Bug 450766

Summary: dname response causes glibc to assert without log message and core dump.
Product: [Fedora] Fedora Reporter: Peter Jones <pjones>
Component: glibc Assignee: Jakub Jelinek <jakub>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide CC: drepper
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.8.90-6 Doc Type: Bug Fix
Last Closed: 2008-06-27 04:46:39 UTC Type: ---
Attachments (Description / Flags):
wireshark log / none
log on the abort case. / none
add the text for T_DNAME so p_type() will work correctly. / none

Description Peter Jones 2008-06-10 20:52:26 UTC
Description of problem: in some cases when a DNS DNAME response is received,
glibc aborts, which allows a denial of service attack in programs like firefox.

wireshark log attached.

Comment 1 Peter Jones 2008-06-10 20:52:26 UTC
Created attachment 308868
wireshark log

Comment 2 Ulrich Drepper 2008-06-10 22:37:09 UTC
I've added code to ignore the T_DNAME messages. This is a misconfigured server.
I cannot reproduce it here so testing is welcome. Should be part of the next
rawhide build.

Comment 3 Peter Jones 2008-06-11 15:39:33 UTC
Created attachment 308946
log on the abort case.

Any chance on also applying the attached patch to log responses that would
trigger the abort?

Comment 4 Peter Jones 2008-06-11 16:56:45 UTC
Created attachment 308960
add the text for T_DNAME so p_type() will work correctly.

We also need T_DNAME added to the list from which p_type works...

Comment 5 Peter Jones 2008-06-11 16:58:06 UTC
Uli, can you please also review the two patches I've attached to this bug?  The
first adds logging for unknown responses which would trigger abort(), and the
second adds handling for T_DNAME in p_type(), which is needed for the patch you
already applied.

Comment 6 Ulrich Drepper 2008-06-27 04:46:39 UTC
I've added the debug entry to cvs.  The T_DNAME entry is not needed.  Since the
debug code is not added to the binary there is no reason to keep this BZ open.
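
Added example, not part of the bug thread and not glibc's code or either attached patch: a small answer-section walker that handles the situation discussed above by logging and skipping a DNAME (type 39) or any other unexpected record type instead of asserting on it, and fails only on truncated or malformed input. The names `count_a_records`, `skip_name`, `rd16` and the `SAMPLE` reply bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
enum { RR_A = 1, RR_CNAME = 5, RR_DNAME = 39 };   /* IANA RR type codes */
static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Constructed sample reply for "a.b": DNAME b -> c, CNAME a.b -> a.c, A a.c */
static const uint8_t SAMPLE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,3, 0,0, 0,0,  1,'a',1,'b',0, 0,1, 0,1,
    0xC0,0x0E, 0,39, 0,1, 0,0,0,60, 0,3, 1,'c',0,
    0xC0,0x0C, 0,5,  0,1, 0,0,0,60, 0,5, 1,'a',1,'c',0,
    0xC0,0x30, 0,1,  0,1, 0,0,0,60, 0,4, 192,0,2,1 };

/* Skip an encoded, possibly compressed name: next offset, or 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    for (; off < len; off += 1 + (size_t)m[off]) {
        if (m[off] == 0) return off + 1;              /* root label ends the name */
        /* a 2-byte pointer (0xC0..) ends the name; 0x40..0xBF is reserved */
        if (m[off] >= 0x40) return m[off] >= 0xC0 && len - off >= 2 ? off + 2 : 0;
    }
    return 0;
}

/* Count A answers; log and skip DNAME or unknown types; -1 if malformed. */
int count_a_records(const uint8_t *m, size_t len, int *skipped) {
    size_t off = 12;                                  /* fixed DNS header size */
    int found = 0;
    *skipped = 0;
    if (len < 12) return -1;
    for (unsigned qd = rd16(m + 4); qd; qd--, off += 4) {   /* name, type, class */
        off = skip_name(m, len, off);
        if (!off || len - off < 4) return -1;
    }
    for (unsigned an = rd16(m + 6); an; an--) {       /* name + 10 fixed bytes */
        off = skip_name(m, len, off);
        if (!off || len - off < 10) return -1;
        unsigned type = rd16(m + off);
        size_t rdlen = rd16(m + off + 8);
        if (rdlen > len - off - 10) return -1;        /* RDATA must fit in buffer */
        if (type == RR_A && rdlen == 4) found++;
        else if (type != RR_CNAME) {                  /* logged, never fatal */
            fprintf(stderr, "skipping RR type %u%s\n", type, type == RR_DNAME ? " (DNAME)" : "");
            (*skipped)++;
        }
        off += 10 + rdlen;
    }
    return found;
}
int main(void) {
    int skipped, n = count_a_records(SAMPLE, sizeof SAMPLE, &skipped);
    printf("A records: %d, skipped: %d\n", n, skipped);
}
```

The walker does not follow compression pointers, it only steps over them, so a pointer loop in a hostile reply cannot stall it.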