tech-userlevel archive


Fwd: Change in aosp/bionic[master]: [fuzzers] Test for ns_parserr() and got a heap-buffer-overflow.



FYI, https://android-review.googlesource.com/c/platform/bionic/+/1093130
fixes a bug recently found by fuzzing the DNS code we share with
NetBSD.

---------- Forwarded message ---------
Subject: Change in aosp/bionic[master]: [fuzzers] Test for ns_parserr() and got a heap-buffer-overflow.


Bruce Chen would like Elliott Hughes to review this change.


Test for ns_parserr() and got a heap-buffer-overflow

In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.

Bug: 137346580
Test: built, flashed, booted
Test: ns_parserr_fuzzer test
Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37
---
M libc/dns/nameser/ns_name.c
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 3a202c1..c2dc80f 100644
--- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c
@@ -692,7 +692,7 @@
 {
  const u_char *cp;
  u_int n;
- int l;
+ int l=0;

  cp = *ptrptr;
  while (cp < eom && (n = *cp++) != 0) {
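Review bot: the `int l=0;` initialisation is only needed because the `cp < eom &&` guard added to the NS_TYPE_ELT branch below can now skip the assignment to `l`, so a zero silently stands in for a label length that was never read; if the truncated case is reported as an error in that branch instead, the pre-initialisation becomes unnecessary. Either way, `int l = 0;` matches the spacing used in the rest of the file.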
@@ -702,7 +702,7 @@
  cp += n;
  continue;
  case NS_TYPE_ELT: /* EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
  errno = EMSGSIZE; /* XXX */
  return(-1);
  }
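Review bot: with `cp < eom &&` in front, a message that ends immediately after the NS_TYPE_ELT type byte no longer reaches `labellen()`, which fixes the over-read, but the branch also no longer returns -1 for it: the condition is simply false, `errno` is left untouched and execution continues with `l` still at its initial 0, so the truncation is only caught indirectly by the `while (cp < eom ...)` loop condition. Reporting it through the EMSGSIZE path this branch already has is clearer and keeps the malformed-input handling in one place, e.g. `if (cp >= eom || (l = labellen(cp - 1)) < 0) {`.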

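As an added example that is not part of the forwarded change or of bionic's ns_name.c: a simplified, bounds-checked name skipper that makes explicit the check the patch adds, namely that the byte after an EDNS0 extended-label type byte lies inside the message before it is read. labellen_checked, skip_name_checked and the sample names are hypothetical and constructed here; the macro values follow <arpa/nameser.h>.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define NS_CMPRSFLGS            0xc0 /* label type bits 11: compression pointer */
#define NS_TYPE_ELT             0x40 /* label type bits 01: EDNS0 extended label */
#define DNS_LABELTYPE_BITSTRING 0x41 /* the one defined extended label type */
/* Hypothetical bounds-checked labellen(): 'lp' is the label type byte, 'eom' one past
 * the message end.  Returns the bytes following the type byte, or -1 if bad/truncated. */
static int labellen_checked(const uint8_t *lp, const uint8_t *eom)
{
    uint8_t t = *lp;
    switch (t & NS_CMPRSFLGS) {
    case 0:            return t;                  /* ordinary label of t characters */
    case NS_CMPRSFLGS: return 1;                  /* one more byte of pointer offset */
    case NS_TYPE_ELT: {
        if (t != DNS_LABELTYPE_BITSTRING) return -1;
        /* The bit count is the byte after the type byte: the read the change guards. */
        if (lp + 1 >= eom) return -1;
        unsigned bits = lp[1] ? lp[1] : 256;      /* 0 encodes 256 bits */
        return 1 + (int)((bits + 7) / 8);         /* count byte + ceil(bits/8) data bytes */
    }
    }
    return -1;                                    /* label type bits 10 are reserved */
}
/* Skip one domain name at msg[0..len): returns the bytes it occupies, or -1 with
 * errno = EMSGSIZE if it is malformed or runs past the end. */
int skip_name_checked(const uint8_t *msg, size_t len)
{
    const uint8_t *cp = msg, *eom = msg + len;
    while (cp < eom) {
        uint8_t t = *cp;
        if (t == 0)
            return (int)(cp + 1 - msg);           /* root label terminates the name */
        int l = labellen_checked(cp, eom);
        if (l < 0 || eom - cp < 1 + l) {          /* type byte plus l bytes must fit */
            errno = EMSGSIZE;
            return -1;
        }
        cp += 1 + l;
        if ((t & NS_CMPRSFLGS) == NS_CMPRSFLGS)
            return (int)(cp - msg);               /* a compression pointer also ends the name */
    }
    errno = EMSGSIZE;                             /* ran off the end before a terminator */
    return -1;
}
/* Constructed sample names (made up here, not taken from the fuzzer or the page). */
const uint8_t name_ok[]        = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
const uint8_t name_elt[]       = {DNS_LABELTYPE_BITSTRING, 8, 0xaa, 0};  /* 8 bits, then root */
const uint8_t name_ptr[]       = {3,'w','w','w',0xc0,0x0c};              /* label, then pointer */
const uint8_t name_trunc_elt[] = {3,'w','w','w',DNS_LABELTYPE_BITSTRING}; /* type byte is last */
```

The last sample is the shape of input the fuzzer found: the extended-label type byte is the final byte of the buffer, so the bit-count read must be refused rather than performed.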

