diff options
author | Michael Dawson <mdawson@devrus.com> | 2020-11-13 03:02:17 +0300 |
---|---|---|
committer | Michaƫl Zasso <targos@protonmail.com> | 2020-11-15 10:31:48 +0300 |
commit | 2a44836eebf020160e7b198c694dd10e380b2ad2 (patch) | |
tree | f4fb80d0080cbaf6acfbb44bc1d755e7c0643862 | |
parent | df211208c05721da7e7522cca43c9fe935245750 (diff) |
deps: cherry-pick 0d252eb from upstream c-ares
Original commit message:
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.
This bug could lead to invalid memory accesses in applications using c-ares.
This behavior appeared to break with PR https://github.com/c-ares/c-ares/pull/257
Fixes: https://github.com/c-ares/c-ares/issues/371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)
Refs: https://github.com/nodejs/node/issues/36063
Signed-off-by: Michael Dawson <mdawson@devrus.com>
CVE-ID: CVE-2020-8277
PR-URL: https://github.com/nodejs-private/node-private/pull/231
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
-rw-r--r-- | deps/cares/src/ares_parse_a_reply.c | 3 | ||||
-rw-r--r-- | deps/cares/src/ares_parse_aaaa_reply.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/deps/cares/src/ares_parse_a_reply.c b/deps/cares/src/ares_parse_a_reply.c index d8a9e9b5783..e71c993f8de 100644 --- a/deps/cares/src/ares_parse_a_reply.c +++ b/deps/cares/src/ares_parse_a_reply.c @@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen, if (naddrttls) { - *naddrttls = naddrs; + /* Truncated to at most *naddrttls entries */ + *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; } ares__freeaddrinfo_cnames(ai.cnames); diff --git a/deps/cares/src/ares_parse_aaaa_reply.c b/deps/cares/src/ares_parse_aaaa_reply.c index 0d39bfa8268..346d430750b 100644 --- a/deps/cares/src/ares_parse_aaaa_reply.c +++ b/deps/cares/src/ares_parse_aaaa_reply.c @@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen, if (naddrttls) { - *naddrttls = naddrs; + /* Truncated to at most *naddrttls entries */ + *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs; } ares__freeaddrinfo_cnames(ai.cnames); |