Bug 450766 - dname response causes glibc to assert without log message and core dump.
dname response causes glibc to assert without log message and core dump.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: glibc (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Jakub Jelinek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-10 16:52 EDT by Peter Jones
Modified: 2008-06-27 00:46 EDT (History)
1 user (show)

See Also:
Fixed In Version: 2.8.90-6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-27 00:46:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
wireshark log (724 bytes, application/octet-stream)
2008-06-10 16:52 EDT, Peter Jones
no flags Details
log on the abort case. (585 bytes, patch)
2008-06-11 11:39 EDT, Peter Jones
no flags Details | Diff
add the text for T_DNAME so p_type() will work correctly. (1.18 KB, patch)
2008-06-11 12:56 EDT, Peter Jones
no flags Details | Diff

  None (edit)
Description Peter Jones 2008-06-10 16:52:26 EDT
Description of problem: in some cases when a dns DNAME response is recieved,
glibc aborts, which allows a denial of service attack in programs like firefox.

wireshark log attached.
Comment 1 Peter Jones 2008-06-10 16:52:26 EDT
Created attachment 308868 [details]
wireshark log
Comment 2 Ulrich Drepper 2008-06-10 18:37:09 EDT
I've added code to ignore the T_DNAME messages.  This is a misconfigured server.
 I cannot reproduce it here so testing is welcome.  Should be part of the  next
rawhide build.
Comment 3 Peter Jones 2008-06-11 11:39:33 EDT
Created attachment 308946 [details]
log on the abort case.

Any chance on also applying the attached patch to log responses that would
trigger the abort?
Comment 4 Peter Jones 2008-06-11 12:56:45 EDT
Created attachment 308960 [details]
add the text for T_DNAME so p_type() will work correctly.

We also need T_DNAME added to the list from which p_type works...
Comment 5 Peter Jones 2008-06-11 12:58:06 EDT
Uli, can you please also review the two patches I've attached to this bug?  The
first adds logging for unknown responses which would trigger abort(), and the
second adds handling for T_DNAME in p_type(), which is needed for the patch you
already applied.
Comment 6 Ulrich Drepper 2008-06-27 00:46:39 EDT
I've added the debug entry to cvs.  The T_DNAME entry is not needed.  Since the
debug cod eis not added to the binary their is no reason to keep this BZ open.

Note You need to log in before you can comment on or make changes to this bug.