Fetched from gentoo glibc patchball
Original patch filename: 10_all_glibc-CVE-2015-7547.patch
Based on: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
- return NSS_STATUS_NOTFOUND;
+ *h_errnop = HOST_NOT_FOUND;
+ return NSS_STATUS_NOTFOUND;
while (ancount-- > 0 && cp < end_of_message && had_error == 0)
@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
/* Special case here: if the resolver sent a result but it only
contains a CNAME while we are looking for a T_A or T_AAAA record,
we fail with NOTFOUND instead of TRYAGAIN. */
- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+ *h_errnop = HOST_NOT_FOUND;
+ return NSS_STATUS_NOTFOUND;
+ *h_errnop = NETDB_INTERNAL;
+ return NSS_STATUS_TRYAGAIN;
@@ -1242,8 +1252,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
+ /* Use the second response status in some cases. */
if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
+ /* Do not return a truncated second response (unless it was
+ unavoidable e.g. unrecoverable TRYAGAIN). */
+ if (status == NSS_STATUS_SUCCESS
+ && (status2 == NSS_STATUS_TRYAGAIN
+ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
+ status = NSS_STATUS_TRYAGAIN;
@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
@@ -639,11 +639,7 @@ send_vc(res_state statp,
const HEADER *hp = (HEADER *) buf;
const HEADER *hp2 = (HEADER *) buf2;
- int orig_anssizp = *anssizp;
- // int anssiz = *anssizp;
- HEADER *anhp = (HEADER *) ans;