Bug 1349329

Summary: lwresd: segfault at start_lookup
Product: [Fedora] Fedora
Reporter: Martin Sehnoutka <msehnout>
Component: bind
Assignee: Martin Sehnoutka <msehnout>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: msehnout, nparmar, psimerda, psklenar, qe-baseos-daemons, sroza, ssahani, thozza, vonsch, zdohnal
Hardware: x86_64   
OS: Linux   
Clone Of: 1306504
Last Closed: 2016-07-19 08:33:51 UTC
Type: Bug
Bug Blocks: 1357803    
Attachments: Proposed patch (flags: none)

Description Martin Sehnoutka 2016-06-23 08:55:38 UTC
Created attachment 1171376: Proposed patch

Description of the problem:

lwresd segfaults in the start_lookup function under specific circumstances, particularly when a domain name with a search domain is too long (more than 254 characters).

Affected versions:

All versions of BIND 9 available from RHEL repositories seem to be affected, as well as the upstream version from the 'master' branch.

We investigated the problem and it seems that lwresd does not iterate over search domains and thus ends up in an infinite loop and eventually segfaults.

Steps to reproduce:
1. Create 'server' and 'client' scripts with this content:

client:

----
#!/usr/bin/python

from __future__ import print_function

from ctypes import *

lwres = CDLL("liblwres.so")
lwres.lwres_getrrsetbyname.argtypes = (c_char_p, c_int, c_int, c_int, c_void_p)

name = 3 * ("a" * 63 + ".") + "a" * 61
print("{0} ({1})".format(name, len(name)))
result = lwres.lwres_getrrsetbyname(name, 1, 1, 0, None)
print(result)
----

server:

----
#!/bin/bash

lwresd -g -d 100 -c <(echo 'options { forwarders {  172.16.36.2; }; }; lwres { search { a; }; };')
----

You need to use an IP address of an actual recursive DNS server in the server script.
 

2. Run the server script and wait until it settles, then run the client in another terminal.

Expected result: Server should stay running. Client should print a non-zero error code.
Actual result: Server segfaults. Client hangs waiting for a response.

Proposed patch is attached.
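
The failure mode described above (a search-list loop that does not move on when name plus search domain is too long) can be avoided with a bounded expansion loop. The following is an added example, not BIND's code and not the attached patch; `join_name`, `expand_search` and the 253-character text-form limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: longest text-form DNS name (no trailing dot) within the 255-octet wire limit. */
#define MAX_NAME_TEXT 253

/* Hypothetical helper: write "name.domain" into out.
 * Returns 0 on success, -1 if the joined name would be too long. */
static int join_name(const char *name, const char *domain,
                     char *out, size_t outlen)
{
    size_t nl = strlen(name), dl = strlen(domain);
    size_t need = nl + 1 + dl;              /* name + "." + domain */
    if (need > MAX_NAME_TEXT || need + 1 > outlen)
        return -1;
    memcpy(out, name, nl);
    out[nl] = '.';
    memcpy(out + nl + 1, domain, dl + 1);   /* copies the terminating NUL */
    return 0;
}

/* Walk the search list exactly once. A candidate that is too long is
 * counted in *skipped and the index still advances, so the loop is
 * bounded by nsearch. Returns the number of candidates written to out,
 * which must have room for nsearch rows. */
int expand_search(const char *name, const char *const *search, size_t nsearch,
                  char out[][MAX_NAME_TEXT + 1], size_t *skipped)
{
    int accepted = 0;
    *skipped = 0;
    for (size_t i = 0; i < nsearch; i++) {
        if (join_name(name, search[i], out[accepted], MAX_NAME_TEXT + 1) != 0) {
            (*skipped)++;                   /* never retry the same entry */
            continue;
        }
        accepted++;
    }
    return accepted;
}

int main(void)
{
    const char *const search[] = { "a", "example" };   /* constructed input */
    char out[2][MAX_NAME_TEXT + 1];
    size_t skipped;
    int n = expand_search("www", search, 2, out, &skipped);
    printf("accepted=%d skipped=%zu first=%s\n", n, skipped, out[0]);
    return 0;
}
```

With a 253-character name like the one in the client script, every search-list entry is rejected and the caller can return an error to the client instead of looping.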

Comment 1 Martin Sehnoutka 2016-06-23 08:57:37 UTC
Reported to upstream with the patch as [ISC-Bugs #42694]

Comment 2 Tomáš Hozza 2016-07-19 08:33:51 UTC

*** This bug has been marked as a duplicate of bug 1357804 ***