qiurui
/
glibc
mirror of git://sourceware.org/git/glibc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915) 

The default network value of zero for net was never tested for and
results in a DNS query constructed from uninitialized stack bytes.
The solution is to provide a default query for the case where net
is zero.

Adding a test case for this was straight forward given the existence of
tst-resolv-network and if the test is added without the fix you observe
this failure:

FAIL: resolv/tst-resolv-network
original exit status 1
error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
error: 1 test failures

With a random QNAME resulting from the use of uninitialized stack bytes.

After the fix the test passes.

Additionally verified using wireshark before and after to ensure
on-the-wire bytes for the DNS query were as expected.

No regressions on x86_64.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit e56ff82d50)
This commit is contained in:
Carlos O'Donell 2026-01-15 15:09:38 -05:00
parent 744b63026a
commit 49125ffc8e
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
resolv/nss_dns/dns-network.c
View File

@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2], sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
net_bytes[1], net_bytes[0]); net_bytes[1], net_bytes[0]);
break; break;
default:
/* Default network (net is originally zero). */
strcpy (qbuf, "0.0.0.0.in-addr.arpa");
break;
} }
net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);

6
resolv/tst-resolv-network.c
View File

@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
{ {
switch (code) switch (code)
{ {
case 0:
send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
break;
case 1: case 1:
send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa"); send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
break; break;
@ -265,6 +268,9 @@ do_test (void)
"error: TRY_AGAIN\n"); "error: TRY_AGAIN\n");
/* Lookup by address, success cases. */ /* Lookup by address, success cases. */
check_reverse (0,
"name: 0.in-addr.arpa\n"
"net: 0x00000000\n");
check_reverse (1, check_reverse (1,
"name: 1.in-addr.arpa\n" "name: 1.in-addr.arpa\n"
"net: 0x00000001\n"); "net: 0x00000001\n");