The bufsize on current Linux build is:
size_t bufsize = (type == 439963904 ? 2 : 1) * (12 + 4 + 255 + 1);
So with upper bound as 544 (2 * (12 + 4 + 255 + 1)). However, it might
increase to 2 * PACKETSIZE later with malloc. The default scratch_buffer
should fullfill the most usual allocation requirement.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Joe Simmons-Talbott <josimmon@redhat.com>
The structure HEADER is normally aligned to a word boundary but
sometimes it needs to be accessed when aligned on a byte boundary.
This change defines a new typedef, UHEADER, with alignment 1.
It is used to ensure the fields are accessed with byte loads and
stores when necessary.
V4: Change to res_mkquery.c deleted. Small whitespace fix.
V5: Move UHEADER typedef to resolv/resolv-internal.h. Replace all
HEADER usage with UHEADER in resolv/res_send.c.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Replace a call to sprintf with an equivalent pair of stpcpy/strcpy calls
to avoid a GCC 12 -Wformat-overflow false positive due to recent optimizer
improvements.
This switches to public symbols without __ prefixes, due to improved
namespace management in glibc.
The script was used with --no-new-version to move the symbols
__res_nquery, __res_nquerydomain, __res_nsearch, __res_query,
__res_querydomain, __res_search, res_query, res_querydomain,
res_search. The public symbols res_nquery, res_nquerydomain,
res_nsearch, res_ownok, res_query, res_querydomain, res_search
were added with make update-all-abi.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
These deprecated symbols continue to be exported from libresolv.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
And reformat it to GNU style. Remove the unecessary setbuf call.
Use __fgets_unlocked for PLT avoidance; no locking is required here.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
But only as an internal symbol, __libc_ns_samename. The libresolv
ABI is preserved. This is because the function is deprecated, and
it does not make sense to add new symbol versions for deprecated
functions.
Also reformat the implementation to GNU style.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
This change uses the extended resolver state in struct resolv_conf to
store the search list. If applications have not patched the _res
object directly, this extended search list will be used by the stub
resolver during name resolution.
struct resolv_context objects provide a temporary resolver context
which does not change during a name lookup operation. Only when the
outmost context is created, the stub resolver configuration is
verified to be current (at present, only against previous res_init
calls). Subsequent attempts to obtain the context will reuse the
result of the initial verification operation.
struct resolv_context can also be extended in the future to store
data which needs to be deallocated during thread cancellation.
EDNS is disabled by default (so there is interoperability issue), and
the fallback code is problematic because it prevents an application
from obtaining DNSSEC data after a FORMERR response.
The RES_F_* constants are only used with the private _res._flags
member. RES_EXHAUSTIVE is unused. The removed function
declarations refer to functions not actually exported by glibc,
so they are unusable by applications.
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.htmlhttps://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
This should only happen if the domain to search is the root,
represented as "." rather than by an empty string. Skipping it here
prevents libc_res_nquerydomain from duplicating the trailing dot,
which would cause the domain name compression to fail.
for ChangeLog
[BZ #16469]
* resolv/res_query.c (__libc_res_nsearch): Skip leading dot in
search domain names.
If we drop it here, we will fail to detect a duplicate trailing dot
later on. Retaining, OTOH, has no ill effects whatsoever, and it even
saves us the trouble of copying the domain name minus the trailing
dot, like we used to do.
for ChangeLog
[BZ #16469]
* NEWS: Update.
* resolv/res_query.c (__libc_res_nquerydomain): Retain
trailing dot.
* posix/tst-getaddrinfo5.c: New.
* posix/Makefile (tests): Add it.
There was a typo in the previous patch due to which resplen2 was
checked for non-zero instead of the value at resplen2. Fix that and
improve the condition by checking resplen2 for non-NULL (instead of
answerp2) and also adding the check in a third place.
[Fixes BZ #14308, #12994, #13651]
AF_UNSPEC results in sending two queries in parallel, one for the A
record and the other for the AAAA record. If one of these is a
referral, then the query fails, which is wrong. It should return at
least the one successful response.
