From: Michael Chang
To: grub-devel@gnu.org
Subject: [PATCH] dns: fix heap corruption
Date: Thu, 7 Jul 2016 17:18:17 +0800
Message-ID: <20160707091817.GA16571@linux-9gqx.suse.de>

Since commit f9d1b4422efb2c06e5472fb2c304712e2029796b I occasionally bumped into a heap corruption problem during dns lookup. After tracing the issue, it looks like the *data->addresses array is not correctly allocated. It needs to hold the accumulated dns lookup results, not only the new result in the new message. The heap corruption occurred when appending the new result to it.

This patch fixed the issue for me by reallocating the array if it is found too small to hold all the results.

Thanks,
---
 grub-core/net/dns.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 89741dd..b8d8873 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -276,14 +276,25 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), ptr++; ptr += 4; } - *data->addresses = grub_malloc (sizeof ((*data->addresses)[0]) - * grub_be_to_cpu16 (head->ancount)); - if (!*data->addresses) + + if (ALIGN_UP (grub_be_to_cpu16 (head->ancount) + *data->naddresses, 4) > ALIGN_UP (*data->naddresses, 4)) { - grub_errno = GRUB_ERR_NONE; - grub_netbuff_free (nb); - return GRUB_ERR_NONE; + grub_net_network_level_address_t *old_addresses = *data->addresses; + *data->addresses = grub_malloc (sizeof ((*data->addresses)[0]) + * ALIGN_UP (grub_be_to_cpu16 (head->ancount) + *data->naddresses, 4)); + if (!*data->addresses) + { + grub_errno = GRUB_ERR_NONE; + grub_netbuff_free (nb); + return GRUB_ERR_NONE; + } + if (*data->naddresses) + { + grub_memcpy (*data->addresses, old_addresses, sizeof ((*data->addresses)[0]) * (*data->naddresses)); + grub_free (old_addresses); + } } + reparse_ptr = ptr; reparse: for (i = 0, ptr = reparse_ptr; i < grub_be_to_cpu16 (head->ancount); i++) -- 2.6.2
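Review bot: in the new "if (!*data->addresses)" branch, old_addresses is neither freed nor restored, and *data->addresses is left NULL while *data->naddresses still holds the previous count, so a failed grub_malloc both leaks the earlier array and leaves the pointer inconsistent with the count for whoever reads the results afterwards. Putting "*data->addresses = old_addresses;" before "grub_netbuff_free (nb);" in that branch keeps the already collected results intact on the out-of-memory path. The growth check also relies silently on every earlier allocation having been rounded up to ALIGN_UP (..., 4) entries, which is only true for buffers created by this same code; a one-line comment stating that capacity invariant would help the next reader. Finally, the added grub_memcpy line runs well past 80 columns and should be wrapped to match the surrounding GNU style.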