Bug 31025 - infinite loop in sortlist handling
Summary: infinite loop in sortlist handling
Status: UNCONFIRMED
Alias: None
Product: glibc
Classification: Unclassified
Component: network (show other bugs)
Version: 2.40
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-01 21:43 UTC by Joshua Rogers
Modified: 2023-11-02 10:07 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
joshua: security?


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Joshua Rogers 2023-11-01 21:43:07 UTC
Hi there,

I have found an infinite loop in resolv's handling of the "sortlist" option.

The issue resides in resolv/res_init.c:


              while (true)
                {
                  while (*cp == ' ' || *cp == '\t')
                    cp++;
                  if (*cp == '\0' || *cp == '\n' || *cp == ';')
                    break;
                  char *net = cp;
                  while (*cp && !is_sort_mask (*cp) && *cp != ';'
                         && isascii (*cp) && !isspace (*cp))
                    cp++;
                  char separator = *cp;
                  *cp = 0;
                  struct resolv_sortlist_entry e;
                  if (__inet_aton (net, &a))
                    {
                      [..]
                    }
                  *cp = separator;
                }

If __inet_aton() returns false, the value of the sortlist option is repeatedly tried over and over, leading to an infinite loop.

A quick example: printf "sortlist 192.0\3212.0" >> /etc/resolv.conf ; ping example.com

Setting this option on some type of embedded devices (think: switches, modems, BMCs, and so on, which likely have some type of option to change /etc/resolv.conf) will likely be completely bricked after a reboot. Any call to res_init either implicitly or explicitly will hang forever.

I'm not sure the best fix here, as it's not obvious to me whether invalid sortlist values are "allowed" (in the sense that they are skipped and processing continues if there is still other values), or one invalid value negates the whole line.


Cheers,
Josh