The fix has two parts. The first part makes the referral fall back to
the SERVFAIL path, which results in using the successful response.
There is a bug in that path however, due to which the second part is
necessary. The bug here is that if the first response is a failure
and the second succeeds, __libc_res_nsearch does not detect that and
assumes a failure. The case where the first response is a success and
the second fails, works correctly.
This condition is produced by buggy routers, so here's a crude
interposable library that can simulate such a condition. The library
overrides the recvfrom syscall and modifies the header of the packet
received to reproduce this scenario. It has two key variables:
mod_packet and first_error.
The mod_packet variable when set to 0, results in odd packets being
modified to be a referral. When set to 1, even packets are modified
to be a referral.
The first_error causes the first response to be a failure so that a
domain-appended search is performed to test the second part of the
__libc_nsearch fix.
The driver for this fix is a simple getaddrinfo program that does an
AF_UNSPEC query. I have omitted this since it should be easy to
implement.
I have tested this on x86_64.
The interceptor library source:
/* Override recvfrom and modify the header of the first DNS response to make it
a referral and reproduce bz #845218. We have to resort to this ugly hack
because we cannot make bind return the buggy response of a referral for the
AAAA record and an authoritative response for the A record. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdbool.h>
#include <endian.h>
#include <dlfcn.h>
#include <stdlib.h>
/* Lifted from resolv/arpa/nameser_compat.h. */
typedef struct {
unsigned id :16; /*%< query identification number */
#if BYTE_ORDER == BIG_ENDIAN
/* fields in third byte */
unsigned qr: 1; /*%< response flag */
unsigned opcode: 4; /*%< purpose of message */
unsigned aa: 1; /*%< authoritive answer */
unsigned tc: 1; /*%< truncated message */
unsigned rd: 1; /*%< recursion desired */
/* fields
* in
* fourth
* byte
* */
unsigned ra: 1; /*%< recursion available */
unsigned unused :1; /*%< unused bits (MBZ as of 4.9.3a3) */
unsigned ad: 1; /*%< authentic data from named */
unsigned cd: 1; /*%< checking disabled by resolver */
unsigned rcode :4; /*%< response code */
#endif
#if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN
/* fields
* in
* third
* byte
* */
unsigned rd :1; /*%< recursion desired */
unsigned tc :1; /*%< truncated message */
unsigned aa :1; /*%< authoritive answer */
unsigned opcode :4; /*%< purpose of message */
unsigned qr :1; /*%< response flag */
/* fields
* in
* fourth
* byte
* */
unsigned rcode :4; /*%< response code */
unsigned cd: 1; /*%< checking disabled by resolver */
unsigned ad: 1; /*%< authentic data from named */
unsigned unused :1; /*%< unused bits (MBZ as of 4.9.3a3) */
unsigned ra :1; /*%< recursion available */
#endif
/* remaining
* bytes
* */
unsigned qdcount :16; /*%< number of question entries */
unsigned ancount :16; /*%< number of answer entries */
unsigned nscount :16; /*%< number of authority entries */
unsigned arcount :16; /*%< number of resource entries */
} HEADER;
static int done = 0;
/* Packets to modify. 0 for the odd packets and 1 for even packets. */
static const int mod_packet = 0;
/* Set to true if the first request should result in an error, resulting in a
search query. */
static bool first_error = true;
static ssize_t (*real_recvfrom) (int sockfd, void *buf, size_t len, int flags,
struct sockaddr *src_addr, socklen_t *addrlen);
void
__attribute__ ((constructor))
init (void)
{
real_recvfrom = dlsym (RTLD_NEXT, "recvfrom");
if (real_recvfrom == NULL)
{
printf ("Failed to get reference to recvfrom: %s\n", dlerror ());
printf ("Cannot simulate test\n");
abort ();
}
}
/* Modify the second packet that we receive to set the header in a manner as to
reproduce BZ #845218. */
static void
mod_buf (HEADER *h, int port)
{
if (done % 2 == mod_packet || (first_error && done == 1))
{
printf ("(Modifying header)");
if (first_error && done == 1)
h->rcode = 3;
else
h->rcode = 0; /* NOERROR == 0. */
h->ancount = 0;
h->aa = 0;
h->ra = 0;
h->arcount = 0;
}
done++;
}
ssize_t
recvfrom (int sockfd, void *buf, size_t len, int flags,
struct sockaddr *src_addr, socklen_t *addrlen)
{
ssize_t ret = real_recvfrom (sockfd, buf, len, flags, src_addr, addrlen);
int port = htons (((struct sockaddr_in *) src_addr)->sin_port);
struct in_addr addr = ((struct sockaddr_in *) src_addr)->sin_addr;
const char *host = inet_ntoa (addr);
printf ("\n*** From %s:%d: ", host, port);
mod_buf (buf, port);
printf ("returned %zd\n", ret);
return ret;
}
2009-05-05 Aurelien Jarno <aurelien@aurel32.net>
[BZ #10128]
* resolv/res_query.c (__libc_res_nquery): If one query returns NOTIMP
or FORMERR and the other NOERROR, don't raise an error.
