From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 124182 invoked by alias); 14 Jul 2015 21:54:50 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 124137 invoked by uid 48); 14 Jul 2015 21:54:45 -0000 From: "rhollida at ciena dot com" To: glibc-bugs@sourceware.org Subject: [Bug network/18665] In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer. Date: Tue, 14 Jul 2015 21:54:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: network X-Bugzilla-Version: 2.20 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: rhollida at ciena dot com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-07/txt/msg00106.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=18665 --- Comment #4 from Robert --- Overview: A condition occurs when the recvfrom function receives data using a newly created buffer but does not use the newly created buffer size then the buffer is accessed and causes the program to crash. In send_dg in res_send.c -referencing lines in res_send.c from glibc-2.21 Conditions that create the crash. 1. Receive a packet that fills up the buffer, 2048 bytes, used in the recvfrom function on line 1282. 2. The aligned_resplen calculation, on line 1243, becomes 0. (buffer size - packet size received = 0) 3. The condition on line 1268 is met; *thisanssizp < *thisresplenp, (the calculated size left < the received size), 0 < 2048,. and a new buffer is created at line 1271 with buffer size MAXPACKET; 4. The recvfrom function on line, 1282, now uses the newly created buffer to receive DNS data, ISSUE: The recvfrom function is NOT using the buffer size from the newly created buffer, but from the aligned_resplen calculation which was 0. The recvfrom function is reading 0 bytes into the new buffer, and should be reading MAXPACKET bytes into the buffer. 5. The res_queriematch function attempts to use the data read into the buffer: thisansp, at location: thisansp + thisanssizp, these are invalid pointers, and cause the program to crash. -- You are receiving this mail because: You are on the CC list for the bug.