From patchwork Wed Mar 23 20:22:39 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 601367 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3qVgws5twFz9sBg for ; Thu, 24 Mar 2016 07:22:53 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b=Pd9/H67M; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:subject:to:references:from:message-id:date :mime-version:in-reply-to:content-type; q=dns; s=default; b=WUuL 6Pmc+UrQA9sJtcPjrzdhhhzCTfH9/IU6rfunC4brA0KWLmC1Px5TlSJLAVDdMeAW yOCRJB1N/2p3znwyedVX2TNk/YpsLT6of9fLz9wdSCLVY75uQliyXY9X0Vk0mDTZ z3Zi4pYDsHKYyab8kFYnTAb0wJ7e6Pb8Mjgn1Eg= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:subject:to:references:from:message-id:date :mime-version:in-reply-to:content-type; s=default; bh=CN6wntAaNO vpAMANLYhLiAdtI1k=; b=Pd9/H67M3MBYaU40ye5kERqMVdyIomLw9Mrbcjm9b/ 0XAKTIXiy2vEJM+zm06xGq8IjJYjp0fDIgWQI84qQ4yyGhz7d1dBf8ILbcXrkc91 ZB2Pm9o4tE4Zcyfh22FAZwrPw155BsSP+pZXMotyiaZ5IZg6BVR4aGy1XBPizSbu Q= Received: (qmail 108480 invoked by alias); 23 Mar 2016 20:22:45 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 107465 invoked by uid 89); 23 Mar 2016 20:22:44 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00, SPF_HELO_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy=unsuccessful, nxdomain, switched, consequence X-HELO: mx1.redhat.com Subject: Re: [PATCH] resolv: Always set *resplen2 out parameter in send_dg [BZ #19791] To: libc-alpha@sourceware.org References: <56E2DD9B.3060803@redhat.com> From: Florian Weimer X-Enigmail-Draft-Status: N1110 Message-ID: <56F2FB0F.5090907@redhat.com> Date: Wed, 23 Mar 2016 21:22:39 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <56E2DD9B.3060803@redhat.com> This is the new patch. It sets *resplen2 strictly before each return (except for the success case). I have convinced myself that this does not alter any correct cases. If send_dg does not return 0 I have a companion patch for send_vc (bug 19825) which I still need to submit. I ran the external resolver test suite, apart from a tst-partial-fail failure due to libresolv's newly found ability to find non-broken responses, there are no failures. Thanks, Florian Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement second fallback mode for DNS requests), there is a code path which returns early, before *resplen2 is initialized. This happens if the name server address is immediately recognized as invalid (because of lack of protocol support, or if it is a broadcast address such 255.255.255.255, or another invalid address). If this happens and *resplen2 was non-zero (which is the case if a previous query resulted in a failure), __libc_res_nquery would reuse an existing second answer buffer. This answer has been previously identified as unusable (for example, it could be an NXDOMAIN response). Due to the presence of a second answer, no name server switching will occur. The result is a name resolution failure, although a successful resolution would have been possible if name servers have been switched and queries had proceeded along the search path. The above paragraph still simplifies the situation. Before glibc 2.23, if the second answer needed malloc, the stub resolver would still attempt to reuse the second answer, but this is not possible because __libc_res_nsearch has freed it, after the unsuccessful call to __libc_res_nquerydomain, and set the buffer pointer to NULL. This eventually leads to an assertion failure in __libc_res_nquery: /* Make sure both hp and hp2 are defined */ assert((hp != NULL) && (hp2 != NULL)); If assertions are disabled, the consequence is a NULL pointer dereference on the next line. Starting with glibc 2.23, as a result of commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665)), the second answer is always allocated with malloc. This means that the assertion failure happens with small responses as well because there is no buffer to reuse, as soon as there is a name resolution failure which triggers a search for an answer along the search path. This commit addresses the issue by ensuring that *resplen2 is initialized before the send_dg function returns. This commit also addresses a bug where an invalid second reply is incorrectly returned as a valid to the caller. 