In ns_name_ntop, the NS_CMPRSFLGS check is no longer needed because
labellen (called earlier) already rejects everything which is not
a plain label (compression references and extended label types).
Previously, we allocated room in the result space before the check,
leaving uninitialized data there in case the check failed.
This also consolidates the behavior between single (A or AAAA) and
dual (A and AAAA in parallel) queries. Single queries checked
the record length against the QTYPE, not the RRTYPE.
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.htmlhttps://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
DNSSEC defines a number of response types that one me expect when the
DO bit is set. We don't process any of them, but since we do allow
setting the DO bit, skip them without logging an error since it is
only a nuisance.
Tested on x86_64.
[BZ #14841]
* resolv/gethnamaddr.c (getanswer): Skip logging if
RES_USE_DNSSEC is set.
* resolv/nss_dns/dns-host.c (getanswer_r): Likewise.
The code in gethnamaddr.c for gethostbyaddr used and set this macro to
allow multiple PTR records to be added as aliases. This was useful
for gethostbyaddr since it returns a hostent structure, which can
return aliases.
The gethnamaddr.c source however is unused in glibc since pretty much
forever. Instead, the DNS lookup bits for gethostbyaddr (as well as
getnameinfo) are implemented in dns-hosts.c and in that implementation
all but one (the first one) of the multiple PTR records are ignored.
Since gethnamaddr.c is essentially dead code, ignore that
implementation and replace the MULTI_PTRS_ARE_ALIASES bit with a
comment mentioning that bind adds PTR records as aliases while we
don't.
limit
[BZ #14307]
* sysdeps/posix/getaddrinfo.c (gaih_inet): Increase the size of
the temporary buffer used to invoke __gethostbyname2_r,
__gethostbyaddr_r and gethostbyname4_r to make room for struct
host_data / struct gaih_addrtuple.
* resolv/nss_dns/dns-host.c (global scope): Move definition of
implementation constants MAX_NR_ALIASES and MAX_NR_ADDRS to
header file nss/nsswitch.h.
* nss/nsswitch.h (global scope): Add definition of implementation
constants MAX_NR_ALIASES and MAX_NR_ADDRS (moved from
resolv/nss_dns/dns-host.c).
[BZ #13928] A DNS request consists of multiple resources combined into
a single hostent, including multiple CNAME records that may have been
assigned different TTL values. In such a case, nscd should take the
least TTL among all of the resources as the timeout for the hostent
before it is reloaded in its cache so that the hostent remains stale
in the database for the least amount of time.
With big DNS answers like the one you get for goodtimesdot.com you can
get a truncated address list if IPv6 mapping is enabled. Instead tell
the caller to resize the buffer.
ESRCH return value.
(_nss_dns_gethostbyname4_r): Likewise.
* resolv/res_init.c (__res_vinit): Initialize nscount to zero.
* sysdeps/posix/getaddrinfo.c (gaih_inet): In case we use
gethostbyname4_r, we don't have a separate IPv6 status, so copy
the no_data variable.
