authorusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-02-17 08:48:18 +0000
committerusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-02-17 08:48:18 +0000
commita2279999c7cd8755f357cde80ec61c422b0f0815 (patch)
tree7fba11e8e1f1e56e4d98e0f8765a50af9792720f
parentb1b04e8179c9ed0fdca5b094efac01c6a31a76db (diff)
merge revision(s) 49543,49557: [Backport #10854]
* ext/socket/getaddrinfo.c (get_addr): reject too long hostname to get rid of GHOST vulnerability on very old platforms. * ext/socket/raddrinfo.c (make_hostent_internal): ditto, paranoic check for the canonical name. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@49624 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog8
-rw-r--r--ext/socket/getaddrinfo.c1
-rw-r--r--ext/socket/raddrinfo.c3
-rw-r--r--version.h8
4 files changed, 15 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index c096a9cb8e..f2059d097d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+Tue Feb 17 17:37:14 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * ext/socket/getaddrinfo.c (get_addr): reject too long hostname to
+ get rid of GHOST vulnerability on very old platforms.
+
+ * ext/socket/raddrinfo.c (make_hostent_internal): ditto, paranoic
+ check for the canonical name.
+
Fri Jan 30 16:49:15 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
* object.c: [DOC] Revise documentation by Marcus Stollsteimer at
diff --git a/ext/socket/getaddrinfo.c b/ext/socket/getaddrinfo.c
index aa966b3c52..c03dd601ff 100644
--- a/ext/socket/getaddrinfo.c
+++ b/ext/socket/getaddrinfo.c
@@ -589,6 +589,7 @@ get_addr(const char *hostname, int af, struct addrinfo **res, struct addrinfo *p
} else
hp = getipnodebyname(hostname, af, AI_ADDRCONFIG, &h_error);
#else
+ if (strlen(hostname) >= NI_MAXHOST) ERR(EAI_NODATA);
hp = gethostbyname((char*)hostname);
h_error = h_errno;
#endif
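Review bot: The added length check before `gethostbyname()` in the `#else` branch has no comment, so nothing at the call site marks it as a security mitigation rather than ordinary validation, and a later cleanup could drop it as redundant. I would put `/* GHOST: reject over-long names before they reach a possibly vulnerable gethostbyname() */` directly above it. `hostname` goes to `strlen()` unguarded; get_addr starts and ends outside the hunk, so whether a NULL hostname can reach this line cannot be confirmed from here and is worth checking against the callers.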
diff --git a/ext/socket/raddrinfo.c b/ext/socket/raddrinfo.c
index 9015a75ab7..afe5b6da34 100644
--- a/ext/socket/raddrinfo.c
+++ b/ext/socket/raddrinfo.c
@@ -501,7 +501,8 @@ make_hostent_internal(struct hostent_arg *arg)
}
rb_ary_push(ary, rb_str_new2(hostp));
- if (addr->ai_canonname && (h = gethostbyname(addr->ai_canonname))) {
+ if (addr->ai_canonname && strlen(addr->ai_canonname) < NI_MAXHOST &&
+ (h = gethostbyname(addr->ai_canonname))) {
names = rb_ary_new();
if (h->h_aliases != NULL) {
for (pch = h->h_aliases; *pch; pch++) {
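Review bot: An over-long `addr->ai_canonname` now silently takes the same path as a failed lookup, because the new `strlen(addr->ai_canonname) < NI_MAXHOST` term just makes the condition false. The code for that case lies outside the hunk, so it is worth confirming that it does not use the canonical name in a way that assumes the lookup was attempted. A short comment such as `/* skip the alias lookup for over-long names (GHOST); treated like a lookup failure */` would record the intent. The same bound is also written with the opposite sense in get_addr in getaddrinfo.c; a shared predicate in a common ext/socket header would keep the two call sites in agreement, if one is available to both files.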
diff --git a/version.h b/version.h
index cfa84bda74..7515e891af 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
#define RUBY_VERSION "2.0.0"
-#define RUBY_RELEASE_DATE "2015-01-30"
-#define RUBY_PATCHLEVEL 630
+#define RUBY_RELEASE_DATE "2015-02-17"
+#define RUBY_PATCHLEVEL 631
#define RUBY_RELEASE_YEAR 2015
-#define RUBY_RELEASE_MONTH 1
-#define RUBY_RELEASE_DAY 30
+#define RUBY_RELEASE_MONTH 2
+#define RUBY_RELEASE_DAY 17
#include "ruby/version.h"