Message-ID: <CAPLrYET+_akiOs3+Cruf=5ri-Cf-Kot457x_XL34WtnQZdjjAA@mail.gmail.com>
Date: Tue, 27 Jan 2015 18:23:32 +0100
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: musl@...ts.openwall.com
Subject: Re: gethostbyname buffer overflow (glibc)

2015-01-27 18:10 GMT+01:00 Rich Felker <dalias@...c.org>:
> On Tue, Jan 27, 2015 at 05:59:36PM +0100, Daniel Cegiełka wrote:
>> eg from:
>>
>> http://www.openwall.com/lists/oss-security/2015/01/27/9
>>
>> # gcc ghost.c && ./a.out
>> should not happen
>>
>>
>>     retval = gethostbyname_r(name, &resbuf, temp.buffer,
>>                              sizeof(temp.buffer), &result, &herrno);
>>
>>     if (strcmp(temp.canary, CANARY) != 0) {
>>         puts("vulnerable");
>>         exit(EXIT_SUCCESS);
>>     }
>>     if (retval == ERANGE) {
>>         puts("not vulnerable");
>>         exit(EXIT_SUCCESS);
>>     }
>>     puts("should not happen");
>>     exit(EXIT_FAILURE);
>>
>> Double exit. Is something wrong with gethostbyname_r() in musl?
>
> I'm not sure what you mean by "double exit".

ghost.c returns EXIT_FAILURE instead of EXIT_SUCCESS, which is checked in two cases (only)...

> As far as I can tell,
> musl just detects errors in a different order, and returns ENOENT (2)
> rather than ERANGE because the name is not valid.

... and yes, ghost.c should also check the other errors.

thx

> Rich
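The point the thread arrives at is that ghost.c only anticipates two outcomes (a corrupted canary or ERANGE) and labels everything else "should not happen", whereas gethostbyname_r() may legitimately return other codes, such as musl's ENOENT for a name it rejects. The following added example (written for this page, not code from the thread, from musl or from glibc) shows the robust calling pattern a caller should use instead: treat ERANGE as "buffer too small, grow and retry", and treat every other non-zero return as a real lookup error to be reported, never as an impossible state. The function name `resolve_grow`, the growth cap and the numeric test name are this example's own choices.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `name` with gethostbyname_r(), doubling the scratch buffer for as
 * long as the call reports ERANGE (the "not vulnerable" path in ghost.c).
 * Returns 0 on success with the first address written to `out` as text, or
 * the non-zero code the lookup failed with (e.g. ENOENT on musl for a name
 * it rejects). `*erange_seen` records whether ERANGE occurred at all.
 * `initial` is deliberately allowed to be tiny so the retry path is exercised. */
int resolve_grow(const char *name, size_t initial, char *out, size_t outlen,
                 int *erange_seen)
{
    struct hostent he, *res = NULL;
    size_t len = initial ? initial : 1;
    char *buf = NULL;
    int herr = 0, rc;

    *erange_seen = 0;
    for (;;) {
        char *nb = realloc(buf, len);
        if (!nb) { free(buf); return ENOMEM; }
        buf = nb;
        rc = gethostbyname_r(name, &he, buf, len, &res, &herr);
        if (rc != ERANGE)
            break;                      /* success or a genuine error */
        *erange_seen = 1;
        if (len >= (1u << 20)) break;   /* refuse to grow without bound */
        len *= 2;
    }
    if (rc != 0 || res == NULL) {       /* do NOT assume "cannot happen" */
        free(buf);
        return rc != 0 ? rc : (herr != 0 ? herr : -1);
    }
    if (!inet_ntop(res->h_addrtype, res->h_addr_list[0], out, outlen)) {
        free(buf);
        return errno;
    }
    free(buf);
    return 0;
}
```

A dotted-quad literal such as 127.0.0.1 is parsed by the resolver itself without any DNS traffic, so the function can be exercised offline.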