fix CVE-2022-4904

(cherry picked from commit ee24eb41af640bacd403439aa2085601be76c449)

backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch

@@ -0,0 +1,62 @@
+From ac596026e77244481fd68736ae7f15855803a08a Mon Sep 17 00:00:00 2001
+From: hopper-vul <hopper.vul@gmail.com>
+Date: Tue, 13 Dec 2022 19:54:21 +0800
+Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Signed-off-by: hopper-vul <hopper.vul@gmail.com>
+---
+ ares_init.c            | 4 ++++
+ test/ares-test-init.cc | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/ares_init.c b/ares_init.c
+index dffa518..e1fa82f 100644
+--- a/ares_init.c
++++ b/ares_init.c
+@@ -2210,6 +2210,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2218,6 +2220,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
+index ff6c6c6..c3cb948 100644
+--- a/test/ares-test-init.cc
++++ b/test/ares-test-init.cc
+@@ -270,6 +270,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
+
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
+--
+2.33.0

c-ares.spec

@@ -1,6 +1,6 @@
 Name:           c-ares
 Version:        1.16.1
-Release:        3
+Release:        4
 Summary:        A C library for asynchronous DNS requests
 
 License:        MIT
@@ -16,6 +16,7 @@ Patch3:         0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
 Patch4:         CVE-2020-8277.patch
 Patch5:         backport-001-CVE-2021-3672.patch
 Patch6:         backport-002-CVE-2021-3672.patch
+Patch7:         backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
 which need to perform DNS queries without blocking, or need to perform multiple
@@ -58,6 +59,12 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 
 %changelog
+* Fri Feb 10 2023 xingwei <xingwei14@h-partners.com> - 1.16.1-4
+- Type:cves
+- CVE:CVE-2022-4904
+- SUG:NA
+- DESC:fix CVE-2022-4904
+
 * Thu Aug 12 2021 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-3
 - fix CVE-2021-3672