## DESCRIPTION ##

On my Fedora 10 i686 machine, was running valgrind to validate some code. Noticed that valgrind was complaining that there was use of an uninitialised value in a conditional inside glibc. Upon further investigation, it appears that the problem is within glibc itself. Using the simple test at the bottom of this report, I was able to reproduce the problem at will on my Fedora machine (which has glibc-2.9), but when I run the same code on my Ubuntu machine (which has glibc-2.8.90) the problem does not appear.

I did some digging into the glibc source (git revision d8f1d9bc9b34b21e322c8607511b40c0ef37038e) and think I have found the culprit. In sysdeps/posix/getaddrinfo.c in the function gaih_inet at line 709 you will see the following definition:

    int herrno;

and on line 720 you will see this value is used in a conditional but has not been explicitly initialized before so (I assume the call to fct4 implicitly initializes the value)

    if (status != NSS_STATUS_TRYAGAIN || rc != ERANGE || herrno != NETDB_INTERNAL)

Note, I am tagging this as p3 and Severity minor as the only issue this causes me is that valgrind complains. Assuming that it is possible that the herrno value is not being correctly initialized, then I would imagine this could warrant higher priority.

## SYSTEM INFO ##

    [elambert@doh glibc]$ cat /etc/redhat-release
    Fedora release 10 (Cambridge)
    [elambert@doh glibc]$ uname -a
    Linux doh 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon i386 GNU/Linux
    [elambert@doh glibc]$ ls -ld /lib/libc.so.6
    lrwxrwxrwx 1 root root 11 2009-03-14 19:15 /lib/libc.so.6 -> libc-2.9.so

## HOW TO REPRODUCE ##

1) compile the testgai.c test program (source included below)

    [elambert@doh test]$ cc testgai.c -o testgai

2) run the produced binary, using valgrind to check for memory conditions

    [elambert@doh test]$ /usr/bin/valgrind --leak-check=yes --show-reachable=yes ./testgai
    ==5208== Memcheck, a memory error detector.
    .....
    ==5208== Conditional jump or move depends on uninitialised value(s)
    ==5208==    at 0x9B1B23: gaih_inet (in /lib/libc-2.9.so)
    ==5208==    by 0x9B3906: getaddrinfo (in /lib/libc-2.9.so)
    ==5208==    by 0x8048486: main (in /home/elambert/test/testgai)

Note, if you change the testgai.c program so that the host value used by getaddrinfo is not an entry in /etc/hosts, or if you just comment out all entries in /etc/hosts and then run the binary, this issue does *not* appear.

## SOURCE ##

    [elambert@doh test]$ cat testgai.c
    #include <netdb.h>
    #include <string.h>

    main ()
    {
      struct addrinfo *ai;
      struct addrinfo hints;
      int e;

      memset(&hints, 0, sizeof(hints));
      hints.ai_family= PF_UNSPEC;
      hints.ai_socktype= SOCK_STREAM;
      hints.ai_protocol= IPPROTO_TCP;
      e= getaddrinfo("localhost", "11211", &hints, &ai);
      freeaddrinfo(ai);
    }

You'll have to say what NSS modules are used? Run your test program on your machine using LD_DEBUG=files in the environment?
I can't reproduce this locally either. The code should be correct since gethostbyname4_r() is obliged to set h_errno in case it returns error (and if it doesn't return error, we will never get to this code branch).
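
The contract stated in the last comment (the lookup function must set its h_errno out-parameter whenever it returns an error) can be modelled in a few lines of C. This is an added example, not part of the original report and not glibc code; it shows a caller that gives herrno a defined value before each call, so the quoted condition stays deterministic even when a callee breaks the contract. The names lookup_fn, lookup_ok, lookup_buggy and resolve, and the retry loop placed around the condition, are assumptions made for illustration.

```c
/* Added example, not glibc code: all names here are hypothetical. */
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>

#ifndef NETDB_INTERNAL          /* hidden under strict -std=; glibc uses -1 */
#define NETDB_INTERNAL (-1)
#endif

enum lookup_status { LOOKUP_SUCCESS, LOOKUP_TRYAGAIN };
typedef enum lookup_status (*lookup_fn)(size_t buflen, int *errnop, int *herrnop);

/* Obeys the contract: on error it sets both out-parameters. */
static enum lookup_status lookup_ok(size_t buflen, int *errnop, int *herrnop)
{
    if (buflen < 64) {          /* constructed "buffer too small" case */
        *errnop = ERANGE;
        *herrnop = NETDB_INTERNAL;
        return LOOKUP_TRYAGAIN;
    }
    return LOOKUP_SUCCESS;      /* success: out-parameters left untouched */
}

/* Breaks the contract: returns an error but never writes *herrnop. */
static enum lookup_status lookup_buggy(size_t buflen, int *errnop, int *herrnop)
{
    (void)buflen; (void)herrnop;
    *errnop = ERANGE;
    return LOOKUP_TRYAGAIN;
}

/* Grows the buffer while the callee reports TRYAGAIN/ERANGE/NETDB_INTERNAL.
   Returns the buffer size that worked, or 0 if the lookup failed. */
static size_t resolve(lookup_fn fn, size_t buflen)
{
    for (;;) {
        int rc = 0, herrno = 0; /* defined values before every call */
        enum lookup_status st = fn(buflen, &rc, &herrno);
        if (st != LOOKUP_TRYAGAIN || rc != ERANGE || herrno != NETDB_INTERNAL)
            return st == LOOKUP_SUCCESS ? buflen : 0;
        buflen *= 2;
    }
}

int main(void)
{
    printf("ok callee: %zu, buggy callee: %zu\n",
           resolve(lookup_ok, 16), resolve(lookup_buggy, 16));
    return 0;
}
```

Without the initialiser in resolve, the lookup_buggy case would read an indeterminate herrno in the condition, which is the class of read that valgrind's Memcheck reports as a conditional jump depending on uninitialised values.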