Date:      2 Mar 1999 13:32:32 +1100
From:      john@nlc.net.au
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Message-ID:  <19990302023232.64408.qmail@grunt.nlc.net.au>


>Number:         10344
>Category:       bin
>Synopsis:       Core dump in gethostbyaddr for 199.93.70.2
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar  1 18:40:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     John Saunders
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Northlink Communications
>Environment:

3.1-STABLE cvsupped on Feb 23rd 1999.

>Description:

The IP address 199.93.70.2 has many PTR records associated
with it. It appears that doing a gethostbyaddr overflows
some buffer which causes a signal 10 core dump.

The problem was originally discovered with the dnsserver
process on squid core dumping. The Backtrace is...

#0  0x280cc964 in __ns_name_unpack ()
#1  0x280ccb75 in __ns_name_uncompress ()
#2  0x280cc246 in __dn_expand ()
#3  0x280c1074 in _gethostbyhtaddr ()
#4  0x280c19c2 in _gethostbydnsaddr ()
#5  0x280c04a6 in gethostbyaddr ()
#6  0x8048881 in lookup (buf=0xefbfda4c "199.93.70.2") at dnsserver.c:198
#7  0x8048b2e in main (argc=1, argv=0xefbfdc78) at dnsserver.c:341
#8  0x8048755 in _start ()

Compiling ns_name.c with -g and linking to dnsserver gives a bit
more information.

#0  __ns_name_unpack (msg=0xefbfd5b8 "[q\203\200",
    eom=0xefc0354d <Address 0xefc0354d out of bounds>,
    src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
    dst=0xefbfcbf0 "\003www\bntyamXY?in-addr\004arpa", dstsiz=255)
    at ns_name.c:307
#1  0x80492e4 in __ns_name_uncompress (msg=0xefbfd5b8 "[q\203\200",
    eom=0xefc0354d <Address 0xefc0354d out of bounds>,
    src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
    dst=0x280f3e41 "2.70.93.199.in-addr.arpa", dstsiz=7567) at ns_name.c:430

>How-To-Repeat:

The problem is in the resolver library so it can be repeated
with any process that does a reverse lookup. Try the following:

nslookup -type=ptr 199.93.70.2

Strangely, if you don't specify -type=ptr then only the first PTR
record is returned and everything works. It appears that if you
want to list _all_ PTR records it comes to grief.

>Fix:

Unknown. Although I suspect it's an access through the srcp pointer
in the while loop.


>Release-Note:
>Audit-Trail:
>Unformatted:
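
Added example (not part of the original report and not FreeBSD's ns_name.c): in the second backtrace gdb reports eom as an address out of bounds, so the end-of-message pointer handed to the unpacker did not bound readable memory. The sketch below expands a compressed DNS name while clamping the reported reply length to the bytes actually in the buffer and checking every label and compression pointer against that limit. name_expand, its parameters and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not a captured reply): off 0 "arpa", off 6 "www" +
 * pointer to 0, off 12 pointer to itself, off 14 a 63-byte label cut short. */
static const uint8_t sample[18] = {
    4,'a','r','p','a',0,  3,'w','w','w',0xC0,0,  0xC0,12,  63,'a','b','c' };

/* Hypothetical helper. buflen = bytes really in the buffer, replen = length
 * reported for the reply. Returns bytes consumed at off, or -1 if malformed. */
int name_expand(const uint8_t *msg, size_t buflen, size_t replen,
                size_t off, char *dst, size_t dstsiz)
{
    size_t eom = replen < buflen ? replen : buflen; /* clamp to real data */
    size_t pos = off, out = 0, hops = 0;
    int consumed = -1;

    for (;;) {
        if (pos >= eom) return -1;             /* read would pass eom */
        uint8_t n = msg[pos++];
        if ((n & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos >= eom) return -1;
            size_t target = ((size_t)(n & 0x3F) << 8) | msg[pos++];
            if (consumed < 0) consumed = (int)(pos - off);
            if (++hops > 127 || target >= eom) return -1; /* loop or range */
            pos = target;
            continue;
        }
        if (n & 0xC0) return -1;               /* reserved label types */
        if (n == 0) break;                     /* root label ends the name */
        if (n > eom - pos) return -1;          /* label longer than data */
        if (out + n + 1 >= dstsiz) return -1;  /* '.', label, NUL must fit */
        if (out) dst[out++] = '.';
        memcpy(dst + out, msg + pos, n);
        out += n; pos += n;
    }
    if (out >= dstsiz) return -1;              /* room for the NUL */
    dst[out] = '\0';
    return consumed < 0 ? (int)(pos - off) : consumed;
}

int main(void)
{
    char dst[256];
    int n = name_expand(sample, sizeof sample, sizeof sample, 6, dst, sizeof dst);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : dst);
    return 0;
}
```

Passing a reported length larger than the buffer (for example with off 14 in the sample) returns -1 instead of reading past the 18 bytes present.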

