vulnerability of glibc
From: Tomohiro 'Tomo-p' KATO
Subject: vulnerability of glibc
Date: Fri, 05 Jul 2002 13:45:09 +0900
Dear Sir.
Hello.
I found some vulnerabilities in glibc. Some buffer pointers are incremented
but the length is not changed. It may cause a buffer overflow.
I show a patch to fix these vulnerabilities. It was made by NISHIMURA Daisuke
<address@hidden> and me at the Vine Linux (see http://www.vinelinux.org/)
security team.
Regards,
Tomohiro 'Tomo-p' KATO <address@hidden>
-- cut here ---- cut here ---- cut here ---- cut here ---- cut here ---- cut here --
diff -urN glibc-2.2.4.orig/glibc-compat/nss_dns/dns-host.c glibc-2.2.4/glibc-
compat/nss_dns/dns-host.c
--- glibc-2.2.4.orig/glibc-compat/nss_dns/dns-host.c Thu Jan 11 02:00:56 2001
+++ glibc-2.2.4/glibc-compat/nss_dns/dns-host.c Fri Jul 5 04:23:14 2002
@@ -424,7 +424,7 @@
linebuflen -= n;
/* Get canonical name. */
n = strlen (tbuf) + 1; /* For the \0. */
- if ((size_t) n > buflen || n >= MAXHOSTNAMELEN)
+ if ((size_t) n > linebuflen || n >= MAXHOSTNAMELEN)
{
++had_error;
continue;
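Review bot: the new test "(size_t) n > linebuflen" compares an unsigned cast of n against linebuflen, whose declaration is not in this hunk; a later hunk compares "n >= linebuflen" with no cast, which suggests a signed counter. If linebuflen is signed and an earlier "linebuflen -= n;" has taken it below zero, it converts to a very large unsigned value here and the check passes. Suggest rejecting a non-positive linebuflen first, or doing the comparison in a single signedness.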
@@ -447,7 +447,7 @@
cp += n;
/* Get canonical name. */
n = strlen (tbuf) + 1; /* For the \0. */
- if ((size_t) n > buflen || n >= MAXHOSTNAMELEN)
+ if ((size_t) n > linebuflen || n >= MAXHOSTNAMELEN)
{
++had_error;
continue;
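Review bot: this is a second copy of the condition changed in the hunk at -424, and the context above it shows only "cp += n;" with no "linebuflen -= n;" as at the first site, so it is worth confirming that linebuflen is up to date on this path as well. Folding the test into one helper or macro used at both sites would keep the two from diverging again.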
@@ -542,7 +542,12 @@
linebuflen -= nn;
}
- bp += sizeof (align) - ((u_long) bp % sizeof (align));
+ {
+ register int nn;
+ nn = sizeof (align) - ((u_long) bp % sizeof (align));
+ bp += nn;
+ linebuflen -= nn;
+ }
if (n >= linebuflen)
{
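Review bot: "linebuflen -= nn;" in the new block runs with no check that nn fits in what is left, so the counter can drop below zero (or wrap, if it is unsigned) before "if (n >= linebuflen)" is evaluated. Suggest comparing nn with linebuflen and taking the error path before bp is adjusted. Two smaller points: the block-scoped "register int nn" reuses the name nn that the context line "linebuflen -= nn;" just above already uses, and it stores a size_t expression in an int; a distinct name of type size_t would read more clearly.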
diff -urN glibc-2.2.4.orig/glibc-compat/nss_dns/dns-network.c glibc-2.2.4/glibc-
compat/nss_dns/dns-network.c
--- glibc-2.2.4.orig/glibc-compat/nss_dns/dns-network.c Thu Jan 11 02:00:56 2001
+++ glibc-2.2.4/glibc-compat/nss_dns/dns-network.c Thu Jun 27 22:26:37 2002
@@ -283,7 +283,9 @@
}
cp += n;
*alias_pointer++ = bp;
- bp += strlen (bp) + 1;
+ n = strlen(bp) + 1;
+ bp += n;
+ linebuflen -= n;
result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
++have_answer;
}
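Review bot: "n = strlen(bp) + 1;" measures a string that is already in the buffer, so the added "linebuflen -= n;" only corrects the bookkeeping after the write, and nothing visible in this hunk checks that linebuflen is still positive afterwards. Suggest confirming that the bound is enforced where the name is copied into bp, and adding a check here if it is not. Style: the removed line wrote "strlen (bp)" with a space before the parenthesis, and the new line drops it.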
diff -urN glibc-2.2.4.orig/resolv/nss_dns/dns-network.c
glibc-2.2.4/resolv/nss_dns/dns-
network.c
--- glibc-2.2.4.orig/resolv/nss_dns/dns-network.c Tue Jul 10 03:57:48 2001
+++ glibc-2.2.4/resolv/nss_dns/dns-network.c Thu Jun 27 22:26:36 2002
@@ -328,7 +328,9 @@
}
cp += n;
*alias_pointer++ = bp;
- bp += strlen (bp) + 1;
+ n = strlen(bp) + 1;
+ bp += n;
+ linebuflen -= n;
result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
++have_answer;
}
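Review bot: dns-network.c is patched in both glibc-compat/nss_dns and resolv/nss_dns, but the dns-host.c hunks above touch only glibc-compat/nss_dns; please state whether resolv/nss_dns/dns-host.c was checked for the same pattern. Within this hunk, reusing n after "cp += n;" is safe only because cp has already been advanced, so a short comment that n now holds the alias length would help, and "strlen(bp)" should keep the "strlen (bp)" spacing of the line it replaces.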
-- cut here ---- cut here ---- cut here ---- cut here ---- cut here ---- cut here --
-- ________________________________
_/_/ Tomohiro "Tomo-p" KATO
_/_/ e-mail : address@hidden
_/_/ http://www.teamgedoh.net/
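
The accounting bug described in the message above (a write pointer is advanced while the remaining-length counter is left unchanged), as an added C example that is not part of the original post or of glibc. The names cursor, put_str, pack and demo and the sample hostnames are constructed for illustration, and the backing array is deliberately larger than the advertised limit so the pre-patch pattern can be observed without writing out of bounds.

```c
#include <stddef.h>
#include <string.h>

/* Cursor into a caller-supplied buffer: write position plus bytes left. */
struct cursor { char *bp; size_t left; };

/* Copy s (with its NUL) at the cursor; 0 on success, -1 if it does not fit.
   account == 0 reproduces the pre-patch pattern: bp moves, left does not. */
static int put_str(struct cursor *c, const char *s, int account)
{
    size_t n = strlen(s) + 1;           /* For the \0. */
    if (n > c->left)
        return -1;
    memcpy(c->bp, s, n);
    c->bp += n;
    if (account)
        c->left -= n;                   /* the step the patch adds */
    return 0;
}

/* Pack names until one is rejected; return bytes consumed from base. */
size_t pack(char *base, size_t limit, const char **names, size_t count,
            int account)
{
    struct cursor c = { base, limit };
    for (size_t i = 0; i < count; i++)
        if (put_str(&c, names[i], account) != 0)
            break;
    return (size_t)(c.bp - base);
}

/* Constructed sample: 64 bytes of backing store, but the packer is told 16,
   so an overrun of the advertised limit stays inside real memory. */
size_t demo(int account)
{
    static char backing[64];
    const char *names[] = { "alpha.example", "beta.example", "gamma.example" };
    return pack(backing, 16, names, 3, account);
}
```

With accounting, the second name is rejected and 14 bytes are used; without it, every name passes the stale length check and 41 bytes are written against a 16-byte limit.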