[3.4] c-ares: Single byte out of buffer write (CVE-2016-5180)
When a string passed to ares_create_query or ares_mkquery ends in an escaped trailing dot, like “hello\.”, c-ares miscalculates the encoded length of the string and subsequently writes one byte past the end of the allocated buffer. The wrongly written byte is the least significant byte of the ‘dnsclass’ argument; most commonly 1.
Proof of concept code has shown how this can be exploited in a real-world system, but we are not aware of any exploits having actually happened in the wild.
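To make the length miscalculation concrete, here is an added, simplified illustration (not c-ares's own code, and not the exact patch) of how a DNS name length counter can be fooled by an escaped trailing dot. The correct counter treats a backslash-escaped dot as label data; the flawed variant counts bytes and then looks only at the final character, so for “hello\.” it returns one byte too few, which is what leaves the last byte of the class field outside the buffer.

```c
#include <stddef.h>

/* Correct wire-format length of a dotted name: one length byte per
 * label, the label bytes, and a terminating zero byte.  A backslash
 * escapes the next character, so "hello\." is a single six-byte
 * label "hello.", not "hello" followed by a trailing dot. */
size_t encoded_name_len(const char *name)
{
    size_t len = 1;     /* terminating zero-length label */
    size_t label = 0;   /* bytes accumulated in the current label */
    for (const char *p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;        /* escaped character is ordinary label data */
            label++;
        } else if (*p == '.') {
            if (label)
                len += 1 + label;   /* length byte + label bytes */
            label = 0;
        } else {
            label++;
        }
    }
    if (label)
        len += 1 + label;           /* last label had no trailing dot */
    return len;
}

/* Flawed counter (constructed to mirror the bug described above):
 * escapes are skipped while counting, but the "ends with a dot, so no
 * extra length byte" decision inspects only the final character and
 * cannot tell an escaped dot from a real terminator. */
size_t buggy_name_len(const char *name)
{
    size_t len = 1;
    const char *p;
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;
        len++;
    }
    if (*name && p[-1] != '.')
        len++;
    return len;                 /* "hello\." -> 7, should be 8 */
}

/* Number of bytes a buffer sized with buggy_name_len() falls short. */
size_t shortfall(const char *name)
{
    size_t good = encoded_name_len(name), bad = buggy_name_len(name);
    return good > bad ? good - bad : 0;
}
```

For ordinary names such as “example.com” or “example.com.” both counters agree; only the escaped trailing dot produces a shortfall, which is why the defect went unnoticed in normal resolver use.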
Affected versions:
c-ares 1.0.0 to and including 1.11.0
Fixed In Version:
c-ares 1.12.0
Reference:
https://c-ares.haxx.se/adv_20160929.html
Patch:
https://c-ares.haxx.se/CVE-2016-5180.patch
(from redmine: issue id 6257, created on 2016-10-04, closed on 2016-10-18)
- Relations:
  - parent #6256 (closed)
- Changesets:
  - Revision c1ee0fbf by Natanael Copa on 2016-10-18T09:18:31Z:
    main/c-ares: security upgrade to 1.12.0 (CVE-2016-5180)
    fixes #6257