Use it instead of locally defined resplen2 variable.
(res_nsend): Adjust for __libc_res_nsend interface change.
(send_vc): Initialize *resplen2 if necessary. Read length of
package into an appropriately aligned variable. Store converted length
in new variable and use it appropriately.
Add branch prediction help.
* resolv/res_query.c (__libc_res_nquery): Take additional parameter
and pass it on to __libc_res_nsend. Adjust all callers.
(__libc_res_nsearch): Likewise.
(__libc_res_nqeurydomain): Likewise.
* resolv/nss_dns/dns-host.c: Adjust for __libc_res_nsearch interface
change.
(_nss_dns_gethostbyname4): Don't unconditionally allocate tmp array.
Define resplen2 variable and pass it to __libc_res_nsearch and then
to gaih_getanswer.
(getanswer_r): In case of incorrect DNS data don't overread buffer.
Add branch prediction.
(gaih_getanswer_slice): Likewise. Check for invalid data types.
(gaih_getanswer): Don't decode second slice if first one failed due
to a too small buffer. Don't let not found status of second
decoder shadow results of the first.
* resolv/gethnamaddr.c (gethostbyname2): Adjust for __libc_res_nsearch
and __libc_res_nquery interface changes
(gethostbyaddr): Adjust for __libc_res_nquery interface change.
* include/resolv.h: Adjust prototypes for __libc_res_nquery,
__libc_res_nsearch, and __libc_res_nsend.
* resolv/nss_dns/dns-canon.c: Adjust for __libc_res_nquery interface
change.
* resolv/nss_dns/dns-network.c: Adjust for __libc_res_nquery and
__libc_res_nsearch interface changes.
answer was too short don't try to read that answer's header.
* resolv/res_send.c (send_dg): In case of timeout and there are
two queries and one has been answered, return value indicating
success.
prototypes.
* include/arpa/nameser_compat.h: Define T_UNSPEC.
* nis/Versions (libnss_nis): Export _nss_nis_gethostbyname4_r.
(libnss_nisplus): Export _nss_nisplus_gethostbyname4_r.
* nis/nss_nis/nis-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_nis_gethostbyname4_r): New function.
* nis/nss_nisplus/nisplus-hosts.c (_nss_nisplus_parse_hostent):
Change to also handle af==AF_UNSPEC.
(get_tablename): New function. Use it to avoid duplication.
(_nss_nisplus_gethostbyname4_r): New function.
* nscd/aicache.c (addhstaiX): Use gethostbyname4_r function is
available.
* nss/Versions (libnss_files): Export _nss_files_gethostbyname4_r.
* nss/nss.h: Define struct gaih_addrtuple.
* nss/nss_files/files-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_files_gethostbyname4_r): New function.
* resolv/Versions (libnss_dns): Export _nss_dns_gethostbyname4_r.
* resolv/gethnmaddr.c: Adjust __libc_res_nsearch and __libc_res_nquery
calls.
