Date:      Sat, 10 Jun 2000 18:50:02 -0700 (PDT)
From:      vladimir@math.uic.edu
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/19096: libc core dump using ftp and telnet
Message-ID:  <200006110150.SAA55576@freefall.freebsd.org>

The following reply was made to PR bin/19096; it has been noted by GNATS.

From: vladimir@math.uic.edu
To: freebsd-gnats-submit@FreeBSD.org, liveevil@tasam.com
Cc: vladimir@math.uic.edu
Subject: Re: bin/19096: libc core dump using ftp and telnet
Date: 11 Jun 2000 01:30:52 -0000

 >                                                  Problem Report bin/19096
 >                                                              
 >   libc core dump using ftp and telnet
 >   
 >   Confidential
 >          no
 >          
 >   Severity
 >          critical
 >          
 >   Priority
 >          high
 >          
 >   Responsible
 >          [2]freebsd-bugs@FreeBSD.org
 >          
 >   State
 >          open
 >          
 >   Class
 >          sw-bug
 >          
 >   Submitter-Id
 >          current-users
 >          
 >   Arrival-Date
 >          Wed Jun 07 10:00:00 PDT 2000
 >          
 >   Last-Modified
 >          Wed Jun 7 12:00:01 PDT 2000
 >          
 >   Originator
 >          LiVeeViL <[3]liveevil@tasam.com>
 >          
 >   Release
 >          4.0-STABLE FreeBSD 4.0-STABLE
 >          
 >   Organization
 >          
 >NONE
 >
 >   Environment
 >          
 >4.0-STABLE FreeBSD 4.0-STABLE
 >
 >   Description
 >          
 >Somehow a URL (easymoney.com) was able to change my default webpage to theirs.  I did a query
 >on their domain name, and found an entry in their DNS zone file.  One of the entry names is
 >*.exitmoney.com.  I wanted to see if I could establish a connection using that hostname.
 >
 >Here is what I got:
 >
 >bash-2.03$ telnet
 >telnet> o
 >(to) *.exitmoney.com
 >Segmentation fault (core dumped)
 >
 >Also the same using FTP server (Version 6.00LS)
 >
 >bash-2.03$ ftp
 >ftp> o
 >(to) *.exitmoney.com
 >Segmentation fault (core dumped)
 >bash-2.03$
 >
 >-rw-------    1 liveevil  liveevil   380928 Jun  7 12:41 telnet.core
 >-rw-------    1 liveevil  liveevil   454656 Jun  7 12:42 ftp.core
 >
 >
 >   How-To-Repeat
 >          
 >bash-2.03$ telnet
 >telnet> o
 >(to) *.exitmoney.com
 >Segmentation fault (core dumped)
 >
 >Also the same using FTP server (Version 6.00LS)
 >
 >bash-2.03$ ftp
 >ftp> o
 >(to) *.exitmoney.com
 >Segmentation fault (core dumped)
 >bash-2.03$
 >
 >   Fix
 >          
 >It seems like both ftp and telnet have trouble with input from host names with "*"'s in them.
 >I have also tried to reproduce the same results using ping, nslookup and traceroute without
 >any luck.  I do not know how to fix this problem.
 >
 >
 >   Audit-Trail
 >          
 >From: Ruslan Ermilov <ru@sunbay.com>
 >To: liveevil@tasam.com
 >Cc: freebsd-gnats-submit@FreeBSD.org
 >Subject: Re: bin/19096: core dump using ftp and telnet
 >Date: Wed, 7 Jun 2000 21:12:59 +0300
 >
 > On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
 > >
 > > Number:         19096
 > > Synopsis:       core dump using ftp and telnet
 > > Severity:       non-critical
 > > Priority:       low
 > > Release:        4.0-STABLE FreeBSD 4.0-STABLE
 > >
 > It turns out to be a problem with libc.
 > Maybe _hpcopy() should check the value of *errp???
 >
 > Script started on Wed Jun  7 21:06:04 2000
 > GNU gdb 4.18
 > Copyright 1998 Free Software Foundation, Inc.
 > GDB is free software, covered by the GNU General Public License, and you are
 > welcome to change it and/or distribute copies of it under certain conditions.
 > Type "show copying" to see the conditions.
 > There is absolutely no warranty for GDB.  Type "show warranty" for details.
 > This GDB was configured as "i386-unknown-freebsd"...
 > Core was generated by `ftp'.
 > Program terminated with signal 11, Segmentation fault.
 > #0  0x807321e in _hpcopy (hp=0xbfbff4a0, errp=0xbfbff590)
 >     at /usr/src/lib/libc/../libc/net/name6.c:559
 > 559                            if (**pp != '\0') {
 > (gdb) l
 > 554            size = sizeof(struct hostent);
 > 555            if (hp->h_name != NULL && *hp->h_name != '\0')
 > 556                    size += strlen(hp->h_name) + 1;
 > 557            if ((pp = hp->h_aliases) != NULL) {
 > 558                    for (i = 0; *pp != NULL; i++, pp++) {
 > 559                            if (**pp != '\0') {
 > 560                                    size += strlen(*pp) + 1;
 > 561                                    nalias++;
 > 562                            }
 > 563                    }
 > (gdb) print pp
 > $1 = (char **) 0xbfbff0a4
 > (gdb) print *pp
 > $2 = 0x1000100 <Address 0x1000100 out of bounds>
 > (gdb) up
 > #1  0x8074714 in _res_search_multi (name=0x80bb0a0 "*.exitmoney.com",
 >     rtl=0xbfbff4dc, errp=0xbfbff590)
 >     at /usr/src/lib/libc/../libc/net/name6.c:1352
 > 1352                                   hp = _hpcopy(&hpbuf, errp);
 > (gdb) l
 > 1347                                   hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
 > 1348                                       ? AF_INET6 : AF_INET;
 > 1349                                   hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
 > 1350                                   hp = getanswer(&buf, ret, name, rtl->rtl_type,
 > 1351                                                       &hpbuf, errp);
 > 1352                                   hp = _hpcopy(&hpbuf, errp);
 > 1353                                   hp0 = _hpmerge(hp0, hp, errp);
 > 1354                           }
 > 1355                   }
 > 1356                   if (hp0 != NULL)
 > (gdb) print *errp
 > $3 = 3
 > (gdb) quit
 >
 > Script done on Wed Jun  7 21:07:30 2000
 >
 > --
 > Ruslan Ermilov         Oracle Developer/DBA,
 > ru@sunbay.com          Sunbay Software AG,
 > ru@FreeBSD.org         FreeBSD committer,
 > +380.652.512.251       Simferopol, Ukraine
 >
 > [4]http://www.FreeBSD.org      The Power To Serve
 > [5]http://www.oracle.com       Enabling The Information Age
 >
 >
 >From: Ruslan Ermilov <ru@sunbay.com>
 >To: bug-followup@FreeBSD.org
 >Cc:
 >Subject: Re: bin/19096: core dump using ftp and telnet
 >Date: Wed, 7 Jun 2000 21:57:29 +0300
 >
 > On Wed, Jun 07, 2000 at 11:20:01AM -0700, Ruslan Ermilov wrote:
 > >
 > >  On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
 > >  >
 > >  > Number:         19096
 > >  > Synopsis:       core dump using ftp and telnet
 > >  > Severity:       non-critical
 > >  > Priority:       low
 > >  > Release:        4.0-STABLE FreeBSD 4.0-STABLE
 > >  >
 > >  It turns out to be the problem with libc.
 > >  Maybe, _hpcopy() should check for value of *errp???
 > >
 > Something like this should be done (IN ALL PLACES):
 >
 > Index: name6.c
 > ===================================================================
 > RCS file: /home/ncvs/src/lib/libc/net/name6.c,v
 > retrieving revision 1.6.2.3
 > diff -u -r1.6.2.3 name6.c
 > --- name6.c    2000/05/13 18:46:13     1.6.2.3
 > +++ name6.c    2000/06/07 18:55:12
 > @@ -1349,7 +1349,8 @@
 >                                hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
 >                                hp = getanswer(&buf, ret, name, rtl->rtl_type,
 >                                                    &hpbuf, errp);
 > -                              hp = _hpcopy(&hpbuf, errp);
 > +                              if (hp != NULL)
 > +                                      hp = _hpcopy(&hpbuf, errp);
 >                                hp0 = _hpmerge(hp0, hp, errp);
 >                        }
 >                }
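Review bot: the new `if (hp != NULL)` guard stops `_hpcopy()` from walking the uninitialized `hpbuf` when `getanswer()` fails (the gdb session above shows `*pp == 0x1000100` at exactly that point), but `hp` is then still NULL on the unchanged next line, `hp0 = _hpmerge(hp0, hp, errp);`, so `_hpmerge()` has to tolerate a NULL second argument; that function is not in the hunk and should be checked before this goes in. Because `hpbuf` is a stack variable that a failed lookup leaves unfilled, zeroing it (`memset(&hpbuf, 0, sizeof(hpbuf));`) before the lookup would make every copy path harmless, not just this one, and the "IN ALL PLACES" remark in the reply points at the other `_hpcopy()` call sites that need the same guard.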
 >
 >
 > Which gives the correct behaviour:
 >
 > Script started on Wed Jun  7 21:53:48 2000
 > ftp: *.exitmoney.com: Non-recoverable failure in name resolution
 > ftp> quit
 >
 > Script done on Wed Jun  7 21:53:50 2000
 >
 > --
 > Ruslan Ermilov         Oracle Developer/DBA,
 > ru@sunbay.com          Sunbay Software AG,
 > ru@FreeBSD.org         FreeBSD committer,
 > +380.652.512.251       Simferopol, Ukraine
 >
 > [6]http://www.FreeBSD.org      The Power To Serve
 > [7]http://www.oracle.com       Enabling The Information Age
 >
 
 I just submitted a bug report yesterday that didn't seem to make it 
 to the database about
 "gethostbyname() fails if there are 'bad' chars in the hostname", 
 with an equivalent fix.   The failure happens when the hostname
 resolves, but has 'illegal' chars in it, for example, 
 mail_dxb.zu.ac.ae (I found this one when I noticed that our
 inetd is dumping core).
 
 Hopefully someone closes my bug report if it makes it to the 
 database, because #19096 is essentially the same thing.
 
 	Vladimir
 	vladimir@math.uic.edu
 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006110150.SAA55576>