Date: 2 Mar 1999 13:32:32 +1100
From: john@nlc.net.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Message-ID: <19990302023232.64408.qmail@grunt.nlc.net.au>

>Number:         10344
>Category:       bin
>Synopsis:       Core dump in gethostbyaddr for 199.93.70.2
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 1 18:40:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     John Saunders
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Northlink Communications
>Environment:

3.1-STABLE cvsupped on Feb 23rd 1999.

>Description:

The IP address 199.93.70.2 has many PTR records associated with it.
It appears that doing a gethostbyaddr overflows some buffer which
causes a signal 10 core dump. The problem was originally discovered
with the dnsserver process on squid core dumping. The Backtrace is...

    #0  0x280cc964 in __ns_name_unpack ()
    #1  0x280ccb75 in __ns_name_uncompress ()
    #2  0x280cc246 in __dn_expand ()
    #3  0x280c1074 in _gethostbyhtaddr ()
    #4  0x280c19c2 in _gethostbydnsaddr ()
    #5  0x280c04a6 in gethostbyaddr ()
    #6  0x8048881 in lookup (buf=0xefbfda4c "199.93.70.2") at dnsserver.c:198
    #7  0x8048b2e in main (argc=1, argv=0xefbfdc78) at dnsserver.c:341
    #8  0x8048755 in _start ()

Compiling ns_name.c with -g and linking to dnsserver gives a bit more
information.

    #0  __ns_name_unpack (msg=0xefbfd5b8 "[q\203\200",
        eom=0xefc0354d <Address 0xefc0354d out of bounds>,
        src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
        dst=0xefbfcbf0 "\003www\bntyamXY?in-addr\004arpa", dstsiz=255)
        at ns_name.c:307
    #1  0x80492e4 in __ns_name_uncompress (msg=0xefbfd5b8 "[q\203\200",
        eom=0xefc0354d <Address 0xefc0354d out of bounds>,
        src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
        dst=0x280f3e41 "2.70.93.199.in-addr.arpa", dstsiz=7567)
        at ns_name.c:430

>How-To-Repeat:

The problem is in the resolver library so it can be repeated with
any process that does a reverse lookup. Try the following:

    nslookup -type=ptr 199.93.70.2

Strangely, if you don't specify -type=ptr then only the first PTR
record is returned and everything works. It appears that if you want
to list _all_ PTR records it comes to grief.

>Fix:

Unknown. Although I suspect it's an access through the srcp pointer
in the while loop.

>Release-Note:
>Audit-Trail:
>Unformatted:
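
Added example (not part of the original report, and neither the FreeBSD resolver code nor the fix for this PR): the second backtrace shows __ns_name_unpack expanding a compressed name with an eom that gdb reports as out of bounds. The C code below bounds every read of a compressed DNS name by the message end and clamps a reported length to the buffer size; safe_name_unpack, clamp_msglen and the SAMPLE message are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical: clamp a reported length so the end bound stays in the buffer. */
size_t clamp_msglen(long reported, size_t bufsiz)
{
    if (reported < 0) return 0;
    return (size_t)reported > bufsiz ? bufsiz : (size_t)reported;
}

/* Hypothetical helper, not the libc routine: expand the name at msg[start]
 * into dotted text. Returns bytes consumed at start, or -1 on bad input. */
int safe_name_unpack(const uint8_t *msg, size_t msglen, size_t start,
                     char *dst, size_t dstsiz)
{
    size_t off = start, out = 0, hops = 0;
    int consumed = -1;                        /* fixed at the first pointer */
    if (dstsiz == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;         /* length byte inside message */
        uint8_t n = msg[off++];
        if ((n & 0xC0) == 0xC0) {             /* compression pointer */
            if (off >= msglen) return -1;     /* second pointer byte missing */
            if (consumed < 0) consumed = (int)(off + 1 - start);
            off = ((size_t)(n & 0x3F) << 8) | msg[off];
            if (++hops > msglen) return -1;   /* pointer loop */
            continue;
        }
        if (n == 0) break;                    /* root label ends the name */
        if ((n & 0xC0) || n > msglen - off) return -1; /* bad type or past end */
        if (out + n + 2 > dstsiz) return -1;  /* '.', label and NUL must fit */
        if (out) dst[out++] = '.';
        memcpy(dst + out, msg + off, n);
        out += n; off += n;
    }
    dst[out] = '\0';
    return consumed >= 0 ? consumed : (int)(off - start);
}

/* Constructed: 12-byte header, www.example.com @12, "mail"+pointer to 16 @29 */
static const uint8_t SAMPLE[] = "\0\0\0\0\0\0\0\0\0\0\0\0"
    "\003www\007example\003com\0" "\004mail\300\020";

int main(void)
{
    char name[256] = "";
    size_t len = clamp_msglen(24469, sizeof SAMPLE - 1); /* oversized report */
    printf("%d %s\n", safe_name_unpack(SAMPLE, len, 29, name, sizeof name), name);
    return 0;
}
```

A truncated message, a pointer loop or an undersized dst all return -1 instead of reading or writing past a bound.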