Bug 29305 - Inefficient buffer space usage in nss_dns for gethostbyname and other functions
Summary: Inefficient buffer space usage in nss_dns for gethostbyname and other functions
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: network
Version: unspecified
Importance: P2 normal
Target Milestone: 2.37
Assignee: Florian Weimer
Reported: 2022-06-30 11:56 UTC by Florian Weimer
Modified: 2022-09-21 18:01 UTC
fweimer: security-
Description Florian Weimer 2022-06-30 11:56:50 UTC
A typical response buffer looks like this:

00000000: e71b 0b01 0000 0000 141c 0b01 0000 0000  ................
00000010: 671c 0b01 0000 0000 0000 0000 0000 0000  g...............
00000020: 3a3a 3100 2020 2020 2020 2020 6c6f 6361  ::1.        loca
00000030: 6c68 6f73 7400 6c6f 6361 6c68 6f73 742e  lhost.localhost.
00000040: 6c6f 6361 6c64 6f6d 6169 6e00 6c6f 6361  localdomain.loca
00000050: 6c68 6f73 7436 006c 6f63 616c 686f 7374  lhost6.localhost
00000060: 362e 6c6f 6361 6c64 6f6d 6169 6e36 0000  6.localdomain6..
00000070: 561a 0b01 0000 0000 6c1a 0b01 0000 0000  V.......l.......
00000080: 771a 0b01 0000 0000 0000 0000 0000 0000  w...............
00000090: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000a0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000b0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000c0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000d0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000e0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000000f0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000100: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000110: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000120: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000130: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000140: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000150: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000160: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000170: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000180: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
00000190: d01c 0b01 0000 0000 0000 0000 0000 0000  ................
000001a0: 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
000001b0: 5858 5858 5858 5858 7777 772e 7265 6468  XXXXXXXXwww.redh
000001c0: 6174 2e63 6f6d 0077 7777 2e72 6564 6861  at.com.www.redha
000001d0: 742e 636f 6d00 6473 2d77 7777 2e72 6564  t.com.ds-www.red
000001e0: 6861 742e 636f 6d2e 6564 6765 6b65 792e  hat.com.edgekey.
000001f0: 6e65 7400 6473 2d77 7777 2e72 6564 6861  net.ds-www.redha
00000200: 742e 636f 6d2e 6564 6765 6b65 792e 6e65  t.com.edgekey.ne
00000210: 7400 6473 2d77 7777 2e72 6564 6861 742e  t.ds-www.redhat.
00000220: 636f 6d2e 6564 6765 6b65 792e 6e65 742e  com.edgekey.net.
00000230: 676c 6f62 616c 7265 6469 722e 616b 6164  globalredir.akad
00000240: 6e73 2e6e 6574 0064 732d 7777 772e 7265  ns.net.ds-www.re
00000250: 6468 6174 2e63 6f6d 2e65 6467 656b 6579  dhat.com.edgekey
00000260: 2e6e 6574 2e67 6c6f 6261 6c72 6564 6972  .net.globalredir
00000270: 2e61 6b61 646e 732e 6e65 7400 6533 3339  .akadns.net.e339
00000280: 362e 6473 6378 2e61 6b61 6d61 6965 6467  6.dscx.akamaiedg
00000290: 652e 6e65 7400 6533 3339 362e 6473 6378  e.net.e3396.dscx
000002a0: 2e61 6b61 6d61 6965 6467 652e 6e65 7400  .akamaiedge.net.
000002b0: 1700 57ba                                ..W.

This roughly corresponds to the following DNS packet:

; <<>> DiG 9.16.29-RH <<>> www.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: 278a93776c2c45bbf190f68462bd8e694ae55e8c652b2a09 (good)
;; QUESTION SECTION:
;www.redhat.com.			IN	A

;; ANSWER SECTION:
www.redhat.com.		300	IN	CNAME	ds-www.redhat.com.edgekey.net.
ds-www.redhat.com.edgekey.net. 15029 IN	CNAME	ds-www.redhat.com.edgekey.net.globalredir.akadns.net.
ds-www.redhat.com.edgekey.net.globalredir.akadns.net. 628 IN CNAME e3396.dscx.akamaiedge.net.
e3396.dscx.akamaiedge.net. 14	IN	A	23.0.87.186

;; Query time: 26 msec
;; MSG SIZE  rcvd: 229

There are a bunch of gaps that are never written (the /etc/hosts contents before the XXX and the XXX themselves). And the names of CNAME aliases are stored twice.

If gethostbyname_r starts out with a small buffer, this results in pointless extra DNS queries.
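The retry cost described in this report, as an added example that is not glibc's code: a hypothetical pack_host lays out hostent-style results the way the fix does, strings and addresses first and the pointer arrays last once their counts are known, and resolve_with_growth is the caller-side ERANGE growth loop used with gethostbyname_r, counting how many lookups a small initial buffer costs. The sample names and address are constructed from the dig output above; struct packed_host, pack_host and resolve_with_growth are assumed names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the hostent fields in the caller's buffer (not glibc's struct). */
struct packed_host { char *h_name; char **h_aliases; char **h_addr_list; };
/* Constructed sample: the CNAME chain and A record from the dig output above. */
static const char *const sample_names[] = {
    "e3396.dscx.akamaiedge.net", "www.redhat.com", "ds-www.redhat.com.edgekey.net",
    "ds-www.redhat.com.edgekey.net.globalredir.akadns.net" };
static const unsigned char sample_addrs[][4] = { { 23, 0, 87, 186 } };  /* IPv4, 4 bytes */

/* Copy names[0] (canonical), aliases and addresses into buf first, then lay out the
   two NULL-terminated pointer arrays after them, sized from the actual counts rather
   than a fixed worst case.  Returns 0, or ERANGE if buf is too small. */
static int pack_host(const char *const *names, size_t nnames,
                     const unsigned char (*addrs)[4], size_t naddrs,
                     char *buf, size_t buflen, struct packed_host *out) {
    size_t data = 4 * naddrs;                           /* bytes of strings + addresses */
    for (size_t i = 0; i < nnames; i++) data += strlen(names[i]) + 1;
    uintptr_t base = (uintptr_t) buf, mask = _Alignof(char *) - 1;
    uintptr_t arrays = (base + data + mask) & ~mask;    /* aligned start of pointer arrays */
    size_t need = (size_t) (arrays - base) + (nnames + naddrs + 1) * sizeof(char *);
    if (need > buflen) return ERANGE;                   /* caller must grow and retry */
    char **aliases = (char **) arrays, **addr_list = aliases + nnames;
    char *p = buf;
    for (size_t i = 0; i < nnames; i++, p += strlen(p) + 1) {
        strcpy(p, names[i]);
        if (i == 0) out->h_name = p; else aliases[i - 1] = p;
    }
    aliases[nnames - 1] = NULL;                         /* nnames-1 aliases + terminator */
    for (size_t i = 0; i < naddrs; i++, p += 4) { memcpy(p, addrs[i], 4); addr_list[i] = p; }
    addr_list[naddrs] = NULL;
    out->h_aliases = aliases; out->h_addr_list = addr_list;
    return 0;
}

/* Caller-side growth loop as used with gethostbyname_r: every ERANGE retry is a fresh
   lookup, which before the fix could mean another DNS query.  Returns the attempt
   count (0 on failure); *bufp receives the final buffer, which the caller frees. */
static int resolve_with_growth(size_t initial, struct packed_host *out, char **bufp) {
    char *buf = NULL, *nb;
    for (int attempt = 1; attempt <= 16 && (nb = realloc(buf, initial)) != NULL;
         attempt++, initial *= 2) {
        buf = nb;
        if (pack_host(sample_names, 4, sample_addrs, 1, buf, initial, out) == 0) { *bufp = buf; return attempt; }
    }
    free(buf);
    return 0;
}
```

With the sample data a 64-byte starting buffer needs three lookups before the result fits, which is the extra-query cost the report describes when each retry reaches the resolver.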
Comment 1 Sourceware Commits 2022-08-30 08:04:11 UTC
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d101d836e7e4bd1d4e4972b0e0bd0a55c9b650fa

commit d101d836e7e4bd1d4e4972b0e0bd0a55c9b650fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 30 10:02:49 2022 +0200

    nss_dns: Rewrite getanswer_r to match getanswer_ptr (bug 12154, bug 29305)
    
    Allocate the pointer arrays only at the end, when their sizes
    are known.  This addresses bug 29305.
    
    Skip over invalid names instead of failing lookups.  This partially
    fixes bug 12154 (for gethostbyname, fixing getaddrinfo requires
    different changes).
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Comment 2 Florian Weimer 2022-08-30 08:16:13 UTC
Fixed for glibc 2.37.
Comment 3 Sourceware Commits 2022-09-13 11:23:47 UTC
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=78c8ef21fa54e994451d5b42ead6080d99a88a49

commit 78c8ef21fa54e994451d5b42ead6080d99a88a49
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 30 10:02:49 2022 +0200

    nss_dns: Rewrite getanswer_r to match getanswer_ptr (bug 12154, bug 29305)
    
    Allocate the pointer arrays only at the end, when their sizes
    are known.  This addresses bug 29305.
    
    Skip over invalid names instead of failing lookups.  This partially
    fixes bug 12154 (for gethostbyname, fixing getaddrinfo requires
    different changes).
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit d101d836e7e4bd1d4e4972b0e0bd0a55c9b650fa)
Comment 4 Sourceware Commits 2022-09-13 11:24:13 UTC
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5d885617cec5713fdde42177398fe98acb66b7a2

commit 5d885617cec5713fdde42177398fe98acb66b7a2
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Sep 13 13:22:27 2022 +0200

    NEWS: Note bug 12154 and bug 29305 as fixed
Comment 5 Sourceware Commits 2022-09-20 11:07:35 UTC
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee74c14325a1d6577dd55cc314832d684ddecf68

commit ee74c14325a1d6577dd55cc314832d684ddecf68
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 30 10:02:49 2022 +0200

    nss_dns: Rewrite getanswer_r to match getanswer_ptr (bug 12154, bug 29305)
    
    Allocate the pointer arrays only at the end, when their sizes
    are known.  This addresses bug 29305.
    
    Skip over invalid names instead of failing lookups.  This partially
    fixes bug 12154 (for gethostbyname, fixing getaddrinfo requires
    different changes).
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit d101d836e7e4bd1d4e4972b0e0bd0a55c9b650fa)
Comment 6 Sourceware Commits 2022-09-21 18:01:25 UTC
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9abc40d9b514fc51cd1a052d32d092a827c6e21a

commit 9abc40d9b514fc51cd1a052d32d092a827c6e21a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 30 10:02:49 2022 +0200

    nss_dns: Rewrite getanswer_r to match getanswer_ptr (bug 12154, bug 29305)
    
    Allocate the pointer arrays only at the end, when their sizes
    are known.  This addresses bug 29305.
    
    Skip over invalid names instead of failing lookups.  This partially
    fixes bug 12154 (for gethostbyname, fixing getaddrinfo requires
    different changes).
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit d101d836e7e4bd1d4e4972b0e0bd0a55c9b650fa)