Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
deps: cherry-pick 0d252eb from upstream c-ares
Original commit message:

  If there are more ttls returned than the maximum provided by the requestor, then
  the *naddrttls response would be larger than the actual number of elements in
  the addrttls array.

  This bug could lead to invalid memory accesses in applications using c-ares.

  This behavior appeared to break with PR c-ares/c-ares#257

  Fixes: c-ares/c-ares#371
  Reported By: Momtchil Momtchev (@mmomtchev)
  Fix By: Brad House (@bradh352)

Refs: https://github.com/nodejs/node/issues/36063

Signed-off-by: Michael Dawson <mdawson@devrus.com>

CVE-ID: CVE-2020-8277
PR-URL: nodejs-private/node-private#231
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
  • Loading branch information
mhdawson authored and BethGriggs committed Nov 14, 2020
1 parent a18008f commit 1fd2c81
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 2 deletions.
3 changes: 2 additions & 1 deletion deps/cares/src/ares_parse_a_reply.c
Expand Up @@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,

if (naddrttls)
{
*naddrttls = naddrs;
/* Truncated to at most *naddrttls entries */
*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}

ares__freeaddrinfo_cnames(ai.cnames);
Expand Down
3 changes: 2 additions & 1 deletion deps/cares/src/ares_parse_aaaa_reply.c
Expand Up @@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,

if (naddrttls)
{
*naddrttls = naddrs;
/* Truncated to at most *naddrttls entries */
*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}

ares__freeaddrinfo_cnames(ai.cnames);
Expand Down

0 comments on commit 1fd2c81

Please sign in to comment.