Bug 31025

Summary: infinite loop in sortlist handling
Product: glibc Reporter: Joshua Rogers <joshua>
Component: networkAssignee: Not yet assigned to anyone <unassigned>
Status: UNCONFIRMED ---    
Severity: normal CC: drepper.fsp
Priority: P2 Flags: joshua: security?
Version: 2.40   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:

Description Joshua Rogers 2023-11-01 21:43:07 UTC
Hi there,

I have found an infinite loop in resolv's handling of the "sortlist" option.

The issue resides in resolv/res_init.c:


              while (true)
                {
                  while (*cp == ' ' || *cp == '\t')
                    cp++;
                  if (*cp == '\0' || *cp == '\n' || *cp == ';')
                    break;
                  char *net = cp;
                  while (*cp && !is_sort_mask (*cp) && *cp != ';'
                         && isascii (*cp) && !isspace (*cp))
                    cp++;
                  char separator = *cp;
                  *cp = 0;
                  struct resolv_sortlist_entry e;
                  if (__inet_aton (net, &a))
                    {
                      [..]
                    }
                  *cp = separator;
                }

If __inet_aton() returns false, the value of the sortlist option is repeatedly tried over and over, leading to an infinite loop.

A quick example: printf "sortlist 192.0\3212.0" >> /etc/resolv.conf ; ping example.com

Setting this option on some type of embedded devices (think: switches, modems, BMCs, and so on, which likely have some type of option to change /etc/resolv.conf) will likely be completely bricked after a reboot. Any call to res_init either implicitly or explicitly will hang forever.

I'm not sure the best fix here, as it's not obvious to me whether invalid sortlist values are "allowed" (in the sense that they are skipped and processing continues if there is still other values), or one invalid value negates the whole line.


Cheers,
Josh