meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Mon, 22 May 2023 06:51:49 -0400
Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc

Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae.patch]
CVE: CVE-2023-32067
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
index 87329e3..605e5f8 100644
--- a/src/lib/ares_process.c
+++ b/src/lib/ares_process.c
@@ -457,7 +457,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
 {
   struct server_state *server;
   int i;
-  ares_ssize_t count;
+  ares_ssize_t read_len;
   unsigned char buf[MAXENDSSZ + 1];
 #ifdef HAVE_RECVFROM
   ares_socklen_t fromlen;
@@ -500,32 +500,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
       /* To reduce event loop overhead, read and process as many
        * packets as we can. */
       do {
-        if (server->udp_socket == ARES_SOCKET_BAD)
-          count = 0;
-
-        else {
-          if (server->addr.family == AF_INET)
+        if (server->udp_socket == ARES_SOCKET_BAD) {
+          read_len = -1;
+        } else {
+          if (server->addr.family == AF_INET) {
             fromlen = sizeof(from.sa4);
-          else
+          } else {
             fromlen = sizeof(from.sa6);
-          count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
-                                  sizeof(buf), 0, &from.sa, &fromlen);
+          }
+          read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+                                     sizeof(buf), 0, &from.sa, &fromlen);
         }
 
-        if (count == -1 && try_again(SOCKERRNO))
+        if (read_len == 0) {
+          /* UDP is connectionless, so result code of 0 is a 0-length UDP
+           * packet, and not an indication the connection is closed like on
+           * tcp */
           continue;
-        else if (count <= 0)
+        } else if (read_len < 0) {
+          if (try_again(SOCKERRNO))
+            continue;
+
           handle_error(channel, i, now);
+
 #ifdef HAVE_RECVFROM
-        else if (!same_address(&from.sa, &server->addr))
+        } else if (!same_address(&from.sa, &server->addr)) {
           /* The address the response comes from does not match the address we
            * sent the request to. Someone may be attempting to perform a cache
            * poisoning attack. */
-          break;
+          continue;
 #endif
-        else
-          process_answer(channel, buf, (int)count, i, 0, now);
-       } while (count > 0);
+
+        } else {
+          process_answer(channel, buf, (int)read_len, i, 0, now);
+        }
+      } while (read_len >= 0);
     }
 }
 
-- 
2.25.1