File nss-dns-buffer-overflow.patch of Package glibc.i686
2015-04-21 Arjun Shankar <arjun.is@lostca.se>
[BZ #18287]
* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
based on padding. (CVE-2015-1781)
Index: glibc-2.19/resolv/nss_dns/dns-host.c
===================================================================
--- glibc-2.19.orig/resolv/nss_dns/dns-host.c
+++ glibc-2.19/resolv/nss_dns/dns-host.c
@@ -618,7 +618,8 @@ getanswer_r (const querybuf *answer, int
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
{
/* The buffer is too small. */
too_small: