[Bug libc/10823] New: [patch] __libc_res_nsend: wrong subscript while copying nsaddr_list into nsaddrs

[Bug libc/10823] New: [patch] __libc_res_nsend: wrong subscript while copying nsaddr_list into nsaddrs

[petar at smokva dot net]

Without the attached patch, the resolver will copy invalid items from
nsaddr_list into nsaddrs when ipv6 nameservers are used in _PATH_RESCONF

A res_(n)query with the following resolv.conf:

  +---
  | nameserver 2.2.2.2
  | nameserver ::1
  | nameserver 3.3.3.3

will only query 2.2.2.2 and ::1 while skipping 3.3.3.3.

A closer look at res_send.c revealed that __libc_res_nsend even copied
empty nsaddr_list items while populating nsaddrs.  Since having an ipv6
nameserver automatically means one empty nsaddr_list slot, the setup
above results in:

  +---
  | nsaddr	fam		addr		port
  | ------	---		----		----
  | [0]		AF_INET		2.2.2.2		53
  | [1]		AF_INET6	::1		53
  | [2]		0		0.0.0.0		0

I tested the patch against glibc-2.10.1 and it works as expected.

		Petar Bogdanovic

diff --git a/resolv/res_send.c b/resolv/res_send.c
index 4c14db1..9f3fe21 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -438,21 +438,21 @@ __libc_res_nsend(res_state statp, const u_char *buf, int
buflen,
 				map[n] = ns++;
 			}
 		EXT(statp).nscount = n;
 		for (ns = 0; ns < EXT(statp).nscount; ns++) {
 			n = map[ns];
 			if (EXT(statp).nsaddrs[n] == NULL)
 				EXT(statp).nsaddrs[n] =
 				    malloc(sizeof (struct sockaddr_in6));
 			if (EXT(statp).nsaddrs[n] != NULL) {
 				memset (mempcpy(EXT(statp).nsaddrs[n],
-						&statp->nsaddr_list[ns],
+						&statp->nsaddr_list[n],
 						sizeof (struct sockaddr_in)),
 					'\0',
 					sizeof (struct sockaddr_in6)
 					- sizeof (struct sockaddr_in));
 				EXT(statp).nssocks[n] = -1;
 				n++;
 			}
 		}
 		EXT(statp).nsinit = 1;
 	}

Raw diff: http://smokva.net/patch/glibc__resolv__res_send.c.diff

-- 
           Summary: [patch] __libc_res_nsend: wrong subscript while copying
                    nsaddr_list into nsaddrs
           Product: glibc
           Version: 2.10
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: petar at smokva dot net
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=10823

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10823] [patch] __libc_res_nsend: wrong subscript while copying nsaddr_list into nsaddrs

[petar at smokva dot net]

------- Additional Comments From petar at smokva dot net  2009-10-21 22:38 -------
Created an attachment (id=4306)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4306&action=view)
replaces mentioned subscript


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10823

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10823] [patch] __libc_res_nsend: wrong subscript while copying nsaddr_list into nsaddrs

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2009-10-29 15:18 -------
Fixed in git.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=10823

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.