This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] resolv: Always initialize *resplen2 out parameter [BZ #19791]

From: Aurelien Jarno <aurelien at aurel32 dot net>
To: Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Fri, 11 Mar 2016 17:41:14 +0100
Subject: Re: [PATCH] resolv: Always initialize *resplen2 out parameter [BZ #19791]
Authentication-results: sourceware.org; auth=none
References: <56E2DD9B dot 3060803 at redhat dot com>

On 2016-03-11 16:00, Florian Weimer wrote:
> Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
> second fallback mode for DNS requests), there is a code path
> which returns early, before *resplen2 is initialized.  This
> happens if the name server address is immediately recognized
> as invalid (because of lack of protocol support, or if it is
> a broadcast address such 255.255.255.255, or another invalid
> address).
> 
> If this happens and *resplen2 was non-zero (which is the case
> if a previous query resulted in a failure), __libc_res_nquery
> would reuse an existing second answer buffer.  This answer
> has been previously identified as unusable (for example,
> it could be an NXDOMAIN response).  Due to the presence of
> a second answer, no name server switching will occur.  The
> result is a name resolution failure, although a successful
> resolution would have been possible if name servers have
> been switched and queries had proceeded along the search path.
> 
> The above paragraph still simplifies the situation.  Before
> glibc 2.23, if the second answer needed malloc, the stub
> resolver would still attempt to reuse the second answer,
> but this is not possible because __libc_res_nsearch has freed
> it, after the unsuccessful call to __libc_res_nquerydomain,
> and set the buffer pointer to NULL.  This eventually leads to
> an assertion failure in __libc_res_nquery:
> 
> 	/* Make sure both hp and hp2 are defined */
> 	assert((hp != NULL) && (hp2 != NULL));
> 
> If assertions are disabled, the consequence is a NULL pointer
> dereference on the next line.
> 
> Starting with glibc 2.23, as a result of commit
> e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547:
> getaddrinfo() stack-based buffer overflow (Bug 18665)),
> the second answer is always allocated with malloc.  This means
> that the assertion failure happens with small responses as well
> because there is no buffer to reuse, as soon as there is a
> name resolution failure which triggers a search for an answer
> along the search path.
> 
> I've also attached a revised test case (for the existing out-of-tree
> test framework).

Thanks for your analysis and your patch. It actually matches a failure
reported by a Debian user, which I was unable to reproduce so far:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816669

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Follow-Ups:
- Re: [PATCH] resolv: Always initialize *resplen2 out parameter [BZ #19791]
  - From: Florian Weimer

References:
- [PATCH] resolv: Always initialize *resplen2 out parameter [BZ #19791]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]