* gethostbyname buffer overflow (glibc)
@ 2015-01-27 16:59 Daniel Cegiełka
2015-01-27 17:10 ` Rich Felker
0 siblings, 1 reply; 3+ messages in thread
From: Daniel Cegiełka @ 2015-01-27 16:59 UTC (permalink / raw)
To: musl
eg from:
http://www.openwall.com/lists/oss-security/2015/01/27/9
# gcc ghost.c && ./a.out
should not happen
retval = gethostbyname_r(name, &resbuf, temp.buffer,
sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
Double exit. Is something wrong with gethostbyname_r() in musl?
Daniel
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: gethostbyname buffer overflow (glibc)
2015-01-27 16:59 gethostbyname buffer overflow (glibc) Daniel Cegiełka
@ 2015-01-27 17:10 ` Rich Felker
2015-01-27 17:23 ` Daniel Cegiełka
0 siblings, 1 reply; 3+ messages in thread
From: Rich Felker @ 2015-01-27 17:10 UTC (permalink / raw)
To: musl
On Tue, Jan 27, 2015 at 05:59:36PM +0100, Daniel Cegiełka wrote:
> eg from:
>
> http://www.openwall.com/lists/oss-security/2015/01/27/9
>
> # gcc ghost.c && ./a.out
> should not happen
>
>
> retval = gethostbyname_r(name, &resbuf, temp.buffer,
> sizeof(temp.buffer), &result, &herrno);
>
> if (strcmp(temp.canary, CANARY) != 0) {
> puts("vulnerable");
> exit(EXIT_SUCCESS);
> }
> if (retval == ERANGE) {
> puts("not vulnerable");
> exit(EXIT_SUCCESS);
> }
> puts("should not happen");
> exit(EXIT_FAILURE);
>
> Double exit. Is something wrong with gethostbyname_r() in musl?
I'm not sure what you mean by "double exit". As far as I can tell,
musl just detects errors in a different order, and returns ENOENT (2)
rather than ERANGE because the name is not valid.
Rich
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: gethostbyname buffer overflow (glibc)
2015-01-27 17:10 ` Rich Felker
@ 2015-01-27 17:23 ` Daniel Cegiełka
0 siblings, 0 replies; 3+ messages in thread
From: Daniel Cegiełka @ 2015-01-27 17:23 UTC (permalink / raw)
To: musl
2015-01-27 18:10 GMT+01:00 Rich Felker <dalias@libc.org>:
> On Tue, Jan 27, 2015 at 05:59:36PM +0100, Daniel Cegiełka wrote:
>> eg from:
>>
>> http://www.openwall.com/lists/oss-security/2015/01/27/9
>>
>> # gcc ghost.c && ./a.out
>> should not happen
>>
>>
>> retval = gethostbyname_r(name, &resbuf, temp.buffer,
>> sizeof(temp.buffer), &result, &herrno);
>>
>> if (strcmp(temp.canary, CANARY) != 0) {
>> puts("vulnerable");
>> exit(EXIT_SUCCESS);
>> }
>> if (retval == ERANGE) {
>> puts("not vulnerable");
>> exit(EXIT_SUCCESS);
>> }
>> puts("should not happen");
>> exit(EXIT_FAILURE);
>>
>> Double exit. Is something wrong with gethostbyname_r() in musl?
>
> I'm not sure what you mean by "double exit".
ghost.c return EXIT_FAILURE instead EXIT_SUCCESS, which is checked in
two cases (only)...
> As far as I can tell,
> musl just detects errors in a different order, and returns ENOENT (2)
> rather than ERANGE because the name is not valid.
... and yes, ghost.c should also check the other errors.
thx
> Rich
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-01-27 17:23 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-27 16:59 gethostbyname buffer overflow (glibc) Daniel Cegiełka
2015-01-27 17:10 ` Rich Felker
2015-01-27 17:23 ` Daniel Cegiełka
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).