A serious security vulnerability — CVE-2023-31130 — was found in c-ares, a popular C library that handles asynchronous DNS requests. This bug involves a buffer underflow in the function ares_inet_net_pton() when it processes specially crafted IPv6 addresses. While the most common internal use case is safe, systems that use this function directly or via ares_set_sortlist() can be at real risk. This post breaks down what happened, shows some relevant code, and explains how to stay safe.
What is c-ares and What Went Wrong?
c-ares is used by applications and libraries—including some big names—for non-blocking DNS queries. As part of its feature set, c-ares provides a utility function called ares_inet_net_pton(), which is used to convert IPv4 or IPv6 in string format into a packed network address.
The vulnerability happens when certain IPv6 addresses are used—specifically those containing too many embedded zeroes like "::00:00:00/2". This can lead to code reading memory before the intended buffer (buffer underflow), causing possible crashes or, in rare cases, information leaks or code execution.
Where Does It Happen?
The function in question is mainly used for parsing configuration—administrators might trigger this problem if they set a dangerous address with ares_set_sortlist(). More critically, if your code uses ares_inet_net_pton() directly with untrusted user input, you’re exposed to a greater range of problems.
Technical Details: Inside the Vulnerability
Let’s take a simplified look at (part of) what went wrong, referencing the upstream commit that fixed it.
Original Problem in Code
// Inside ares_inet_net_pton(), simplified
for (; *src != '\'; src++)
{
if (colon_count++ > MAX_COLON)
{
// pointer arithmetic went wrong here
// leading to underflow
p--; // PAD: possibly moves before buf start
}
*p++ = x;
}
When parsing certain inputs, the code would decrease the p pointer one too many times, causing it to point *before* the start of the network buffer — a buffer underflow. This can mess up program state or trigger a crash.
You could trigger this bug like so
#include <ares.h>
int main(void) {
unsigned char buf[16];
// This IPv6 triggers the bug
const char *malicious_addr = "::00:00:00/2";
// 6 = AF_INET6, 16 = buffer len
int res = ares_inet_net_pton(6, malicious_addr, buf, 16);
// Check result, may crash or misbehave!
return res;
}
This example may result in reading memory from before buf, which is undefined behavior in C.
Impact: Who’s at Risk?
- System Admins: If you configure c-ares sortlists with odd IPv6 addresses via ares_set_sortlist(), c-ares processes them and could hit this bug.
- Developers: If your application calls ares_inet_net_pton() directly with user-controlled input (say, for parsing addresses from the network or config files), you might be exposed to more severe risks: crashes or, in worst cases, a path to remote code execution (if other exploitation conditions exist).
How to Fix It
The bug was fixed on May 10, 2023 in c-ares version 1.19.1.
Patch Commit: ae18bbedad43b2a2767cab5722ce327b9a283eea
Update c-ares to 1.19.1+ — This is the only reliable fix.
2. Validate Input: If you must support older versions, make sure not to pass malformed or attacker-controlled IPv6 strings to ares_inet_net_pton().
3. Audit Use: Review your codebase for any direct calls to this function or indirect usage (e.g., through configuration).
References
- c-ares Security Advisory for CVE-2023-31130
- Full Patch Commit
- GitHub Release: c-ares 1.19.1
- CVE Details
Summary
CVE-2023-31130 is a buffer underflow in c-ares' IPv6 address parsing function. Bad inputs like "::00:00:00/2" can crash your app, or worse, depending on usage. Upgrade to c-ares 1.19.1 or later, and be extremely cautious about processing strange network addresses, especially when those come from users or external configs.
Stay safe, and always keep your dependencies up to date!
Timeline
Published on: 05/25/2023 22:15:00 UTC
Last modified on: 06/26/2023 22:15:00 UTC