[tor-commits] [torsocks/master] Fix memcpy() buffer overrun in gethostbyname()

dgoulet at torproject.org dgoulet at torproject.org
Sun Aug 21 15:15:40 UTC 2016


commit 23651bcebd368e09bcbd33c20acbe13153860c66
Author: David Goulet <dgoulet at ev0ke.net>
Date:   Sun Aug 21 10:36:39 2016 -0400

    Fix memcpy() buffer overrun in gethostbyname()
    
    An extra 12 bytes of uninitialized stack data were copied into the
    static tsocks_he_addr object, which is then returned in the hostent object
    by gethostbyname().
    
    First of all, this patch sets the right length to tsocks_he_addr which is 4
    bytes that is the IPv4 address in network byte order.
    
    Second, gethostbyname can take a valid IPv4 so check that before trying to
    resolve so to speed up the call.
    
    Thanks to guido for reporting this through our Hackerone bug bounty program.
    
    Reported-by: Guido Vranken <guidovranken at gmail.com>
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/lib/gethostbyname.c | 22 ++++++++++++++++------
 src/lib/torsocks.h      |  2 +-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c
index 93a3483..d67cc8e 100644
--- a/src/lib/gethostbyname.c
+++ b/src/lib/gethostbyname.c
@@ -22,12 +22,13 @@
 #include <stdlib.h>
 
 #include <common/log.h>
+#include <common/utils.h>
 
 #include "torsocks.h"
 
 struct hostent tsocks_he;
 char *tsocks_he_addr_list[2];
-char tsocks_he_addr[INET_ADDRSTRLEN];
+char tsocks_he_addr[4];
 char tsocks_he_name[255];
 
 /* gethostbyname(3) */
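Review bot: The new size in `char tsocks_he_addr[4];` is a bare magic number that the matching extern in the src/lib/torsocks.h hunk repeats, so the two declarations can drift apart silently. Spelling it as `sizeof(struct in_addr)` (if <netinet/in.h> is already included, which the AF_INET/inet_pton use suggests) or as one named constant in torsocks.h used by both files ties the buffer to the IPv4-only resolution this file performs. A comment on the declaration would also help the next reader, e.g. `/* One IPv4 address in network byte order; the hostent's h_length must match. */`. Anything that still treated tsocks_he_addr as a text buffer (it was INET_ADDRSTRLEN before) would now overrun it; I cannot see such users from this hunk.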
@@ -71,10 +72,19 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG)
 		goto error;
 	}
 
-	/* Resolve the given hostname through Tor. */
-	ret = tsocks_tor_resolve(AF_INET, name, &ip);
-	if (ret < 0) {
-		goto error;
+	/* Man page specifies that it can either be an hostname or IPv4 address.
+	 * If it's an address, go with it else try to resolve it through Tor. */
+	if (utils_is_address_ipv4(name)) {
+		if (inet_pton(AF_INET, name, &ip) <= 0) {
+			goto error;
+		}
+		/* "ip" now contains the network byte order of the address. */
+	} else {
+		/* We have a hostname so resolve it through Tor. */
+		ret = tsocks_tor_resolve(AF_INET, name, &ip);
+		if (ret < 0) {
+			goto error;
+		}
 	}
 
 	/* Reset static host entry of tsocks. */
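Review bot: The literal-address branch parses `name` twice, first with `utils_is_address_ipv4(name)` and then with `inet_pton(AF_INET, name, &ip)`; if the helper is itself an inet_pton wrapper (its definition is not in this hunk) the classification can be folded into the one call, `if (inet_pton(AF_INET, name, &ip) != 1) {` followed by the existing Tor resolve, since inet_pton returns 1 on success, 0 for a non-literal and -1 only for an unsupported family. Note that short forms such as `127.1`, which libc's gethostbyname accepts via inet_aton, are rejected by inet_pton and will be sent to Tor for resolution instead; that is probably acceptable for torsocks but deserves a line in the comment above the branch, e.g. `/* Only dotted-quad literals are taken here; inet_aton short forms go through Tor resolution. */`. `ret` is left unset on the literal path, which is fine only if nothing after the hunk reads it; tsocks_gethostbyname starts and ends outside this hunk.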
@@ -82,7 +92,7 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG)
 	memset(tsocks_he_addr_list, 0, sizeof(tsocks_he_addr_list));
 	memset(tsocks_he_addr, 0, sizeof(tsocks_he_addr));
 
-	/* Copy resolved network byte order IP address. */
+	/* Copy network byte order IP address. */
 	memcpy(tsocks_he_addr, &ip, sizeof(tsocks_he_addr));
 
 	tsocks_he_addr_list[0] = tsocks_he_addr;
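Review bot: The copy length `sizeof(tsocks_he_addr)` on the memcpy line is bound only to the destination, while the bug being fixed was an over-read of the source `ip` (12 stack bytes past a 4-byte value, per the message); `ip` is declared outside this hunk, so nothing here guarantees the two sizes still agree. Adding `_Static_assert(sizeof(tsocks_he_addr) == sizeof(ip), "tsocks_he_addr must hold exactly one IPv4 address");` directly above the memcpy (C11; a build-time assert macro if the project targets C99) pins both sides and makes the original defect unreproducible. The hostent's `h_length`, presumably set further down, should likewise be `sizeof(tsocks_he_addr)` rather than a separate literal; I cannot see that line from here.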
diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h
index eddd0de..bcaf92b 100644
--- a/src/lib/torsocks.h
+++ b/src/lib/torsocks.h
@@ -112,7 +112,7 @@
  */
 extern struct hostent tsocks_he;
 extern char *tsocks_he_addr_list[2];
-extern char tsocks_he_addr[INET_ADDRSTRLEN];
+extern char tsocks_he_addr[4];
 extern char tsocks_he_name[255];
 
 #define LIBC_GETHOSTBYNAME_NAME gethostbyname




