author | Michael Dawson <mdawson@devrus.com> | 2020-11-13 03:02:17 +0300 |
---|---|---|
committer | Beth Griggs <bgriggs@redhat.com> | 2020-11-14 20:25:10 +0300 |
commit | 1fd2c8142b611baadc973947b83c0863cb003d9d (patch) | |
tree | d9552cfd596a1b43e10b4c894aa73edf739a9c72 | |
parent | a18008f24f650d6972cf4bef2a4498b846d78889 (diff) |
deps: cherry-pick 0d252eb from upstream c-ares
Original commit message:
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.
This bug could lead to invalid memory accesses in applications using c-ares.
This behavior appeared to break with PR https://github.com/c-ares/c-ares/pull/257
Fixes: https://github.com/c-ares/c-ares/issues/371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)
Refs: https://github.com/nodejs/node/issues/36063
Signed-off-by: Michael Dawson <mdawson@devrus.com>
CVE-ID: CVE-2020-8277
PR-URL: https://github.com/nodejs-private/node-private/pull/231
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
-rw-r--r-- | deps/cares/src/ares_parse_a_reply.c | 3 |
-rw-r--r-- | deps/cares/src/ares_parse_aaaa_reply.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/deps/cares/src/ares_parse_a_reply.c b/deps/cares/src/ares_parse_a_reply.c index d8a9e9b5783..e71c993f8de 100644 --- a/deps/cares/src/ares_parse_a_reply.c +++ b/deps/cares/src/ares_parse_a_reply.c @@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen, if (naddrttls) { - *naddrttls = naddrs; + /* Truncated to at most *naddrttls entries */ + *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; } ares__freeaddrinfo_cnames(ai.cnames); diff --git a/deps/cares/src/ares_parse_aaaa_reply.c b/deps/cares/src/ares_parse_aaaa_reply.c index 0d39bfa8268..346d430750b 100644 --- a/deps/cares/src/ares_parse_aaaa_reply.c +++ b/deps/cares/src/ares_parse_aaaa_reply.c @@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen, if (naddrttls) { - *naddrttls = naddrs; + /* Truncated to at most *naddrttls entries */ + *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; } ares__freeaddrinfo_cnames(ai.cnames); |
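Review bot: In the ares_parse_a_reply.c hunk, the new ternary bounds *naddrttls only from above. It treats the incoming *naddrttls as the caller's array capacity, so if a caller passes a negative value, `naddrs > *naddrttls` holds for any non-negative naddrs and the negative count is written back unchanged. Consider rejecting or zeroing a negative capacity before the clamp. As a style point, spaces around the operators would make the expression easier to read: `*naddrttls = (naddrs > *naddrttls) ? *naddrttls : naddrs;`.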
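Review bot: The ares_parse_aaaa_reply.c hunk repeats the clamp expression and comment from the A-record parser verbatim, so a later change to one copy can miss the other; a small shared helper or macro for the minimum would keep the two parsers in step. The diffstat also shows only these two source files changed, so a regression test that feeds each parser a reply with more records than the requested *naddrttls and checks the reported count would be worth adding with the fix.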