public inbox for glibc-bugs@sourceware.org
* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: agl at imperialviolet dot org @ 2011-01-07 17:41 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=10484

Adam Langley <agl at imperialviolet dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |agl at imperialviolet dot
                   |                            |org

--- Comment #4 from Adam Langley <agl at imperialviolet dot org> 2011-01-07 17:40:48 UTC ---
The following program will blow its stack and crash if I have an /etc/hosts
line longer than 4K-ish.

---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int main(void) {
  struct addrinfo hints, *res;
  int rc;

  /* Restricting the family is what steers the lookup into the affected path. */
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = PF_INET;

  rc = getaddrinfo("www.google.com", "http", &hints, &res);
  if (rc != 0) {
    fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
    return 1;
  }
  freeaddrinfo(res);

  return 0;
}
---

Setting the ai_family in the hints is required in order to reproduce the crash.

(File and line references in the following are relative to git
16c2895feabae0962e0eba2b9164c6a83014bfe4)

In sysdeps/posix/getaddrinfo.c:531 we have a loop in gaih_inet which allocas a
buffer and doubles the size of that buffer each time __gethostbyname2_r returns
with ERANGE.

The __gethostbyname2_r ends up in nss/nss_files/files-hosts.c:128:

      if (status == NSS_STATUS_SUCCESS                                        \
          && _res_hconf.flags & HCONF_FLAG_MULTI)                             \
        {                                                                     \
          /* We have to get all host entries from the file.  */               \
          const size_t tmp_buflen = MIN (buflen, 4096);                       \
          char tmp_buffer[tmp_buflen]                                         \
            __attribute__ ((__aligned__ (__alignof__ (struct hostent_data))));\

Here, if HCONF_FLAG_MULTI is set then a secondary buffer is created on the
stack for the use of internal_getent. This buffer is limited to 4K in size.

internal_getent will try to read lines from /etc/hosts and it will return
ERANGE if the line (plus an internal structure) doesn't fit into |tmp_buffer|.
When this happens the loop in getaddrinfo.c will try doubling the size of its
buffer. However, |tmp_buffer| was limited to 4K so __gethostbyname2_r
repeatedly returns ERANGE and gaih_inet uselessly expands the buffer on the
stack until the program crashes.

I believe that the best solution is to replace:
  const size_t tmp_buflen = MIN (buflen, 4096);
with:
  const size_t tmp_buflen = buflen;

I can confirm that this fixes the crash for me.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
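The failure mode described in Comment #4, as an added example that is not glibc code and not from the bug report: a heap-based model of the retry-on-ERANGE contract between gaih_inet and __gethostbyname2_r. `lookup`, `grow_until_fit` and `demo` are hypothetical stand-ins; the 4096 cap is the one quoted from files-hosts.c, and the start size and give-up bound are constructed.

```c
/* Added example, not glibc code. Models why a callee that silently caps its
 * working buffer (MIN (buflen, 4096)) turns the caller's doubling loop into
 * unbounded growth, and why the caller should bound its own retries too. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define HIDDEN_CAP 4096        /* the cap quoted from files-hosts.c */
#define START_LEN  512         /* constructed initial buffer size */
#define GIVE_UP    (1u << 20)  /* constructed bound; stands in for stack exhaustion */

/* Hypothetical stand-in for the HCONF_FLAG_MULTI path of __gethostbyname2_r:
 * copies one /etc/hosts line into buf. With capped != 0 it only ever uses
 * MIN (buflen, HIDDEN_CAP), i.e. the bug; capped == 0 models the fix. */
static int lookup(const char *line, char *buf, size_t buflen, int capped, int *err)
{
    size_t usable = (capped && buflen > HIDDEN_CAP) ? HIDDEN_CAP : buflen;
    size_t need = strlen(line) + 1;
    if (need > usable) { *err = ERANGE; return -1; }
    memcpy(buf, line, need);
    return 0;
}

/* The caller's growth loop: same doubling policy as gaih_inet, but on the heap
 * and with an explicit bound. Returns the size at which the line finally fit,
 * or 0 if the size reached `limit` without the callee ever succeeding. */
static size_t grow_until_fit(const char *line, int capped, size_t limit)
{
    for (size_t len = START_LEN; ; len *= 2) {
        char *buf = malloc(len);
        int err = 0, rc = buf ? lookup(line, buf, len, capped, &err) : -1;
        free(buf);
        if (rc == 0) return len;
        if (!buf || err != ERANGE || len >= limit) return 0;
    }
}

/* Constructed input: one hosts line of `line_len` bytes, like the adblock-style
 * lines reported in the thread. Returns the result of grow_until_fit(). */
static size_t demo(size_t line_len, int capped)
{
    char *line = malloc(line_len + 1);
    if (!line) return 0;
    memset(line, 'a', line_len);
    line[line_len] = '\0';
    size_t got = grow_until_fit(line, capped, GIVE_UP);
    free(line);
    return got;
}
```

With the capped callee a 10000-byte line never fits and the loop runs to the bound; with the fixed callee the same line fits after five doublings, which is the behaviour the proposed one-line change restores.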



* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: agl at imperialviolet dot org @ 2011-01-07 18:04 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=10484

Adam Langley <agl at imperialviolet dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|x86_64-unknown-linux-gnu    |
               Host|x86_64-unknown-linux-gnu    |
            Version|2.9                         |2.13
              Build|x86_64-unknown-linux-gnu    |




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: drepper.fsp at gmail dot com @ 2011-01-13 16:29 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=10484

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-01-13 16:29:25 UTC ---
I've checked in a patch.




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: jackie.rosen at hushmail dot com @ 2014-02-16 18:29 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=10484

Jackie Rosen <jackie.rosen at hushmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jackie.rosen at hushmail dot com

--- Comment #6 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: schwab at sourceware dot org @ 2014-05-28 19:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=10484

Andreas Schwab <schwab at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|jackie.rosen at hushmail dot com   |




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: fweimer at redhat dot com @ 2014-07-01  7:26 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=10484

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #7 from Florian Weimer <fweimer at redhat dot com> ---
No trust boundary is crossed because write access to /etc/hosts is very
restricted.  I don't think it is even updated when connecting to different
networks using tools such as NetworkManager.




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: fibonacci dot prower at gmail dot com @ 2009-11-17  7:02 UTC (permalink / raw)
  To: glibc-bugs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |ASSIGNED


http://sourceware.org/bugzilla/show_bug.cgi?id=10484




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: fibonacci dot prower at gmail dot com @ 2009-10-30 13:49 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From fibonacci dot prower at gmail dot com  2009-10-30 13:49 -------
Try a longer line. I've gotten 100k+ lines just by using a hosts file for
adblock and then running network-admin.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10484




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: drepper at redhat dot com @ 2009-10-30  5:38 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2009-10-30 05:38 -------
You have to be much more precise.  I cannot reproduce any problem and your
description doesn't say where the stack overflow is supposed to happen.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=10484




* [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
From: fibonacci dot prower at gmail dot com @ 2009-08-05 19:29 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From fibonacci dot prower at gmail dot com  2009-08-05 19:28 -------
This also happens on plain x86 processors. The original bug was found on a PIV.

Perhaps it shouldn't be marked as x86_64.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10484




Thread overview: 10+ messages
     [not found] <bug-10484-131@http.sourceware.org/bugzilla/>
2011-01-07 17:41 ` [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line agl at imperialviolet dot org
2011-01-07 18:04 ` agl at imperialviolet dot org
2011-01-13 16:29 ` drepper.fsp at gmail dot com
2014-02-16 18:29 ` jackie.rosen at hushmail dot com
2014-05-28 19:46 ` schwab at sourceware dot org
2014-07-01  7:26 ` fweimer at redhat dot com
2009-08-05 15:22 [Bug libc/10484] New: " lars at ubuntu dot com
2009-08-05 19:29 ` [Bug libc/10484] " fibonacci dot prower at gmail dot com
2009-10-30  5:38 ` drepper at redhat dot com
2009-10-30 13:49 ` fibonacci dot prower at gmail dot com
2009-11-17  7:02 ` fibonacci dot prower at gmail dot com
