Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Jan 2015 18:23:32 +0100
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: musl@...ts.openwall.com
Subject: Re: gethostbyname buffer overflow (glibc)

2015-01-27 18:10 GMT+01:00 Rich Felker <dalias@...c.org>:
> On Tue, Jan 27, 2015 at 05:59:36PM +0100, Daniel Cegiełka wrote:
>> eg from:
>>
>> http://www.openwall.com/lists/oss-security/2015/01/27/9
>>
>> # gcc ghost.c && ./a.out
>> should not happen
>>
>>
>>   retval = gethostbyname_r(name, &resbuf, temp.buffer,
>> sizeof(temp.buffer), &result, &herrno);
>>
>>   if (strcmp(temp.canary, CANARY) != 0) {
>>     puts("vulnerable");
>>     exit(EXIT_SUCCESS);
>>   }
>>   if (retval == ERANGE) {
>>     puts("not vulnerable");
>>     exit(EXIT_SUCCESS);
>>   }
>>   puts("should not happen");
>>   exit(EXIT_FAILURE);
>>
>> Double exit. Is something wrong with gethostbyname_r() in musl?
>
> I'm not sure what you mean by "double exit".

ghost.c return EXIT_FAILURE instead EXIT_SUCCESS, which is checked in
two cases (only)...

> As far as I can tell,
> musl just detects errors in a different order, and returns ENOENT (2)
> rather than ERANGE because the name is not valid.

... and yes, ghost.c should also check the other errors.

thx

> Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.