Bug 689807 - examples & doc do not set inet family when creating Socket or SSLSocket, will cause failures with ipv6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-nss
Version: 6.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: John Dennis
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On: 689059
Blocks:
Reported: 2011-03-22 13:58 UTC by John Dennis
Modified: 2013-01-10 06:32 UTC (History)

Fixed In Version: python-nss-0.11-3.el6
Doc Type: Bug Fix
Doc Text:
This field is the basis of the errata or release note for this bug. It can also be used for change logs. The Technical Note template, known as CCFR, is as follows: Cause What actions or circumstances cause this bug to present. Consequence What happens when the bug presents. Fix What was done to fix the bug.
Clone Of: 689059
Environment:
Last Closed: 2011-05-19 13:35:21 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2011:0607
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: python-nss bug fix and enhancement update
Last Updated: 2011-05-18 17:56:27 UTC

Description John Dennis 2011-03-22 13:58:12 UTC
+++ This bug was initially created as a clone of Bug #689059 +++

The Socket and SSLSocket objects take an optional family parameter; it defaults to PR_AF_INET (e.g. IPv4). If the NetworkAddress object subsequently used with the socket object specifies an IPv6 address then an error will occur because of the mismatch between the socket family and the address family.

The examples installed in the documentation subpackage and the API documentation fail to force the family when a socket object is created. For IPv4 this is not a problem because the socket constructor defaults to AF_INET, but for IPv6 addresses the family must be explicitly set to PR_AF_INET6 (e.g. net_addr.family).

Perhaps the optional family parameter to Socket and SSLSocket shouldn't be optional with a default of PR_AF_INET, but that is an API change. At a minimum the examples and documentation should be explicit with regards to the family.

Comment 1 John Dennis 2011-03-22 14:01:39 UTC
A patch for the ssl_example program was prepared by myself and then tested by Ales Marecek in QE as part of the RHEL 6.1 QE testing. Ales reports success. I would like to patch and rebuild. Denise Dumas has indicated this is an appropriate fix to introduce during this point in the cycle.

Comment 2 Aleš Mareček 2011-03-22 14:09:36 UTC
I can confirm that the new version of ssl_example.py works properly.

Comment 3 John Dennis 2011-03-22 17:39:16 UTC
Pasting the contents of an email discussing the issue and proposed patch so that the information is captured here.

--------------------------------------------------------------------------

Socket objects must be created to match the intended address family (e.g. 
PR_AF_*). NetworkAddress objects have an implicit address family (e.g. 
IPv4 addresses are PR_AF_INET and IPv6 addresses are PR_AF_INET6).

Sockets are bound with a NetworkAddress object during connect, bind, 
etc. If the address family of a socket does not match the address family 
of a NetworkAddress object you will sometimes get low level errors and 
in some cases you won't get an error at all but just incorrect behavior 
(e.g. an IPv4 binding to an IPv6 "any" address actually binds to an IPv4 
address yet it reports it's listening on IPv6).

The constructor for Socket objects would default its family parameter 
to IPv4 if it wasn't explicitly specified. Thus if you accept the 
defaults when creating a Socket but iterate over the addresses returned 
by AddrInfo and that address is IPv6 you'll end up with an address family 
mismatch between the Socket object and the address it connects or binds to.

The fix is simple, when creating a Socket object always specify the 
family of the NetworkAddress object you intend to use the socket with. 
The example programs and the example code snippets in the API 
documentation failed to explicitly set the family parameter during 
Socket construction.

Just to be clear, the problem is only in the examples and documentation, 
the library itself does not have a problem, although I plan on adding a 
check in the library to prevent a mismatch from being accepted (see below).

The update for the package will include:

* Fix each place in the example/test code which allows a Socket object 
to default to IPv4 to have an explicit family parameter.

* Fix each code snippet in the API doc in a similar manner.

* Update the Socket entry points which accept a NetworkAddress object to 
validate the address family in the NetworkAddress family matches the 
socket object, otherwise raise an exception. In other words do not allow 
users to make this mistake. If they do you'll get a very specific error 
explaining the coding mistake.

* Mark the use of a default IPv4 family in Socket objects as being 
deprecated. A future version of the library will demand you explicitly 
specify the address family when creating a Socket object. Why? The 
assumption that IPv4 will be used is no longer a valid assumption.
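
The rule described in the description and in comment 3 (create the socket from the address's own family, and reject a mismatch with a specific error) can be sketched as follows. This is an added example, not part of the original report and not python-nss code: it uses the Python standard library `socket` module as a stand-in, and `family_of`, `FamilyCheckedSocket` and `connect_first` are hypothetical names.

```python
import ipaddress
import socket


def family_of(host):
    """Address family implied by a literal IP address (hypothetical helper)."""
    version = ipaddress.ip_address(host).version
    return socket.AF_INET6 if version == 6 else socket.AF_INET


class FamilyCheckedSocket:
    """Hypothetical wrapper: no default family, mismatched addresses are rejected."""

    def __init__(self, family):
        # The caller must name the family, normally family_of(address).
        self.sock = socket.socket(family, socket.SOCK_STREAM)
        self.family = self.sock.family

    def check(self, host):
        # Fail early with a specific error instead of a low-level one,
        # or a bind that quietly lands on the wrong family.
        if family_of(host) != self.family:
            raise ValueError(
                f"socket family {self.family.name} does not match address {host}")

    def bind(self, host, port):
        self.check(host)
        self.sock.bind((host, port))

    def connect(self, host, port, timeout=5.0):
        self.check(host)
        self.sock.settimeout(timeout)
        self.sock.connect((host, port))

    def close(self):
        self.sock.close()


def connect_first(addresses, port, timeout=5.0):
    """Try each literal address, building the socket from that address's family."""
    last_error = OSError("no addresses to try")
    for host in addresses:
        try:
            sock = FamilyCheckedSocket(family_of(host))
        except OSError as exc:  # e.g. IPv6 not available on this host
            last_error = exc
            continue
        try:
            sock.connect(host, port, timeout)
            return sock
        except OSError as exc:
            last_error = exc
            sock.close()
    raise last_error
```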

Comment 7 Florian Nadge 2011-05-11 12:23:05 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
This field is the basis of the errata or release note for this bug. It can also be used for change logs.

The Technical Note template, known as CCFR, is as follows:

Cause
    What actions or circumstances cause this bug to present.
Consequence
    What happens when the bug presents.
Fix
    What was done to fix the bug.

Comment 9 John Dennis 2011-05-11 12:33:39 UTC
Cause:

Socket constructor defaults to using IPv4.

Consequence:

If the Socket object is later associated with an IPv6 NetworkAddress object a mismatch will occur and an exception will be thrown.

Fix:

Always create the Socket object using the family property of the NetworkAddress object, do not allow Socket object's family to assume a default value.

Result:

Successful socket operation with IPv6.

Comment 10 errata-xmlrpc 2011-05-19 13:35:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0607.html
