Skip to content

Commit

Permalink
c-ares:fix CVE-2022-4904 buffer overflow in config_sortlist() due to …
Browse files Browse the repository at this point in the history
…missing string length check

Source: c-ares/c-ares@9903253
MR: 125266
Type: Security Fix
Disposition: Backport from c-ares/c-ares@9903253
ChangeID: 33b40926ed3ed7620434f30ff30874e241a3257c
Description:

Add str len check in config_sortlist to avoid stack overflow (openembedded#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.

However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.

This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.

fixes openembedded#496

Fix By: @hopper-vul

Upstream-Status: Backport [c-ares/c-ares@9903253]
CVE: CVE-2022-4904
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
  • Loading branch information
VKumbhar24 authored and jpuhlman committed Mar 23, 2023
1 parent 74689a2 commit 0699307
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 1 deletion.
48 changes: 48 additions & 0 deletions meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
From 2aa53d00147001301482d26c1ad1b12cdd1dc6b4 Mon Sep 17 00:00:00 2001
From: Vivek Kumbhar <vkumbhar@mvista.com>
Date: Tue, 21 Mar 2023 03:52:30 +0000
Subject: [PATCH] CVE-2022-4904

---
ares_init.c | 4 ++++
test/ares-test-init.cc | 2 ++
2 files changed, 6 insertions(+)

diff --git a/ares_init.c b/ares_init.c
index f7b700b..5aad7c8 100644
--- a/ares_init.c
+++ b/ares_init.c
@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
index 66570ac..cd65e77 100644
--- a/test/ares-test-init.cc
+++ b/test/ares-test-init.cc
@@ -265,6 +265,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {

TEST_F(DefaultChannelTest, SetSortlistFailures) {
EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
}
--
2.18.2

3 changes: 2 additions & 1 deletion meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f4b026880834eb01c035c5e5cb47ccac"
SRCREV = "3be1924221e1326df520f8498d704a5c4c8d0cce"
PV = "1.13.0+gitr${SRCPV}"

PR .= ".1"
PR .= ".2"

SRC_URI = "\
git://github.com/c-ares/c-ares.git \
file://cmake-install-libcares.pc.patch \
file://0001-CVE-2021-3672.patch \
file://CVE-2022-4904.patch \
"

S = "${WORKDIR}/git"
Expand Down

0 comments on commit 0699307

Please sign in to comment.