[Bug 1945072] [NEW] getaddrinfo crashes on negative answers after Truncated retry

Christopher K Brown 1945072 at bugs.launchpad.net
Sat Sep 25 21:14:32 UTC 2021


Public bug reported:


Programs using getaddrinfo will segfault downstack of the call in limited circumstances.

We have limited this crash to a specific situation. Some of these
details may not be relevant to the problem but are included in case they
are:

- getaddrinfo makes two requests, A and AAAA, using UDP
- At least one of the replies to the two requests is truncated
- getaddrinfo makes two additional requests, A and AAAA, using TCP
- At least one of the replies to the two TCP requests has an empty answer section
  - For example, the response comes back with a REFUSED or SERVFAIL
  - Even a NOERROR with an empty answer section will cause this crash

Sample gai call:

  struct addrinfo* results;
  int ec = getaddrinfo(host.c_str(), "", nullptr, &results);


This is difficult to reproduce without being able to control the replies yourself, since downstream must give a negative answer on the TCP after answering the UDP. (This can happen; the downstream server can decide not to answer for any number of policy reasons.)

Using 18.04.5.  glibc version is 2.27.

** Affects: glibc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1945072
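
A triage aid for the conditions listed in the report, added here as an example and not part of the original bug report or of glibc: it reads the DNS header fields of a captured UDP reply and of the TCP reply to the retry, and checks for the truncated-then-empty-answer pattern. All function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Header fields (RFC 1035 section 4.1.1) that the report's conditions depend on. */
struct dns_flags {
    int is_response;   /* QR bit */
    int truncated;     /* TC bit */
    int rcode;         /* 0 NOERROR, 2 SERVFAIL, 5 REFUSED */
    unsigned ancount;  /* number of records in the answer section */
};

/* Parse the 12-byte header of a DNS message as carried in a UDP datagram. */
int parse_dns_header(const uint8_t *msg, size_t len, struct dns_flags *out)
{
    if (msg == NULL || out == NULL || len < 12)
        return -1;
    out->is_response = (msg[2] & 0x80) != 0;
    out->truncated = (msg[2] & 0x02) != 0;
    out->rcode = msg[3] & 0x0F;
    out->ancount = ((unsigned)msg[6] << 8) | msg[7];
    return 0;
}

/* DNS over TCP puts a 2-byte big-endian length in front of each message. */
int parse_dns_tcp_header(const uint8_t *buf, size_t len, struct dns_flags *out)
{
    if (buf == NULL || len < 2)
        return -1;
    size_t msg_len = ((size_t)buf[0] << 8) | buf[1];
    if (msg_len > len - 2)
        return -1;   /* capture is shorter than the declared message */
    return parse_dns_header(buf + 2, msg_len, out);
}

/* 1 if the pair matches the report: truncated UDP reply, then a TCP reply with no answers. */
int matches_reported_condition(const uint8_t *udp, size_t ulen, const uint8_t *tcp, size_t tlen)
{
    struct dns_flags u, t;
    if (parse_dns_header(udp, ulen, &u) != 0 || parse_dns_tcp_header(tcp, tlen, &t) != 0)
        return 0;
    return u.is_response && u.truncated && t.is_response && t.ancount == 0;
}
/* Constructed samples, header only: UDP reply with TC set; TCP REFUSED; TCP reply with 2 answers. */
const uint8_t SAMPLE_UDP_TC[12] = {0x12, 0x34, 0x83, 0x80, 0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t SAMPLE_TCP_REFUSED[14] = {0, 12, 0x12, 0x34, 0x81, 0x85, 0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t SAMPLE_TCP_ANSWER[14] = {0, 12, 0x12, 0x34, 0x81, 0x80, 0, 0, 0, 2, 0, 0, 0, 0};

int main(void)
{
    /* Exit status 0 when the constructed pair matches the reported pattern. */
    return !matches_reported_condition(SAMPLE_UDP_TC, 12, SAMPLE_TCP_REFUSED, 14);
}
```

The check keys on the answer count rather than the response code, since the report says a NOERROR reply with an empty answer section triggers the crash as well.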
