This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] nss_dns: Enforce QDCOUNT == 1 in getnetby* implementation


* Florian Weimer:

> * DJ Delorie:
>
>> Florian Weimer <fweimer@redhat.com> writes:
>>> The stub resolver sends a query with one question record, so if
>>> the answer contains a different number, the DNS message is
>>> corrupted.
>>
>> The resolver now returns a different error code when question_count is
>> zero.  Is this intentional?  Does this need to be documented anywhere?
>
> Hmm.  I didn't realize we still have RES_INSECURE2 code.  By default, we
> call res_queriesmatch, which checks if the question count matches what
> we sent.  This is what I meant by “corrupted”: the libresolv code will
> discard the tentative response.
>
> Clearly we should remove the RES_INSECURE2 code, there really is no use
> for it.  And the RES_INSECURE1 check is ineffective because we use a
> connected UDP socket, so the kernel filters non-matching addresses and
> those packets never reach user space.

RES_INSECURE2 is now gone.  Is the nss_dns patch now okay?

Thanks,
Florian
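The matching rule discussed above (a reply must carry the transaction ID we sent and exactly the one question we asked, otherwise it is discarded), as an added illustration that is not glibc code and does not reproduce res_queriesmatch; the messages are constructed by hand, not captured traffic:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of matching a DNS reply against the single-question query we sent. */
enum dns_match {
    DNS_MATCH_OK = 0,
    DNS_MATCH_TRUNCATED = -1,    /* no complete 12-byte header */
    DNS_MATCH_NOT_RESPONSE = -2, /* QR bit clear: a query, not an answer */
    DNS_MATCH_ID_MISMATCH = -3,  /* transaction ID differs from what we sent */
    DNS_MATCH_BAD_QDCOUNT = -4   /* QDCOUNT is not the one question we sent */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Our own check in the spirit of the thread: QR set, same ID as the query,
   and QDCOUNT == 1 on both sides (the stub resolver only ever sends one question). */
int dns_match_reply(const unsigned char *q, size_t qlen,
                    const unsigned char *r, size_t rlen)
{
    if (qlen < 12 || rlen < 12) return DNS_MATCH_TRUNCATED;
    if ((r[2] & 0x80) == 0) return DNS_MATCH_NOT_RESPONSE;
    if (rd16(q) != rd16(r)) return DNS_MATCH_ID_MISMATCH;
    if (rd16(q + 4) != 1 || rd16(r + 4) != 1) return DNS_MATCH_BAD_QDCOUNT;
    return DNS_MATCH_OK;
}

/* Constructed messages: question section for example.com, type A, class IN. */
#define QSECTION 0x07,'e','x','a','m','p','l','e',0x03,'c','o','m',0x00, 0x00,0x01, 0x00,0x01
/* answer: compressed name pointer to offset 12, A, IN, TTL 3600, rdlength 4, 192.0.2.1 */
#define ASECTION 0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1
const unsigned char dns_query[]       = { 0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0, 0,0, QSECTION };
const unsigned char dns_reply_ok[]    = { 0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0,0, 0,0, QSECTION, ASECTION };
/* Same reply with QDCOUNT 0 (the case DJ raised): the name pointer at 0x0c no longer
   points at a question, which is why such a reply must be rejected outright. */
const unsigned char dns_reply_qd0[]   = { 0x12,0x34, 0x81,0x80, 0x00,0x00, 0x00,0x01, 0,0, 0,0, ASECTION };
const unsigned char dns_reply_badid[] = { 0x56,0x78, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0,0, 0,0, QSECTION };

int main(void)
{
    printf("good reply: %d\n", dns_match_reply(dns_query, sizeof dns_query, dns_reply_ok, sizeof dns_reply_ok));
    printf("qdcount 0:  %d\n", dns_match_reply(dns_query, sizeof dns_query, dns_reply_qd0, sizeof dns_reply_qd0));
    printf("wrong id:   %d\n", dns_match_reply(dns_query, sizeof dns_query, dns_reply_badid, sizeof dns_reply_badid));
    printf("truncated:  %d\n", dns_match_reply(dns_query, sizeof dns_query, dns_reply_ok, 5));
    return 0;
}
```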

