deps: cherry-pick 0d252eb from upstream c-ares

Original commit message: If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR c-ares/c-ares#257 Fixes: c-ares/c-ares#371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352) Refs: https://github.com/nodejs/node/issues/36063 Signed-off-by: Michael Dawson <mdawson@devrus.com> CVE-ID: CVE-2020-8277 PR-URL: nodejs-private/node-private#231 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
nodejs · Nov 15, 2020 · 2a44836 · 2a44836
1 parent df21120
commit 2a44836
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/deps/cares/src/ares_parse_a_reply.c b/deps/cares/src/ares_parse_a_reply.c
@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
 
   if (naddrttls)
     {
-      *naddrttls = naddrs;
+      /* Truncated to at most *naddrttls entries */
+      *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
     }
 
   ares__freeaddrinfo_cnames(ai.cnames);

diff --git a/deps/cares/src/ares_parse_aaaa_reply.c b/deps/cares/src/ares_parse_aaaa_reply.c
@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
 
   if (naddrttls)
     {
-      *naddrttls = naddrs;
+      /* Truncated to at most *naddrttls entries */
+      *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
     }
 
   ares__freeaddrinfo_cnames(ai.cnames);