Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.28 COMMITTED] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
Message-Id: <20181127203725.05B924399457D@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)

2018-11-27 Florian Weimer

[BZ #23927]
CVE-2018-19591
* sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid descriptor leak in case of ENODEV error.

diff --git a/NEWS b/NEWS index e5ca5903ec..5290e21da9 100644 --- a/NEWS +++ b/NEWS @@ -25,7 +25,13 @@ The following bugs are resolved with this release: [23717] Fix stack overflow in stdlib/tst-setcontext9 [23821] si_band in siginfo_t has wrong type long int on sparc64 [23822] ia64 static libm.a is missing exp2f, log2f and powf symbols + [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591) +Security related changes: + + CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a + denial of service due to resource exhaustion when processing getaddrinfo + calls with crafted host names. Reported by Guido Vranken. Version 2.28 diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c index e3d08982d9..782fc5e175 100644 --- a/sysdeps/unix/sysv/linux/if_index.c +++ b/sysdeps/unix/sysv/linux/if_index.c @@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname) return 0; #else struct ifreq ifr; - int fd = __opensock (); - - if (fd < 0) - return 0; - if (strlen (ifname) >= IFNAMSIZ) { __set_errno (ENODEV); @@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname) } strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); + + int fd = __opensock (); + + if (fd < 0) + return 0; + if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0) { int saved_errno = errno;
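
Review bot: In the second sysdeps/unix/sysv/linux/if_index.c hunk, the relocated "int fd = __opensock ();" now depends on every early return coming before it, but nothing in the visible patch records that ordering requirement or exercises it. Suggest a one-line comment above the call stating that the socket is opened only after the "strlen (ifname) >= IFNAMSIZ" check so the ENODEV path cannot leak a descriptor, and a regression test that calls if_nametoindex repeatedly with a name of IFNAMSIZ or more characters and checks that the count of open descriptors does not grow.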