* [2.26 COMMITTED] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
@ 2018-01-01 0:00 Florian Weimer
0 siblings, 0 replies; only message in thread
From: Florian Weimer @ 2018-01-01 0:00 UTC (permalink / raw)
To: libc-stable
(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)
2018-11-27 Florian Weimer <fweimer@redhat.com>
[BZ #23927]
CVE-2018-19591
* sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid
descriptor leak in case of ENODEV error.
diff --git a/NEWS b/NEWS
index 3c708d2903..f6d26425ff 100644
--- a/NEWS
+++ b/NEWS
@@ -82,6 +82,10 @@ Security related changes:
architecture could write beyond the target buffer, resulting in a buffer
overflow. Reported by Andreas Schwab.
+ CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a
+ denial of service due to resource exhaustion when processing getaddrinfo
+ calls with crafted host names. Reported by Guido Vranken.
+
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
@@ -158,6 +162,7 @@ The following bugs are resolved with this release:
[23562] signal: Use correct type for si_band in siginfo_t
[23579] libc: Errors misreported in preadv2
[23709] Fix CPU string flags for Haswell-type CPUs
+ [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
\f
Version 2.26
diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c
index a874634d52..b620d21936 100644
--- a/sysdeps/unix/sysv/linux/if_index.c
+++ b/sysdeps/unix/sysv/linux/if_index.c
@@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname)
return 0;
#else
struct ifreq ifr;
- int fd = __opensock ();
-
- if (fd < 0)
- return 0;
-
if (strlen (ifname) >= IFNAMSIZ)
{
__set_errno (ENODEV);
@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname)
}
strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
+
+ int fd = __opensock ();
+
+ if (fd < 0)
+ return 0;
+
if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0)
{
int saved_errno = errno;
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-11-27 20:49 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-01 0:00 [2.26 COMMITTED] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927] Florian Weimer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).