Date: Fri, 5 Apr 2013 11:58:27 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: glibc getaddrinfo() stack overflow

On Wed, Apr 03, 2013 at 01:10:21PM +0200, Marcus Meissner wrote:
> Hi,
> 
> A customer reported a glibc crash, which turned out to be a stack overflow in
> getaddrinfo().
> 
> getaddrinfo() uses:
> 	struct sort_result results[nresults];
> with nresults controlled by the nameservice chain (DNS or /etc/hosts).
> 
> This will be visible mostly on threaded applications with smaller stacksizes,
> or operating near out of stack.
> 
> Reproducer I tried:
> 	$ for i in `seq 1 10000000`; do echo "ff00::$i a1" >>/etc/hosts; done
> 	$ ulimit -s 1024
> 	$ telnet a1
> 	Segmentation fault
> 	(clean out /etc/hosts again )
> 
> 
> I am not sure you can usually push this amount of addresses via DNS for all
> setups.
> 
> Andreas is currently pushing the patch to glibc GIT.
> 
> Reference:
> https://bugzilla.novell.com/show_bug.cgi?id=813121

Upstream GLIBC commit is:
http://sourceware.org/git/?p=glibc.git;a=commit;h=1cef1b19089528db11f221e938f60b9b048945d7

Ciao, Marcus
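
The allocation pattern described in the report, with one common way to bound it, as an added example that is not part of the original message and is not glibc's code. The `struct sort_result` fields, `STACK_LIMIT`, `sort_results_bounded()` and `demo()` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for glibc's struct sort_result; the fields are assumptions. */
struct sort_result { int family; unsigned char addr[16]; int order; };
#define STACK_LIMIT 4096 /* assumed per-call stack budget in bytes */
static int by_order(const void *a, const void *b)
{
    const struct sort_result *x = a, *y = b;
    return (x->order > y->order) - (x->order < y->order);
}

/* Unbounded pattern from the report: struct sort_result results[nresults];
 * Here the stack buffer has a fixed size and larger counts go to the heap.
 * Returns 0 (stack path), 1 (heap path) or -1 (overflow or out of memory). */
int sort_results_bounded(const struct sort_result *in, size_t n,
                         struct sort_result *out)
{
    struct sort_result small[STACK_LIMIT / sizeof(struct sort_result)];
    struct sort_result *results = small;
    if (n > SIZE_MAX / sizeof *results)      /* n * size would wrap */
        return -1;
    if (n > sizeof small / sizeof small[0]) {
        results = malloc(n * sizeof *results);
        if (results == NULL) return -1;
    }
    memcpy(results, in, n * sizeof *results);
    qsort(results, n, sizeof *results, by_order);
    memcpy(out, results, n * sizeof *results);
    if (results != small) { free(results); return 1; }
    return 0;
}

/* Constructed input: n descending records. Returns the path taken, or -2 if unsorted. */
int demo(size_t n)
{
    struct sort_result *in = calloc(n, sizeof *in), *out = calloc(n, sizeof *out);
    int rc = -1;
    if (in && out) {
        for (size_t i = 0; i < n; i++) in[i].order = (int)(n - i);
        rc = sort_results_bounded(in, n, out);
        for (size_t i = 1; rc >= 0 && i < n; i++)
            if (out[i - 1].order > out[i].order) rc = -2;
    }
    free(in); free(out);
    return rc;
}
```

With this shape, stack use per call stays at or below `STACK_LIMIT` regardless of how many addresses the name service returns, and an allocation failure becomes an error return instead of a crash.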
