From patchwork Sat Sep 7 01:08:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 1982105 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=unstable.cc header.i=a@unstable.cc header.a=rsa-sha256 header.s=20220809-q8oc header.b=ftW/aoqP; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X0w1L0WZNz1y1H for ; Sat, 7 Sep 2024 11:07:17 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 5787838565C3 for ; Sat, 7 Sep 2024 01:07:14 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from wilbur.contactoffice.com (wilbur.contactoffice.com [212.3.242.68]) by sourceware.org (Postfix) with ESMTPS id 1E5B138565CA for ; Sat, 7 Sep 2024 01:06:17 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 1E5B138565CA Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=unstable.cc Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=unstable.cc ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 1E5B138565CA Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=212.3.242.68 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1725671181; cv=none; b=OF1wOzrh0xSbBJAL2bLC5a1MOE0J73WUpag0sFZX3kEr3TlsEYhMPfUWKQMGhHxWZZHcr2kQ/LZQqurZJ64D7Gllo/EmlU2lvWXytyLXnZh1ZJ0AWozC9tImCenbcwhnQzG7V6Rs2Hc68dq4kQsHBdMMpjWu8XVwzlFVbNllOz4= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1725671181; c=relaxed/simple; bh=um26TSyODUEDWlTV7ZGMnT7W8wJ0lc8ntgpG+kYfrJs=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=jhmyLlCv1EK5Pi3x7MGJuL2Lzg9eHDNX6u0lglv1NIeN73EwZFpcE56nXYnBGUU3ObkY+isoPhNQaM5pGrl0mIa/iFWz2f/1/SYmBPCGNG69vCBHOscixZbU9S9Nz3ob0zlPRmGiW6GW7I2ZMEK4etL4vXKMZbwOS58jqZl+Vbc= ARC-Authentication-Results: i=1; server2.sourceware.org Received: from smtpauth2.co-bxl (smtpauth2.co-bxl [10.2.0.24]) by wilbur.contactoffice.com (Postfix) with ESMTP id 1C87D4778; Sat, 7 Sep 2024 03:06:16 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1725671176; s=20220809-q8oc; d=unstable.cc; i=a@unstable.cc; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Transfer-Encoding; bh=/b9zub/BPJsMA10GPndOKCeQRXNhPFQekYnWKRZqcV8=; b=ftW/aoqPWVqTDE72tEKUyiLR50lzdRb6ERcAGFBbWTjV8HFZUDDe2WrdgXrtfgG2 LchIurLucHdf+8CHu59tgGG+IgSzv1ZlcDGw/KYZ7BJ/dfxGfGzd77JhxkC4BQuxNE7 4lE2B+wc7UlvcA+gPzYEmC64sR6b9YBuVvR1m6Shylh2nMuz3cX3pbNddPG4IWfakUK hqwN1PobvpncIX+H8cvdwUSJnyOPzjWLzYyvANWLZkGOvhKIUkR8nhSTFziOZ1JZuae xHSDtWUP6gZoL97DeVWLQ8TvOyoOqZpGiqX9Ez640RlXLrJjiPyEE3n0JQUf+8nSXKp Xzk9nLBiDw== Received: by smtp.mailfence.com with ESMTPSA ; Sat, 7 Sep 2024 03:06:12 +0200 (CEST) From: Antonio Quartulli To: libc-alpha@sourceware.org Cc: Antonio Quartulli , Arne Schwabe , Cristina Nita-Rotaru , Anqi Chen Subject: [PATCH] nss: reject invalid port passed to getaddrinfo [BZ #16208] Date: Sat, 7 Sep 2024 03:08:04 +0200 Message-ID: <20240907010804.8081-1-a@unstable.cc> X-Mailer: git-send-email 2.44.2 MIME-Version: 1.0 X-ContactOffice-Account: com:375058688 X-Spam-Status: No, score=-11.2 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_LOW, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org When passing a numeric string as port/service to getaddrinfo() representing a number larger than 65535, the function will not complain and will simply extract the lowest 16bits of the converted number. Specifically, the string is converted to int by calling strtoul() and later it is moved to gaih_servtuple.num after passing through htons(). For example, invoking getaddrinfo() with service equal to "70000" will result in no error and ai_addr->sin_port set to 4464. This issue was (re)discovered by researcher Anqi Chen while stress testing OpenVPN with invalid config parameters. Thanks a lot to Arne Schwabe for finding out that the root cause was hidden inside glibc. Similarly, also when passing 0 no error is thrown while it should. Add proper check to reject invalid values immediately. Cc: Arne Schwabe Cc: Cristina Nita-Rotaru Reported-by: Anqi Chen Signed-off-by: Antonio Quartulli --- nss/Makefile | 1 + nss/getaddrinfo.c | 6 ++++ nss/tst-getaddrinfo6.c | 64 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+) create mode 100644 nss/tst-getaddrinfo6.c diff --git a/nss/Makefile b/nss/Makefile index 9331b3308c..94acfd0e38 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -321,6 +321,7 @@ tests := \ tst-getaddrinfo \ tst-getaddrinfo2 \ tst-getaddrinfo3 \ + tst-getaddrinfo6 \ tst-gethnm \ tst-getpw \ tst-gshadow \ diff --git a/nss/getaddrinfo.c b/nss/getaddrinfo.c index 3ccd3905fa..84ff72bad0 100644 --- a/nss/getaddrinfo.c +++ b/nss/getaddrinfo.c @@ -2377,6 +2377,12 @@ getaddrinfo (const char *name, const char *service, gaih_service.num = -1; } + else if (gaih_service.num == 0 || gaih_service.num > USHRT_MAX) + { + /* provided numeric string is invalid */ + __free_in6ai (in6ai); + return EAI_NONAME; + } pservice = &gaih_service; } diff --git a/nss/tst-getaddrinfo6.c b/nss/tst-getaddrinfo6.c new file mode 100644 index 0000000000..6f9c5aa546 --- /dev/null +++ b/nss/tst-getaddrinfo6.c @@ -0,0 +1,64 @@ +/* Test invalid port/service lookup [BZ #16208]. + Copyright (C) 2014-2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include + +static int +do_one_test (const char *service) +{ + const int family[2] = { AF_INET, AF_INET6 }; + struct addrinfo hints, *aitop; + int index, gaierr; + int result = 0; + + for (index = 0; index < sizeof (family) / sizeof (family[0]); ++index) + { + memset (&hints, '\0', sizeof (hints)); + hints.ai_family = family[index]; + + gaierr = getaddrinfo (NULL, service, &hints, &aitop); + if (gaierr != EAI_NONAME) + { + printf ("FAIL getaddrinfo returned %d, should return %d\n", + gaierr, EAI_NONAME); + result = 1; + } + } + + return result; +} + + +static int +do_test (void) +{ + int err = 0; + + err |= do_one_test ("0"); + err |= do_one_test ("70000"); + + return err; +} +#define TEST_FUNCTION do_test () + +#include "../test-skeleton.c"