2001
|> +++ glibc-2.2.4/resolv/nss_dns/dns-network.c Thu Jun 27 22:26:36 2002
|> @@ -328,7 +328,9 @@
|>          }
|>        cp += n;
|>        *alias_pointer++ = bp;
|> -      bp += strlen (bp) + 1;
|> +      n = strlen(bp) + 1;
|> +      bp += n;
|> +      linebuflen -= n;
|>        result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
|>        ++have_answer;
|>      }

This patch has already been checked into CVS, it will be included in the
next glibc release.

Andreas.

-- 
Andreas Schwab, SuSE Labs, address@hidden
SuSE Linux AG, Deutschherrnstr. 15-19, D-90429 Nürnberg
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."