ruby-changes:37462
From: nobu <ko1@a...>
Date: Sun, 8 Feb 2015 13:04:41 +0900 (JST)
Subject: [ruby-changes:37462] nobu:r49543 (trunk): getaddrinfo.c: GHOST vulnerability check
nobu 2015-02-08 13:04:32 +0900 (Sun, 08 Feb 2015) New Revision: 49543 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49543 Log: getaddrinfo.c: GHOST vulnerability check * ext/socket/getaddrinfo.c (get_addr): reject too long hostname to get rid of GHOST vulnerability on very old platforms. * ext/socket/raddrinfo.c (make_hostent_internal): ditto, paranoic check for the canonnical name. Modified files: trunk/ChangeLog trunk/ext/socket/getaddrinfo.c trunk/ext/socket/raddrinfo.c Index: ChangeLog =================================================================== --- ChangeLog (revision 49542) +++ ChangeLog (revision 49543) @@ -1,3 +1,11 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Sun Feb 8 13:04:25 2015 Nobuyoshi Nakada <nobu@r...> + + * ext/socket/getaddrinfo.c (get_addr): reject too long hostname to + get rid of GHOST vulnerability on very old platforms. + + * ext/socket/raddrinfo.c (make_hostent_internal): ditto, paranoic + check for the canonnical name. + Sun Feb 8 12:48:38 2015 Nobuyoshi Nakada <nobu@r...> * ext/win32/lib/win32/registry.rb (Win32::Registry::API): use wide Index: ext/socket/raddrinfo.c =================================================================== --- ext/socket/raddrinfo.c (revision 49542) +++ ext/socket/raddrinfo.c (revision 49543) @@ -617,7 +617,8 @@ make_hostent_internal(struct hostent_arg https://github.com/ruby/ruby/blob/trunk/ext/socket/raddrinfo.c#L617 } rb_ary_push(ary, rb_str_new2(hostp)); - if (addr->ai_canonname && (h = gethostbyname(addr->ai_canonname))) { + if (addr->ai_canonname && strlen(addr->ai_canonname) < NI_MAXHOST && + (h = gethostbyname(addr->ai_canonname))) { names = rb_ary_new(); if (h->h_aliases != NULL) { for (pch = h->h_aliases; *pch; pch++) { Index: ext/socket/getaddrinfo.c =================================================================== --- ext/socket/getaddrinfo.c (revision 49542) +++ ext/socket/getaddrinfo.c (revision 49543) @@ -593,6 +593,7 @@ get_addr(const char *hostname, int af, s https://github.com/ruby/ruby/blob/trunk/ext/socket/getaddrinfo.c#L593 } else hp = getipnodebyname(hostname, af, AI_ADDRCONFIG, &h_error); #else + if (strlen(hostname) >= NI_MAXHOST) ERR(EAI_NODATA); hp = gethostbyname((char*)hostname); h_error = h_errno; #endif -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/