2016-03-23 Florian Weimer [BZ #19791] * resolv/res_send.c (close_and_return_error): New function. (send_dg): Initialize *resplen2 after reopen failure. Call close_and_return_error for error returns. On error paths without __res_iclose, initialze *resplen2 explicitly. Update comment for successful return. diff --git a/resolv/res_send.c b/resolv/res_send.c index 25c19f1..b4efcb6 100644 --- a/resolv/res_send.c +++ b/resolv/res_send.c @@ -649,6 +649,18 @@ get_nsaddr (res_state statp, int n) return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; } +/* Close the resolver structure, assign zero to *RESPLEN2 if RESPLEN2 + is not NULL, and return zero. */ +static int +__attribute__ ((warn_unused_result)) +close_and_return_error (res_state statp, int *resplen2) +{ + __res_iclose(statp, false); + if (resplen2 != NULL) + *resplen2 = 0; + return 0; +} + /* The send_vc function is responsible for sending a DNS query over TCP to the nameserver numbered NS from the res_state STATP i.e. EXT(statp).nssocks[ns]. The function supports sending both IPv4 and @@ -1114,7 +1126,11 @@ send_dg(res_state statp, retry_reopen: retval = reopen (statp, terrno, ns); if (retval <= 0) - return retval; + { + if (resplen2 != NULL) + *resplen2 = 0; + return retval; + } retry: evNowTime(&now); evConsTime(&timeout, seconds, 0); @@ -1127,8 +1143,6 @@ send_dg(res_state statp, int recvresp2 = buf2 == NULL; pfd[0].fd = EXT(statp).nssocks[ns]; pfd[0].events = POLLOUT; - if (resplen2 != NULL) - *resplen2 = 0; wait: if (need_recompute) { recompute_resend: @@ -1136,9 +1150,7 @@ send_dg(res_state statp, if (evCmpTime(finish, now) <= 0) { poll_err_out: Perror(statp, stderr, "poll", errno); - err_out: - __res_iclose(statp, false); - return (0); + return close_and_return_error (statp, resplen2); } evSubTime(&timeout, &finish, &now); need_recompute = 0; @@ -1185,7 +1197,9 @@ send_dg(res_state statp, } *gotsomewhere = 1; - return (0); + if (resplen2 != NULL) + *resplen2 = 0; + return 0; } if (n < 0) { if (errno == EINTR) @@ -1253,7 +1267,7 @@ send_dg(res_state statp, fail_sendmmsg: Perror(statp, stderr, "sendmmsg", errno); - goto err_out; + return close_and_return_error (statp, resplen2); } } else @@ -1271,7 +1285,7 @@ send_dg(res_state statp, if (errno == EINTR || errno == EAGAIN) goto recompute_resend; Perror(statp, stderr, "send", errno); - goto err_out; + return close_and_return_error (statp, resplen2); } just_one: if (nwritten != 0 || buf2 == NULL || single_request) @@ -1349,7 +1363,7 @@ send_dg(res_state statp, goto wait; } Perror(statp, stderr, "recvfrom", errno); - goto err_out; + return close_and_return_error (statp, resplen2); } *gotsomewhere = 1; if (__glibc_unlikely (*thisresplenp < HFIXEDSZ)) { @@ -1360,7 +1374,7 @@ send_dg(res_state statp, (stdout, ";; undersized: %d\n", *thisresplenp)); *terrno = EMSGSIZE; - goto err_out; + return close_and_return_error (statp, resplen2); } if ((recvresp1 || hp->id != anhp->id) && (recvresp2 || hp2->id != anhp->id)) { @@ -1409,7 +1423,7 @@ send_dg(res_state statp, ? *thisanssizp : *thisresplenp); /* record the error */ statp->_flags |= RES_F_EDNS0ERR; - goto err_out; + return close_and_return_error (statp, resplen2); } #endif if (!(statp->options & RES_INSECURE2) @@ -1461,10 +1475,10 @@ send_dg(res_state statp, goto wait; } - __res_iclose(statp, false); /* don't retry if called from dig */ if (!statp->pfcode) - return (0); + return close_and_return_error (statp, resplen2); + __res_iclose(statp, false); } if (anhp->rcode == NOERROR && anhp->ancount == 0 && anhp->aa == 0 && anhp->ra == 0 && anhp->arcount == 0) { @@ -1486,6 +1500,8 @@ send_dg(res_state statp, __res_iclose(statp, false); // XXX if we have received one reply we could // XXX use it and not repeat it over TCP... + if (resplen2 != NULL) + *resplen2 = 0; return (1); } /* Mark which reply we received. */ @@ -1501,21 +1517,22 @@ send_dg(res_state statp, __res_iclose (statp, false); retval = reopen (statp, terrno, ns); if (retval <= 0) - return retval; + { + if (resplen2 != NULL) + *resplen2 = 0; + return retval; + } pfd[0].fd = EXT(statp).nssocks[ns]; } } goto wait; } - /* - * All is well, or the error is fatal. Signal that the - * next nameserver ought not be tried. - */ + /* All is well. We have received both responses (if + two responses were requested). */ return (resplen); - } else if (pfd[0].revents & (POLLERR | POLLHUP | POLLNVAL)) { - /* Something went wrong. We can stop trying. */ - goto err_out; - } + } else if (pfd[0].revents & (POLLERR | POLLHUP | POLLNVAL)) + /* Something went wrong. We can stop trying. */ + return close_and_return_error (statp, resplen2); else { /* poll should not have returned > 0 in this case. */ abort ();