deps: c-ares, avoid single-byte buffer overwrite #9108
Conversation
Backport of nodejs#8849 for c-ares 1.9.0. Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html
nodejs-github-bot
added
cares
| @@ -191,5 +168,22 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id, | |||
| DNS_QUESTION_SET_TYPE(q, type); | |||
| DNS_QUESTION_SET_CLASS(q, dnsclass); | |||
|
|
|||
| q += QFIXEDSZ; | |||
There was a problem hiding this comment.
In the latest version, this line was previously inside a if (max_udp_size) {} block but was lifted out for the patch. In this backport it's standing alone and I'm not super-confident that it belongs here.
There was a problem hiding this comment.
OK, so previously q was just used to position for writes, but in the new version it's also used to check the final length and reject if it's too long, so we need this in here for that purpose whereas it was not needed before because there are no more writes after this.
|
CI @ https://ci.nodejs.org/job/node-test-pull-request/4527/, usual failures on Windows, others are good. |
|
Are we going to be doing another v0.10 release before the 31st? |
|
@jasnell yes, this fix has been announced already http://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ @nodejs/collaborators I'd appreciate a review here asap, this needs to get out in less than 24 hours. |
|
Pretty sure I grok most of what's going on in here now and am comfortable this is correct. I'm going to have to merge this unreviewed if nobody steps up in the next few hours, unfortunately! Gotta get a v0.10 out. |
Backport of nodejs#8849 for c-ares 1.9.0. Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html PR-URL: nodejs#9108 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This is a manual backport of #8849 because we're jumping back from 1.10 to 1.9 here. It's pretty awkward because there's no
max_udp_sizeargument in this old form. Tests pass locally but I don't have the highest degree of confidence that I've got this 100% so I'd appreciate some more expert eyes please.Maybe one of @indutny, @bnoordhuis, @addaleax might be able to grok this better than I?