[torsocks/master] Fix memcpy() buffer overrun in gethostbyname()

commit 23651bcebd368e09bcbd33c20acbe13153860c66 Author: David Goulet <dgoulet@ev0ke.net> Date: Sun Aug 21 10:36:39 2016 -0400 Fix memcpy() buffer overrun in gethostbyname() An extra 12 bytes of uninitialized data from the stack was copied in the static tsocks_he_addr object which is then returned in the hostent object by gethostbyname(). First of all, this patch sets the right length to tsocks_he_addr which is 4 bytes that is the IPv4 address in network byte order. Second, gethostbyname can take a valid IPv4 so check that before trying to resolve so to speed up the call. Thanks to guido for reporting this through our Hackerone bug bounty program. Reported-by: Guido Vranken <guidovranken@gmail.com> Signed-off-by: David Goulet <dgoulet@ev0ke.net> --- src/lib/gethostbyname.c | 22 ++++++++++++++++------ src/lib/torsocks.h | 2 +- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c index 93a3483..d67cc8e 100644 --- a/src/lib/gethostbyname.c +++ b/src/lib/gethostbyname.c @@ -22,12 +22,13 @@ #include <stdlib.h> #include <common/log.h> +#include <common/utils.h> #include "torsocks.h" struct hostent tsocks_he; char *tsocks_he_addr_list[2]; -char tsocks_he_addr[INET_ADDRSTRLEN]; +char tsocks_he_addr[4]; char tsocks_he_name[255]; /* gethostbyname(3) */ 
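Review bot: The new size in `char tsocks_he_addr[4];` is a bare literal that has to stay in step with the `memcpy(tsocks_he_addr, &ip, sizeof(tsocks_he_addr))` later in this file and with the `extern` declaration in the src/lib/torsocks.h hunk, and the compiler will not diagnose the two declarations drifting apart. Since the file already uses `AF_INET` and `inet_pton`, the length can be tied to the address type instead: `char tsocks_he_addr[sizeof(struct in_addr)];` in both the definition here and the extern in torsocks.h (or one named constant in the header used by both). The hostent's `h_length` is not visible in these hunks; if it is assigned elsewhere in tsocks_gethostbyname it should likewise derive from `sizeof(tsocks_he_addr)` so the entry returned to callers advertises the same 4-byte length it now carries. This note also covers the identical literal in the torsocks.h hunk.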
@@ -71,10 +72,19 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG) goto error; } - /* Resolve the given hostname through Tor. */ - ret = tsocks_tor_resolve(AF_INET, name, &ip); - if (ret < 0) { - goto error; + /* Man page specifies that it can either be an hostname or IPv4 address. + * If it's an address, go with it else try to resolve it through Tor. */ + if (utils_is_address_ipv4(name)) { + if (inet_pton(AF_INET, name, &ip) <= 0) { + goto error; + } + /* "ip" now contains the network byte order of the address. */ + } else { + /* We have a hostname so resolve it through Tor. */ + ret = tsocks_tor_resolve(AF_INET, name, &ip); + if (ret < 0) { + goto error; + } } /* Reset static host entry of tsocks. */ @@ -82,7 +92,7 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG) memset(tsocks_he_addr_list, 0, sizeof(tsocks_he_addr_list)); memset(tsocks_he_addr, 0, sizeof(tsocks_he_addr)); - /* Copy resolved network byte order IP address. */ + /* Copy network byte order IP address. */ memcpy(tsocks_he_addr, &ip, sizeof(tsocks_he_addr)); tsocks_he_addr_list[0] = tsocks_he_addr; diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h index eddd0de..bcaf92b 100644 --- a/src/lib/torsocks.h +++ b/src/lib/torsocks.h @@ -112,7 +112,7 @@ */ extern struct hostent tsocks_he; extern char *tsocks_he_addr_list[2]; -extern char tsocks_he_addr[INET_ADDRSTRLEN]; +extern char tsocks_he_addr[4]; extern char tsocks_he_name[255]; #define LIBC_GETHOSTBYNAME_NAME gethostbyname
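Review bot: The added branch validates `name` twice with two different parsers, `utils_is_address_ipv4(name)` and then `inet_pton(AF_INET, name, &ip)`; if the two ever disagree on an edge form (a leading zero in an octet, for example, which inet_pton may reject), a string accepted by the first check but rejected by the second takes `goto error` instead of falling back to a Tor resolve. Branching on the single call keeps one source of truth and drops the new common/utils.h include: `if (inet_pton(AF_INET, name, &ip) == 1) { /* literal IPv4, already network byte order */ } else { ret = tsocks_tor_resolve(AF_INET, name, &ip); if (ret < 0) { goto error; } }`. Whether `ret` is initialized on the literal-address path cannot be seen here; tsocks_gethostbyname continues outside the hunk, so confirm nothing after this point reads it on that path.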