File resolv-internal-qtype.patch of Package glibc.29706
2016-12-31 Florian Weimer <fweimer@redhat.com>
[BZ #18784]
CVE-2015-5180
* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
T_UNSPEC. Adjust value.
* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
* resolv/res_query.c (__libc_res_nquery): Likewise.
* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
QTYPEs.
Index: glibc-2.22/include/arpa/nameser_compat.h
===================================================================
--- glibc-2.22.orig/include/arpa/nameser_compat.h
+++ glibc-2.22/include/arpa/nameser_compat.h
@@ -1,8 +1,8 @@
#ifndef _ARPA_NAMESER_COMPAT_
#include <resolv/arpa/nameser_compat.h>
-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
- T_A and T_AAAA). */
-#define T_UNSPEC 62321
+/* The number is outside the 16-bit RR type range and is used
+ internally by the implementation. */
+#define T_QUERY_A_AND_AAAA 439963904
#endif
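Review bot: The new comment on `T_QUERY_A_AND_AAAA` says the value lies outside the 16-bit RR type range but not why that matters, and nothing enforces it. The old `62321` fit in 16 bits, so it could coincide with a type a caller puts in a question. I would spell that out, e.g. `/* Must stay above 65535 so that it can never equal a QTYPE that fits in a DNS question; res_nmkquery rejects such values. */`. A compile-time guard such as `_Static_assert (T_QUERY_A_AND_AAAA > 65535, "internal QTYPE must not fit in 16 bits");` beside one of its uses would stop a later edit to the number from silently reintroducing the overlap.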
Index: glibc-2.22/resolv/nss_dns/dns-host.c
===================================================================
--- glibc-2.22.orig/resolv/nss_dns/dns-host.c
+++ glibc-2.22/resolv/nss_dns/dns-host.c
@@ -312,7 +312,7 @@ _nss_dns_gethostbyname4_r (const char *n
int olderr = errno;
enum nss_status status;
- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
+ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
host_buffer.buf->buf, 2048, &host_buffer.ptr,
&ans2p, &nans2p, &resplen2, &ans2p_malloced);
if (n >= 0)
Index: glibc-2.22/resolv/res_mkquery.c
===================================================================
--- glibc-2.22.orig/resolv/res_mkquery.c
+++ glibc-2.22/resolv/res_mkquery.c
@@ -112,6 +112,10 @@ res_nmkquery(res_state statp,
int n;
u_char *dnptrs[20], **dpp, **lastdnptr;
+ if (class < 0 || class > 65535
+ || type < 0 || type > 65535)
+ return -1;
+
#ifdef DEBUG
if (statp->options & RES_DEBUG)
printf(";; res_nmkquery(%s, %s, %s, %s)\n",
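Review bot: The range check added at the top of res_nmkquery has no comment explaining the 65535 bound, and it returns the same `-1` that callers read as "buffer too small". A comment such as `/* QCLASS and QTYPE are 16-bit fields on the wire; reject values that would be truncated, including internal markers such as T_QUERY_A_AND_AAAA. */` would record the intent. Judging from the retry block in the last res_query.c hunk, an out-of-range `type` on the single-query path would apparently trigger the `malloc`-and-retry with `MAXPACKET` before failing again; validating `type` in `__libc_res_nquery` before building the query would avoid that wasted allocation. The check also sits ahead of the `RES_DEBUG` printf, so rejected calls leave no debug trace. The body of res_nmkquery continues outside the hunk.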
Index: glibc-2.22/resolv/res_query.c
===================================================================
--- glibc-2.22.orig/resolv/res_query.c
+++ glibc-2.22/resolv/res_query.c
@@ -129,7 +129,7 @@ __libc_res_nquery(res_state statp,
int n, use_malloc = 0;
u_int oflags = statp->_flags;
- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
+ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
u_char *buf = alloca (bufsize);
u_char *query1 = buf;
int nquery1 = -1;
@@ -144,7 +144,7 @@ __libc_res_nquery(res_state statp,
printf(";; res_query(%s, %d, %d)\n", name, class, type);
#endif
- if (type == T_UNSPEC)
+ if (type == T_QUERY_A_AND_AAAA)
{
n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
query1, bufsize);
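Review bot: The dual-query branch is still selected only by `type == T_QUERY_A_AND_AAAA`, so its safety depends on no caller other than the NSS code ever passing that integer. The marker no longer fits in 16 bits, but `type` is an `int`. If a public wrapper forwards its argument unchanged (not visible in this patch), such a call would still enter this branch without the second-answer output pointers that `_nss_dns_gethostbyname4_r` supplies. I would add a guard at the top of the branch that fails the call when those output pointers are NULL, with a comment stating that the marker is reserved for internal callers. The body of `__libc_res_nquery` starts and ends outside the hunk.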
@@ -211,7 +211,7 @@ __libc_res_nquery(res_state statp,
if (__builtin_expect (n <= 0, 0) && !use_malloc) {
/* Retry just in case res_nmkquery failed because of too
short buffer. Shouldn't happen. */
- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
+ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
buf = malloc (bufsize);
if (buf != NULL) {
query1 = buf;