* resolv/res_query.c (__libc_res_nquery): Take two additional
parameters for second answer buffer. Handle type=T_UNSPEC to mean
look up IPv4 and IPv6.
Change all callers.
* resolv/res_send.c (__libc_res_nsend): Take five aditional parameters
for an additional query and answer buffer. Pass to send_vc and
send_dg.
(send_vc): Send possibly two requests and receive two answers.
(send_dg): Likewise.
* resolv/nss_dns/dns-host.c: Adjust calls to __libc_res_nsearch and
__libc_res_nquery.
(_nss_dns_gethostbyname4_r): New function.
(gaih_getanswer_slice): Likewise.
(gaih_getanswer): Likewise.
* resolv/nss_dns/dns-canon.c (_nss_dns_getcanonname_r): Adjust
__libc_res_nquery call.
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyaddr_r): Likewise.
(_nss_dns_getnetbyname_r): Adjust __libc_res_nsearch call.
* sysdeps/posix/getaddrinfo.c: Use gethostbyname4_r function is
available.
* resolv/res_mkquery.c: Define __res_nopt.
* resolv/res_query.c (__libc_res_nquery): If RES_USE_EDNS0 is set
try adding EDNS0 record.
* resolv/res_send.c (send_dg): If request failed with FORMERR and
EDNS0 record was send make sure we don't try it again.
* resolv/resolv.h: Define RES_F_EDNS0ERR and RES_USE_EDNS0.
* include/resolv.h: Declare __res_nopt.
2006-05-06 Ulrich Drepper <drepper@redhat.com>
[BZ #2499]
* resolv/res_query.c (__libc_res_nquery): If answerp != NULL,
__libc_res_nsend might reallocate the buffer for the answer. In
this case we have to reload the HP pointer.
Update.
* elf/dl-load.c (_dl_map_object): If __RTLD_CALLMAP flag is set,
reset loader before the actual loading.
* elf/dl-open.c (dl_open_worker): If file name contains no path
element determine map of caller. Pass caller map in this case to
_dl_map_object. Set __RTLD_CALLMAP in mode.
* include/dlfcn.h (__RTLD_CALLMAP): Define. [BZ #116]
Patch by Greg Wolodkin <greg@mathworks.com>.
2002-10-15 Jakub Jelinek <jakub@redhat.com>
* include/resolv.h (__libc_res_nquery, __libc_res_nsearch,
__libc_res_nsend): New prototypes.
* resolv/res_query.c (QUERYSIZE): Define.
(__libc_res_nquery): Renamed from res_nquery. Added answerp
argument. Allocate only QUERYSIZE bytes first, if res_nmkquery
fails use MAXPACKET buffer. Call __libc_res_nsend instead of
res_nsend, pass answerp.
(res_nquery): Changed into wrapper around __libc_res_nquery.
(__libc_res_nsearch): Renamed from res_nsearch. Added answerp
argument. Call __libc_res_nquerydomain and __libc_res_nquery
instead of the non-__libc_ variants, pass them answerp.
(res_nsearch): Changed into wrapper around __libc_res_nsearch.
(__libc_res_nquerydomain): Renamed from res_nquerydomain.
Added answerp argument. Call __libc_res_nquery instead of
res_nquery, pass answerp.
(res_nquerydomain): Changed into wrapper around
__libc_res_nquerydomain.
* resolv/res_send.c: Include sys/ioctl.h.
(MAXPACKET): Define.
(send_vc): Change arguments. Reallocate answer buffer if it is
too small.
(send_dg): Likewise.
(__libc_res_nsend): Renamed from res_nsend. Added ansp argument.
Reallocate answer buffer if it is too small and hooks are in use.
Adjust calls to send_vc and send_dg.
(res_nsend): Changed into wrapper around __libc_res_nsend.
* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname2_r): Allocate
just 1K answer buffer on the stack, use __libc_res_nsearch instead
of res_nsearch.
(_nss_dns_gethostbyaddr_r): Similarly with __libc_res_nquery.
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyaddr_r): Likewise.
(_nss_dns_getnetbyname_r): Similarly with __libc_res_nsearch.
