Message-ID: <20150127171045.GX4574@brightrain.aerifal.cx>
Date: Tue, 27 Jan 2015 12:10:46 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: gethostbyname buffer overflow (glibc)

On Tue, Jan 27, 2015 at 05:59:36PM +0100, Daniel Cegiełka wrote:
> eg from:
>
> http://www.openwall.com/lists/oss-security/2015/01/27/9
>
> # gcc ghost.c && ./a.out
> should not happen
>
>
>   retval = gethostbyname_r(name, &resbuf, temp.buffer,
>                            sizeof(temp.buffer), &result, &herrno);
>
>   if (strcmp(temp.canary, CANARY) != 0) {
>     puts("vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   if (retval == ERANGE) {
>     puts("not vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   puts("should not happen");
>   exit(EXIT_FAILURE);
>
> Double exit. Is something wrong with gethostbyname_r() in musl?

I'm not sure what you mean by "double exit". As far as I can tell,
musl just detects errors in a different order, and returns ENOENT (2)
rather than ERANGE because the name is not valid.

Rich
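
Added example, not part of the original message and not taken from ghost.c: a canary check in the style of the quoted fragment that does not assume which error a libc reports first, so an ENOENT return with the canary intact no longer falls through to "should not happen". The struct layout, the CANARY value, the outcome names and the probe name are constructed for illustration; the name only exercises the error-ordering difference described in the reply.

```c
#define _GNU_SOURCE                      /* gethostbyname_r is a GNU extension */
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "canary-constructed"      /* constructed marker value */
enum outcome { OVERFLOWED, REJECTED, RESOLVED };

/* Adjacent char arrays: a write past buffer lands in canary. */
static struct { char buffer[1024]; char canary[sizeof(CANARY)]; } temp;

/* Interpret the observations without assuming ERANGE is the only error. */
enum outcome classify(int canary_intact, int retval, int found)
{
    if (!canary_intact)
        return OVERFLOWED;   /* the quoted test prints "vulnerable" here */
    if (retval != 0 || !found)
        return REJECTED;     /* ERANGE, ENOENT or not found: no overflow seen */
    return RESOLVED;         /* lookup succeeded; says nothing about the bug */
}

enum outcome probe(const char *name, int *retval_out)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0, retval;

    memcpy(temp.canary, CANARY, sizeof(CANARY));
    retval = gethostbyname_r(name, &resbuf, temp.buffer,
                             sizeof(temp.buffer), &result, &herrno);
    if (retval_out)
        *retval_out = retval;
    return classify(memcmp(temp.canary, CANARY, sizeof(CANARY)) == 0,
                    retval, result != NULL);
}

/* Constructed input: an all-digit name that fills a buffer-sized array. */
enum outcome probe_constructed_name(int *retval_out)
{
    char name[sizeof(temp.buffer)];
    memset(name, '0', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    return probe(name, retval_out);
}

int main(void)
{
    static const char *const label[] = { "overflowed", "rejected", "resolved" };
    int retval = 0;
    enum outcome o = probe_constructed_name(&retval);
    printf("%s (retval=%d)\n", label[o], retval);
    return o == OVERFLOWED;
}
```

The printed retval shows which error the libc in use detected first for this name.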