FYI, https://android-review.googlesource.com/c/platform/bionic/+/1093130 fixes a bug recently found by fuzzing the DNS code we share with NetBSD.
---------- Forwarded message ---------
Subject: Change in aosp/bionic[master]: [fuzzers] Test for ns_parserr() and got a heap-buffer-overflow

Bruce Chen would like Elliott Hughes to review this change.

Test for ns_parserr() and got a heap-buffer-overflow

In ns_name_skip of ns_name.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Bug: 137346580
Test: built, flashed, booted
Test: ns_parserr_fuzzer test
Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37
---
M libc/dns/nameser/ns_name.c
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c index 3a202c1..c2dc80f 100644 --- a/libc/dns/nameser/ns_name.c +++ b/libc/dns/nameser/ns_name.c @@ -692,7 +692,7 @@ { const u_char *cp; u_int n; - int l; + int l=0; cp = *ptrptr; while (cp < eom && (n = *cp++) != 0) { @@ -702,7 +702,7 @@ cp += n; continue; case NS_TYPE_ELT: /* EDNS0 extended label */ - if ((l = labellen(cp - 1)) < 0) { + if (cp < eom && (l = labellen(cp - 1)) < 0) { errno = EMSGSIZE; /* XXX */ return(-1); }

To view, visit change 1093130.
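Review bot: in the first hunk (`- int l;` / `+ int l=0;`), the initialization is only needed because the second hunk's new `cp < eom &&` guard can now skip the `labellen()` call that previously always assigned `l`, so the zero default is presumably what keeps any later use of `l` defined on the `cp >= eom` path; a one-line comment saying so would stop the next reader from removing it as a gratuitous change, and the spacing should match the surrounding declarations (`int l = 0;`). If the second hunk is instead changed to report EMSGSIZE directly when `cp >= eom`, this hunk becomes unnecessary.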
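Review bot: in the second hunk, `if (cp < eom && (l = labellen(cp - 1)) < 0)` turns a truncated EDNS0 label into a silent non-error: when `cp >= eom` the whole condition is false, so `errno = EMSGSIZE; return(-1);` is never reached and the walk continues with whatever `l` holds. Writing it as `if (cp >= eom || (l = labellen(cp - 1)) < 0)` reports EMSGSIZE at the point where the truncation is detected, matches how the existing `labellen()` failure is already reported, and removes the need for the `l=0` default in the first hunk. The guard also only guarantees that the single byte at `cp` is readable; the commit message should state whether `labellen()` can read more than one byte past the type octet at `cp - 1`, since otherwise this check is still short of the actual length that `labellen()` consumes.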