* resolv/gethnamaddr.c (gethostbyname2): Likewise.
(gethostbyaddr): Similarly with __libc_res_nquery.
* resolv/Versions (libresolv): Export __libc_res_nquery and
__libc_res_nsearch at GLIBC_PRIVATE.
2002-10-09 Ulrich Drepper <drepper@redhat.com>
* Versions.def (libc): Add GLIBC_2.3.1.
(libpthread): Add GLIBC_2.3.1.
* include/signal.h: Add libc_hidden_proto for __sigwait, __sigwaitinfo,
and __sigtimedwait.
* signal/Versions: Add __sigtimedwait, __sigwait, and __sigwaitinfo.
* sysdeps/unix/sysv/linux/sigtimedwait.c (__sigtimedwait): Add
libc_hidden_def.
* sysdeps/unix/sysv/linux/sigwait.c (__sigwait): Likewise.
* sysdeps/unix/sysv/linux/sigwaitinfo.c (__sigwaitinfo): Likewise.
* include/sys/msg.h: Declare __libc_msgrcv and __libc_msgsnd.
* sysdeps/unix/sysv/linux/msgrcv.c (__msgrcv): Rename to __libc_msgrcv
and make old name an alias.
* sysdeps/unix/sysv/linux/msgsnd.c (__msgsnd): Rename to __libc_msgsnd
and make old name an alias.
* sysvipc/Versions (libc) [GLIBC_PRIVATE]: Add __libc_msgrcv and
__libc_msgsnd.
* include/sys/uio.h: Declare __libc_readv and __libc_writev.
* misc/Versions (libc) [GLIBC_PRIVATE]: Add __libc_readv and
__libc_writev.
* sysdeps/generic/readv.c (__readv): Rename to __libc_readv and make
old name an alias.
* sysdeps/posix/readv.c: Likewise
* sysdeps/unix/sysv/aix/readv.c: Likewise.
* sysdeps/unix/sysv/linux/readv.c: Likewise.
* sysdeps/generic/writev.c (__writev): Rename to __libc_writev and make
old name an alias.
* sysdeps/posix/writev.c: Likewise
* sysdeps/unix/sysv/aix/writev.c: Likewise.
* sysdeps/unix/sysv/linux/writev.c: Likewise.
* include/sys/wait.h: Declare __waitid.
* posix/Versions (libc) [GLIBC_PRIVATE]: Add __waitid.
* sysdeps/generic/waitid.c (waitid): Rename to __waitid and make old
name an alias.
* sysdeps/posix/waitid.c: Likewise.
* sysdeps/unix/sysv/aix/waitid.c: Likewise.
* sysdeps/unix/sysv/linux/syscalls.list: Add creat syscall.
2002-10-07 Jakub Jelinek <jakub@redhat.com>
* include/alloca.h (__libc_use_alloca, __libc_alloca_cutoff): New
prototypes.
(__MAX_ALLOCA_CUTOFF): Define.
Include allocalim.h.
* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname2_r,
_nss_dns_gethostbyaddr_r): Use alloca or malloc to allocate
host_buffer depending on __libc_use_alloca.
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r,
_nss_dns_getnetbyaddr_r): Use alloca or malloc to allocate
net_buffer depending on __libc_use_alloca.
* resolv/res_query.c (res_nquery): Use alloca or malloc to allocate
buf depending on __libc_use_alloca.
* resolv/gethnamaddr.c (gethostbyname2, gethostbyaddr): Likewise.
* stdio-common/vfprintf.c (vfprintf): Use __libc_use_alloca
instead of hardcoded constants.
Pass proper size argument to alloca and compute end for wide char
version.
* stdio-common/printf_fp.c (__printf_fp): Use __libc_use_alloca
instead of hardcoded constants.
* string/strcoll.c (strcoll): Likewise.
* string/strxfrm.c (strxfrm): Likewise.
* sysdeps/posix/readv.c (__readv): Likewise.
* sysdeps/posix/writev.c (__writev): Likewise.
* sysdeps/generic/allocalim.h: New file.