oss-sec mailing list archives
Re: CVE Request: glibc getaddrinfo() stack overflow
From: Marcus Meissner <meissner () suse de>
Date: Fri, 5 Apr 2013 11:58:27 +0200
On Wed, Apr 03, 2013 at 01:10:21PM +0200, Marcus Meissner wrote:
Hi,
A customer reported a glibc crash, which turned out to be a stack overflow in
getaddrinfo().
getaddrinfo() uses:
struct sort_result results[nresults];
with nresults controlled by the nameservice chain (DNS or /etc/hosts).
This will be visible mostly on threaded applications with smaller stacksizes,
or operating near out of stack.
Reproducer I tried:
$ for i in `seq 1 10000000`; do echo "ff00::$i a1" >>/etc/hosts; done
$ ulimit -s 1024
$ telnet a1
Segmentation fault
(clean out /etc/hosts again)
I am not sure you can usually push this amount of addresses via DNS for all
setups.
Andreas is currently pushing the patch to glibc GIT.
Reference:
https://bugzilla.novell.com/show_bug.cgi?id=813121
Upstream GLIBC commit is:
http://sourceware.org/git/?p=glibc.git;a=commit;h=1cef1b19089528db11f221e938f60b9b048945d7

Ciao, Marcus
