git: 2696f9be7ff6 - stable/13 - libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

From: Jessica Clarke <jrtc27_at_FreeBSD.org>
Date: Fri, 30 Jan 2026 01:19:03 UTC
The branch stable/13 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=2696f9be7ff6d89b62b8c47c0c315e8a67d0e994

commit 2696f9be7ff6d89b62b8c47c0c315e8a67d0e994
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2026-01-27 21:44:39 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2026-01-30 01:17:53 +0000

    libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
    
    If net is all-zero, the loop to extract all leading non-zero octets will
    iterate zero times and leave nn with the value 4, which the following
    switch statement to initialise qbuf does not handle. As a result,
    _dns_getnetbyaddr will look up the PTR record for this uninitialised
    string, which will leak the pre-existing contents of that stack memory
    to the DNS resolver and, if remote and not otherwise protected, network.
    
    Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
    to enable the "dns" source for the "networks" database, which is not the
    default configuration in FreeBSD.
    
    For glibc this same bug, in code also derived from BIND's, was issued
    CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
    which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
    will return NS_UNAVAIL instead, which may or may not make more sense,
    but in general glibc compatibility tends to cause less friction when
    there's not a good reason to avoid it.
    
    Reviewed by:    markj (secteam)
    Fixes:          1363f04ce1b8 ("get* rework and new bind code")
    MFC after:      1 day
    Security:       Same bug as glibc's CVE-2026-0915
    
    (cherry picked from commit 331316b073505e4794754af1cd0c5ccc578a2bde)
---
 lib/libc/net/getnetbydns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c
index c2a8310e4172..9cf5f545a542 100644
--- a/lib/libc/net/getnetbydns.c
+++ b/lib/libc/net/getnetbydns.c
@@ -308,6 +308,9 @@ _dns_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 	for (nn = 4, net2 = net; net2; net2 >>= 8)
 		netbr[--nn] = net2 & 0xff;
 	switch (nn) {
+	case 4: 	/* net was all-zero i.e. 0.0.0.0 */
+		sprintf(qbuf, "0.0.0.0.in-addr.arpa");
+		break;
 	case 3: 	/* Class A */
 		sprintf(qbuf, "0.0.0.%u.in-addr.arpa", netbr[3]);
 		break;
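
Review bot: The added `case 4` arm covers only the one value the commit message identifies, and no `default` arm is visible in this hunk, so qbuf is initialised only as long as every value of nn is enumerated by hand. Consider also adding a `default` that fails the lookup (the message notes NetBSD returns NS_UNAVAIL for this input), or setting `qbuf[0] = '\0'` before `switch (nn)`, so that an unhandled value can never again put stack contents into a PTR query. A smaller style point on the same arm: `sprintf(qbuf, "0.0.0.0.in-addr.arpa")` has no conversions, so a plain bounded string copy would state the intent more directly, although sprintf does match the neighbouring arms. A regression test that calls getnetbyaddr(0, AF_INET) with the "dns" source enabled for "networks" would help keep this path covered.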