c9-stream-18
imports/c9-stream-18/nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c
parent
760994b1fb
commit
036414f3d5
@ -1,6 +1,6 @@
|
||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
SOURCES/icu4c-71_1-src.tgz
|
||||
SOURCES/node-v18.12.1-stripped.tar.gz
|
||||
SOURCES/undici-5.11.0.tar.gz
|
||||
SOURCES/icu4c-72_1-src.tgz
|
||||
SOURCES/node-v18.14.2-stripped.tar.gz
|
||||
SOURCES/undici-5.20.0.tar.gz
|
||||
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||
SOURCES/wasi-sdk-14.0-linux.tar.gz
|
||||
|
@ -1,6 +1,6 @@
|
||||
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
|
||||
20d62c96ab85808e1043376f0d889f74eb2551df SOURCES/node-v18.12.1-stripped.tar.gz
|
||||
0ea4e5cfe13969896bf41c0d2d029a621917b944 SOURCES/undici-5.11.0.tar.gz
|
||||
a97546f0119c37a3526143bc29fb573a4417ff84 SOURCES/icu4c-72_1-src.tgz
|
||||
f4cd3bd79f9ed923f8fd85ac75cc270a91cae6ea SOURCES/node-v18.14.2-stripped.tar.gz
|
||||
0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
|
||||
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||
c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz
|
||||
|
@ -0,0 +1,53 @@
|
||||
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
|
||||
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||
stack overflow (#497)
|
||||
|
||||
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||
the input str and initialize a sortlist configuration.
|
||||
|
||||
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||
statements in the config_sortlist call, which could potentially cause severe
|
||||
security impact in practical programs.
|
||||
|
||||
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||
potential stack overflows.
|
||||
|
||||
fixes #496
|
||||
|
||||
Fix By: @hopper-vul
|
||||
Resolves: CVE-2022-4904
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||
index de5d86c..d5858f6 100644
|
||||
--- a/deps/cares/src/lib/ares_init.c
|
||||
+++ b/deps/cares/src/lib/ares_init.c
|
||||
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
q = str;
|
||||
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 16)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbuf, str, q-str);
|
||||
ipbuf[q-str] = '\0';
|
||||
/* Find the prefix */
|
||||
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
const char *str2 = q+1;
|
||||
while (*q && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 32)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbufpfx, str, q-str);
|
||||
ipbufpfx[q-str] = '\0';
|
||||
str = str2;
|
||||
--
|
||||
2.39.2
|
||||
|
Loading…
Reference in new issue