Skip to content

net: sockets: getaddrinfo() buffer overflow, etc. fixes #6158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 13, 2018
Merged

net: sockets: getaddrinfo() buffer overflow, etc. fixes #6158

merged 1 commit into from
Feb 13, 2018

Conversation

pfalcon
Copy link
Contributor

@pfalcon pfalcon commented Feb 12, 2018

The existing implementation assumed DNS resolv callback will be
called just once, but that's not always the case (apparently,
for multi-homes hosts or something). So, apply array bounds
checking. In this case, port number wasn't set in each entry too,
so rework how it's done.

The issues discovered while resolving archive.ubuntu.com.

Signed-off-by: Paul Sokolovsky [email protected]

@codecov-io
Copy link

codecov-io commented Feb 12, 2018
edited
Loading

Codecov Report

Merging #6158 into master will decrease coverage by <.01%.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #6158      +/-   ##
==========================================
- Coverage   52.88%   52.87%   -0.01%     
==========================================
  Files         412      412              
  Lines       40274    40278       +4     
  Branches     7801     7802       +1     
==========================================
  Hits        21297    21297              
- Misses      15761    15765       +4     
  Partials     3216     3216
Impacted Files Coverage Δ
subsys/net/lib/sockets/getaddrinfo.c 0% <0%> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d0c2be7...3953714. Read the comment docs.

@lpereira lpereira modified the milestones: v1.11.0, v1.10.1 Feb 12, 2018
lpereira
lpereira suggested changes Feb 12, 2018
View reviewed changes
Copy link
Member

@lpereira lpereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Please also modify line 34 so that the pointer isn't even calculated if state->idx is out of bounds (it's undefined behavior); I can't seem to be able to comment in that line as it's not part of your patch.

@lpereira lpereira added the priority: high High impact/importance bug label Feb 12, 2018
@pfalcon
Copy link
Contributor Author

pfalcon commented Feb 12, 2018

the pointer isn't even calculated if state->idx is out of bounds (it's undefined behavior);

Are you sure that calculation is undefined behavior? Maybe accessing a pointer calculated in such a manner is undefined behavior?

@lpereira
Copy link
Member

lpereira commented Feb 12, 2018
edited
Loading

Yes, I'm sure. The only exception is calculating the pointer to one element past the end of an array (so it's possible to loop through an array using pointers rather than indices).

See the C11 text, 6.5.6.8:

If both the pointer operand and the result point to elements of the same array object, or
one past the last element of the array object, the evaluation shall not produce an overflow;
otherwise, the behavior is undefined.

@pfalcon
net: sockets: getaddrinfo() buffer overflow, etc. fixes
3953714 
The existing implementation assumed DNS resolv callback will be
called just once, but that's not always the case (apparently,
for multi-homes hosts or something). So, apply array bounds
checking (and do pointer arithmetic only after it, as the C
standard otherwise warns of "undefined behavior"). In such a case,
the port number wasn't set in each entry too, so rework how it's
done.

The issues discovered while resolving archive.ubuntu.com.

Signed-off-by: Paul Sokolovsky <[email protected]>
@pfalcon pfalcon force-pushed the net-getaddrinfo-fixes branch from f94d3ee to 3953714 Compare February 12, 2018 21:16
@pfalcon
Copy link
Contributor Author

pfalcon commented Feb 12, 2018

Updated as suggested.

@lpereira
Copy link
Member

Note for whoever is merging this: this should be backported to 1.10.

@nashif
Copy link
Member

nashif commented Feb 13, 2018

@pfalcon can you backport and submit to 1.10 branch?

@nashif nashif merged commit ede25c1 into zephyrproject-rtos:master Feb 13, 2018
@pfalcon
Copy link
Contributor Author

pfalcon commented Feb 13, 2018

can you backport and submit to 1.10 branch?

Submitted as #6169, thanks.

@pfalcon pfalcon mentioned this pull request Feb 13, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GAnthony GAnthony Awaiting requested review from GAnthony

@jukkar jukkar Awaiting requested review from jukkar

@askawu askawu Awaiting requested review from askawu

1 more reviewer

@lpereira lpereira lpereira approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
area: Networking priority: high High impact/importance bug
Projects
None yet
Milestone
v1.11.0
Development

Successfully merging this pull request may close these issues.
4 participants
@pfalcon @codecov-io @lpereira @nashif