[Bug 1945072] Re: getaddrinfo crashes on negative answers after Truncated retry

Florian Weimer 1945072 at bugs.launchpad.net
Wed Sep 29 10:19:15 UTC 2021


I tried to replicate it with this patch to the test suite:

diff --git a/resolv/tst-bug18665-tcp.c b/resolv/tst-bug18665-tcp.c
index 9b1ff0fbd8..e8e0d12bb7 100644
--- a/resolv/tst-bug18665-tcp.c
+++ b/resolv/tst-bug18665-tcp.c
@@ -47,6 +47,41 @@ response (const struct resolv_response_context *ctx,
       struct resolv_response_flags flags = {.tc = true};
       resolv_response_init (b, flags);
       resolv_response_add_question (b, qname, qclass, qtype);
+
+      if (qtype == T_A)
+        {
+          resolv_response_section (b, ns_s_an);
+          resolv_response_open_record (b, qname, qclass, T_CNAME, 600);
+          const char *alias = "somewhat.longish.cname.example";
+          resolv_response_add_name (b, alias);
+          resolv_response_close_record (b);
+
+          for (int i = 0; i < 35; ++i)
+            {
+              resolv_response_open_record (b, alias, qclass, T_A, 600);
+              const char ipv4[4] = {10, 255, 255, i};
+              resolv_response_add_data (b, ipv4, sizeof (ipv4));
+              resolv_response_close_record (b);
+            }
+        }
+      else
+        {
+          resolv_response_section (b, ns_s_ns);
+          resolv_response_open_record (b, qname, qclass, T_SOA, 600);
+          resolv_response_add_name (b, "ns1.example");
+          resolv_response_add_name (b, "hostmaster.example");
+          const uint32_t values[5] =
+            {
+              htonl (2021092901),
+              htonl (600),
+              htonl (600),
+              htonl (360000),
+              htonl (600),
+            };
+          resolv_response_add_data (b, values, sizeof (values));
+          resolv_response_close_record (b);
+        }
+
       return;
     }
 
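Review bot: The records added here all go into the reply built with `flags = {.tc = true}` just before `return`, so the hunk changes what the truncated reply carries but does not itself produce the condition the report names, a TCP reply with an empty answer section. It is worth adding a TCP-side case that returns REFUSED, SERVFAIL or an empty NOERROR so the test exercises that path. Separately, `const char ipv4[4] = {10, 255, 255, i};` stores 255 in plain `char`, which does not fit where `char` is signed; `unsigned char` or `uint8_t` would state the intent.
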
But I do not get a crash with current master. I think we really need those packet captures, sorry.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1945072

Title:
  getaddrinfo crashes on negative answers after Truncated retry

Status in glibc package in Ubuntu:
  New

Bug description:
  
  Programs using getaddrinfo will segfault downstack of the call in limited circumstances.

  We have limited this crash to a specific situation; some of these
  details may not be relevant to the problem but are included in case
  they are:

  - getaddrinfo makes two requests, A and AAAA, using UDP
  - At least one of the replies to the two requests is truncated
  - getaddrinfo makes two additional requests, A and AAAA, using TCP
  - At least one of the replies to the two TCP requests has an empty answer section
    - For example, the response comes back with a REFUSED or SERVFAIL
    - Even a NOERROR with an empty answer section will cause this crash

  Sample gai call:

    struct addrinfo* results;
    int ec = getaddrinfo(host.c_str(), "", nullptr, &results);

  
  This is difficult to reproduce without being able to control the replies yourself since downstream must give a negative answer on the TCP after answering the UDP.  (This can happen, the downstream server can decide not to answer for any number of policy reasons.)

  Using 18.04.5.  glibc version is 2.27.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1945072/+subscriptions
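
A triage helper for the packet captures requested above, as an added example that is not part of the original message or of glibc: it reads only the DNS header of each reply and flags a capture in which a truncated UDP reply is later followed by a TCP reply with an empty answer section, the pattern the bug description lists. The struct and function names and the header-only sample packets are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for this example; not glibc or resolv test-suite API. */
struct dns_reply { bool tcp; const uint8_t *data; size_t len; };
struct reply_info { bool ok, tc; unsigned rcode, ancount; };

/* Constructed header-only samples (no question or record bytes follow). */
static const uint8_t udp_tc[] = {0x12,0x34, 0x83,0x80, 0,1, 0,0, 0,0, 0,0};
static const uint8_t tcp_refused[] = {0,12, 0x12,0x34, 0x81,0x85, 0,1, 0,0, 0,0, 0,0};
static const uint8_t tcp_answer[] = {0,12, 0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0};

/* Extract TC, RCODE and ANCOUNT from the 12-byte DNS header. */
static struct reply_info parse_reply(const struct dns_reply *r) {
  struct reply_info info = {0};
  const uint8_t *p = r->data;
  size_t len = r->len;
  if (r->tcp) {                       /* DNS over TCP: 2-byte length prefix */
    if (len < 2) return info;
    size_t framed = ((size_t)p[0] << 8) | p[1];
    p += 2; len -= 2;
    if (framed > len) return info;    /* capture cut short */
    len = framed;
  }
  if (len < 12 || !(p[2] & 0x80)) return info;  /* too short, or QR=0 (a query) */
  info.ok = true;
  info.tc = (p[2] & 0x02) != 0;
  info.rcode = p[3] & 0x0f;
  info.ancount = ((unsigned)p[6] << 8) | p[7];
  return info;
}

/* True when a truncated UDP reply is later followed by a TCP reply whose
   answer section is empty (REFUSED, SERVFAIL or NOERROR alike). */
bool matches_reported_pattern(const struct dns_reply *replies, size_t n) {
  bool saw_tc = false;
  for (size_t i = 0; i < n; i++) {
    struct reply_info info = parse_reply(&replies[i]);
    if (!info.ok) continue;
    if (!replies[i].tcp) saw_tc = saw_tc || info.tc;
    else if (saw_tc && info.ancount == 0) return true;
  }
  return false;
}

int main(void) {
  struct dns_reply seq[] = {{false, udp_tc, sizeof udp_tc}, {true, tcp_refused, sizeof tcp_refused}};
  return matches_reported_pattern(seq, 2) ? 0 : 1;  /* exit 0: pattern present */
}
```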