[tor-commits] [torsocks/master] Fix memcpy() buffer overrun in gethostbyname()
dgoulet at torproject.org
Sun Aug 21 15:15:40 UTC 2016
commit 23651bcebd368e09bcbd33c20acbe13153860c66
Author: David Goulet <dgoulet at ev0ke.net>
Date: Sun Aug 21 10:36:39 2016 -0400
Fix memcpy() buffer overrun in gethostbyname()
An extra 12 bytes of uninitialized data from the stack was copied in the
static tsocks_he_addr object which is then returned in the hostent object by
gethostbyname().
First, this patch gives tsocks_he_addr its correct length: 4 bytes, the size of an IPv4 address in network byte order.
Second, gethostbyname() may be passed a literal IPv4 address, so check for that before resolving; this also avoids a needless round trip through Tor.
Thanks to guido for reporting this through our Hackerone bug bounty program.
Reported-by: Guido Vranken <guidovranken at gmail.com>
Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
src/lib/gethostbyname.c | 22 ++++++++++++++++------
src/lib/torsocks.h | 2 +-
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c
index 93a3483..d67cc8e 100644
--- a/src/lib/gethostbyname.c
+++ b/src/lib/gethostbyname.c
@@ -22,12 +22,13 @@
#include <stdlib.h>
#include <common/log.h>
+#include <common/utils.h>
#include "torsocks.h"
struct hostent tsocks_he;
char *tsocks_he_addr_list[2];
-char tsocks_he_addr[INET_ADDRSTRLEN];
+char tsocks_he_addr[4];
char tsocks_he_name[255];
/* gethostbyname(3) */
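Review bot: `char tsocks_he_addr[4];` hard-codes the IPv4 address length as a bare `4`, and the same literal is repeated in the matching torsocks.h declaration, so the two can drift apart silently. Expressing the length as `sizeof(struct in_addr)` in both places (the old INET_ADDRSTRLEN use suggests the relevant network headers are already included, but I cannot see the include list) documents why the buffer is 4 bytes and keeps the definition and the extern declaration in sync by construction. A one-line comment such as `/* one IPv4 address, network byte order; must match tsocks_he.h_length */` would also help, since h_length is set outside this hunk.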
@@ -71,10 +72,19 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG)
goto error;
}
- /* Resolve the given hostname through Tor. */
- ret = tsocks_tor_resolve(AF_INET, name, &ip);
- if (ret < 0) {
- goto error;
+ /* Man page specifies that it can either be an hostname or IPv4 address.
+ * If it's an address, go with it else try to resolve it through Tor. */
+ if (utils_is_address_ipv4(name)) {
+ if (inet_pton(AF_INET, name, &ip) <= 0) {
+ goto error;
+ }
+ /* "ip" now contains the network byte order of the address. */
+ } else {
+ /* We have a hostname so resolve it through Tor. */
+ ret = tsocks_tor_resolve(AF_INET, name, &ip);
+ if (ret < 0) {
+ goto error;
+ }
}
/* Reset static host entry of tsocks. */
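Review bot: The new literal-address branch does `goto error` from a failed inet_pton() without touching `ret`, unlike the resolve branch beside it, so if the `error:` label (outside this hunk) reports through `ret` or derives h_errno from it, the caller can see a stale status from an earlier assignment. It is also likely that `utils_is_address_ipv4()` is itself built on inet_pton(), in which case the literal path parses `name` twice. Both points go away with a single call, `ret = inet_pton(AF_INET, name, &ip);`, where `ret == 1` takes the literal path, `ret == 0` falls through to `tsocks_tor_resolve(AF_INET, name, &ip)`, and anything else goes to error; otherwise at least set `ret = -1;` before the `goto`. tsocks_gethostbyname() starts and ends outside this hunk, so I cannot confirm how `ret` is consumed at the label.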
@@ -82,7 +92,7 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG)
memset(tsocks_he_addr_list, 0, sizeof(tsocks_he_addr_list));
memset(tsocks_he_addr, 0, sizeof(tsocks_he_addr));
- /* Copy resolved network byte order IP address. */
+ /* Copy network byte order IP address. */
memcpy(tsocks_he_addr, &ip, sizeof(tsocks_he_addr));
tsocks_he_addr_list[0] = tsocks_he_addr;
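Review bot: `memcpy(tsocks_he_addr, &ip, sizeof(tsocks_he_addr));` still takes its length from the destination, which is exactly the shape of the over-read this commit fixes; it is now correct only because the destination happens to be 4 bytes and `ip` (declared outside the hunk) is presumably at least that wide. Tying the two sizes together makes the next type change fail at compile time instead of reading past `ip`: `_Static_assert(sizeof(ip) == sizeof(tsocks_he_addr), "tsocks_he_addr must hold one IPv4 address");` if the project builds as C11, or a comment at the memcpy noting the dependency if it builds as C99. It is also worth confirming that `tsocks_he.h_length`, set elsewhere in this function, is 4, since callers that trust h_length will otherwise read beyond tsocks_he_addr.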
diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h
index eddd0de..bcaf92b 100644
--- a/src/lib/torsocks.h
+++ b/src/lib/torsocks.h
@@ -112,7 +112,7 @@
*/
extern struct hostent tsocks_he;
extern char *tsocks_he_addr_list[2];
-extern char tsocks_he_addr[INET_ADDRSTRLEN];
+extern char tsocks_he_addr[4];
extern char tsocks_he_name[255];
#define LIBC_GETHOSTBYNAME_NAME gethostbyname