From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: glibc-bugs-owner@sourceware.org
From: "siddhesh at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug network/16071] Segmentation fault in getaddrinfo() when processing entry mapping to long list of AF_INET address structures
Date: Wed, 30 Oct 2013 10:50:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: network
X-Bugzilla-Version: 2.18
X-Bugzilla-Severity: normal
X-Bugzilla-Who: siddhesh at redhat dot com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: siddhesh at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: bug_status resolution
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-10/txt/msg00365.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=16071

Siddhesh Poyarekar changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Siddhesh Poyarekar ---
Fixed in master:

commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
Author: Siddhesh Poyarekar
Date:   Wed Oct 30 16:13:37 2013 +0530

    Fix reads for sizes larger than INT_MAX in AF_INET lookup

    Currently for AF_INET lookups from the hosts file, buffer sizes larger
    than INT_MAX silently overflow and may result in access beyond bounds
    of a buffer. This happens when the number of results in an AF_INET
    lookup in /etc/hosts is very large.

    There are two aspects to the problem. One problem is that the size
    computed from the buffer size is stored into an int, which results in
    overflow for large sizes. Additionally, even if this size was expanded,
    the function used to read content into the buffer (fgets) accepts only
    int sizes. As a result, the fix is to have a function wrap around fgets
    that calls it multiple times with int sizes if necessary.

 ChangeLog                 |  8 ++++++++
 NEWS                      |  2 +-
 nss/nss_files/files-XXX.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 60 insertions(+), 9 deletions(-)

--
You are receiving this mail because:
You are on the CC list for the bug.
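The kind of fgets wrapper the commit message describes, written here as an added illustration (it is not the glibc patch): the buffer length is kept as size_t throughout, and fgets is called repeatedly with a size that always fits in an int until the line or the buffer ends. The chunk parameter and the demo_read_long_line driver are assumptions introduced for this example so that a small buffer exercises the multi-call path; a real wrapper would cap at INT_MAX only.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the glibc code: the buffer length stays size_t
 * (no narrowing to int) and fgets is called repeatedly with a size that
 * always fits in an int.  `chunk' is an assumed parameter so small buffers
 * exercise the loop.  Returns buf, or NULL if nothing could be read. */
char *fgets_chunked(char *buf, size_t len, FILE *fp, size_t chunk)
{
  size_t done = 0;
  if (len == 0 || chunk < 2)
    return NULL;
  while (done < len - 1) {
    size_t want = len - done;               /* remaining space, incl. NUL */
    if (want > chunk)
      want = chunk;
    if (want > (size_t) INT_MAX)            /* fgets only takes an int */
      want = INT_MAX;
    if (fgets(buf + done, (int) want, fp) == NULL)
      break;                                /* EOF or error */
    size_t got = strlen(buf + done);
    done += got;
    if (got == 0 || buf[done - 1] == '\n')  /* whole line is in */
      break;
  }
  return done == 0 ? NULL : buf;
}

/* Constructed input: a line of `line_len' letters, then "second".  Reads both
 * back through the wrapper; returns 1 if they match, 0 otherwise, -1 on
 * setup failure. */
int demo_read_long_line(size_t line_len, size_t chunk)
{
  char buf[4096];
  FILE *fp; int ok = 0;
  if (line_len + 1 >= sizeof buf || (fp = tmpfile()) == NULL)
    return -1;
  for (size_t i = 0; i < line_len; i++)
    fputc('a' + (int) (i % 26), fp);
  fputs("\nsecond\n", fp);
  rewind(fp);
  if (fgets_chunked(buf, sizeof buf, fp, chunk) != NULL
      && strlen(buf) == line_len + 1 && buf[line_len] == '\n'
      && fgets_chunked(buf, sizeof buf, fp, chunk) != NULL
      && strcmp(buf, "second\n") == 0
      && fgets_chunked(buf, sizeof buf, fp, chunk) == NULL)
    ok = 1;
  fclose(fp);
  return ok;
}
```

With chunk set to 16, a 1000-byte line is assembled from 67 fgets calls, and the newline and EOF checks behave exactly as a single fgets call would.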