public inbox for glibc-bugs@sourceware.org
From: "agl at imperialviolet dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
Date: Fri, 07 Jan 2011 17:41:00 -0000
Message-ID: <bug-10484-131-vgMc81OGUL@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-10484-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=10484

Adam Langley <agl at imperialviolet dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |agl at imperialviolet dot
                   |                            |org

--- Comment #4 from Adam Langley <agl at imperialviolet dot org> 2011-01-07 17:40:48 UTC ---

The following program will blow its stack and crash if I have an /etc/hosts
line longer than 4Kish.

---
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int main() {
  struct addrinfo hints, *res;

  memset(&hints, 0, sizeof(hints));
  hints.ai_family = PF_INET;   /* setting ai_family is required to reproduce */
  getaddrinfo("www.google.com", "http", &hints, &res);

  return 0;
}
---

Setting the ai_family in the hints is required in order to reproduce the
crash.

(File and line references in the following are relative to git
16c2895feabae0962e0eba2b9164c6a83014bfe4)

In sysdeps/posix/getaddrinfo.c:531 we have a loop in gaih_inet which allocas
a buffer and doubles the size of that buffer each time __gethostbyname2_r
returns with ERANGE.

The __gethostbyname2_r ends up in nss/nss_files/files-hosts.c:128:

      if (status == NSS_STATUS_SUCCESS                                        \
          && _res_hconf.flags & HCONF_FLAG_MULTI)                             \
        {                                                                     \
          /* We have to get all host entries from the file.  */               \
          const size_t tmp_buflen = MIN (buflen, 4096);                       \
          char tmp_buffer[tmp_buflen]                                         \
            __attribute__ ((__aligned__ (__alignof__ (struct hostent_data))));\

Here, if HCONF_FLAG_MULTI is set then a secondary buffer is created on the
stack for the use of internal_getent. This buffer is limited to 4K in size.
internal_getent will try to read lines from /etc/hosts and it will return
ERANGE if the line (plus an internal structure) doesn't fit into
|tmp_buffer|.

When this happens the loop in getaddrinfo.c will try doubling the size of its
buffer. However, |tmp_buffer| was limited to 4K so __gethostbyname2_r
repeatedly returns ERANGE and gaih_inet uselessly expands the buffer on the
stack until the program crashes.

I believe that the best solution is to replace:

  const size_t tmp_buflen = MIN (buflen, 4096);

with:

  const size_t tmp_buflen = buflen;

I can confirm that this fixes the crash for me.

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
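The failure mode described in the comment above (a caller that retries with a doubled buffer on ERANGE, paired with a callee that silently caps how much of that buffer it will use) is easy to model without glibc. The following is an added example, not glibc code and not part of the bug report: `lookup_capped` mimics the `MIN (buflen, 4096)` scratch buffer in files-hosts.c, `lookup_fixed` mimics the proposed `tmp_buflen = buflen`, and `retry_lookup` mimics the gaih_inet doubling loop. The real loop grows an alloca'd buffer without bound; the model uses malloc and an explicit `max_buflen` so that it reports "would have kept growing" instead of actually exhausting the stack. The function names, the 1024-byte starting size and the constructed hosts line are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 4096 constant from the files-hosts.c snippet quoted in the report. */
#define TMP_CAP 4096

typedef int (*lookup_fn)(const char *line, char *buf, size_t buflen);

/* Model (not glibc code) of an NSS lookup: copy one /etc/hosts line into the
   caller's buffer, or fail with ERANGE if it does not fit.  `inner_cap`
   models the local tmp_buffer: the lookup may only use
   MIN(buflen, inner_cap) bytes, however large the caller's buffer is. */
static int lookup_generic(const char *line, char *buf, size_t buflen,
                          size_t inner_cap)
{
    size_t usable = buflen < inner_cap ? buflen : inner_cap;
    size_t need = strlen(line) + 1;
    if (need > usable)
        return ERANGE;
    memcpy(buf, line, need);
    return 0;
}

/* Buggy behaviour: scratch space capped at 4096 bytes regardless of buflen. */
int lookup_capped(const char *line, char *buf, size_t buflen)
{
    return lookup_generic(line, buf, buflen, TMP_CAP);
}

/* Proposed fix: tmp_buflen = buflen, so the whole caller buffer is usable. */
int lookup_fixed(const char *line, char *buf, size_t buflen)
{
    return lookup_generic(line, buf, buflen, (size_t)-1);
}

/* Model of the gaih_inet retry loop: start small and double on every ERANGE.
   Returns the buffer size that finally succeeded, or 0 if the next doubling
   would exceed max_buflen, i.e. the real alloca() loop would never stop and
   would blow the stack. */
size_t retry_lookup(lookup_fn fn, const char *line, size_t max_buflen)
{
    size_t buflen = 1024;            /* assumed starting size */
    for (;;) {
        char *buf = malloc(buflen);  /* alloca() in the real code */
        if (buf == NULL)
            return 0;
        int rc = fn(line, buf, buflen);
        free(buf);
        if (rc == 0)
            return buflen;
        if (rc != ERANGE)
            return 0;
        if (buflen > max_buflen / 2) /* next doubling would exceed the bound */
            return 0;
        buflen *= 2;
    }
}

/* Constructed input: an /etc/hosts line of exactly `total_len` characters,
   an address followed by a very long run of alias text. */
static char *make_long_hosts_line(size_t total_len)
{
    const char *prefix = "10.0.0.1 ";
    size_t plen = strlen(prefix);
    char *line = malloc(total_len + 1);
    if (line == NULL || total_len < plen)
        abort();
    memcpy(line, prefix, plen);
    memset(line + plen, 'a', total_len - plen);
    line[total_len] = '\0';
    return line;
}

/* Build a line of line_len bytes, run the retry loop against `fn`, and
   return what retry_lookup reported. */
size_t run_case(lookup_fn fn, size_t line_len, size_t max_buflen)
{
    char *line = make_long_hosts_line(line_len);
    size_t result = retry_lookup(fn, line, max_buflen);
    free(line);
    return result;
}

int main(void)
{
    size_t bound = (size_t)1 << 20;  /* 1 MiB: stop the model here */
    printf("3000-byte line, capped callee: succeeded at %zu bytes\n",
           run_case(lookup_capped, 3000, bound));
    printf("5000-byte line, capped callee: succeeded at %zu bytes (0 = unbounded growth)\n",
           run_case(lookup_capped, 5000, bound));
    printf("5000-byte line, fixed callee:  succeeded at %zu bytes\n",
           run_case(lookup_fixed, 5000, bound));
    return 0;
}
```

The general point the model makes: an ERANGE-and-retry contract only terminates if the callee can eventually use all of the buffer it is offered. Any hidden cap inside the callee turns the caller's doubling loop into unbounded stack growth on the first input larger than the cap, which is why the proposed one-line change (use `buflen`, not `MIN (buflen, 4096)`) is the right fix rather than a larger constant.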
Thread overview: 10+ messages (~2011-01-07 17:41 UTC, newest first)

  [not found] <bug-10484-131@http.sourceware.org/bugzilla/>
  2011-01-07 17:41 ` agl at imperialviolet dot org [this message]
  2011-01-07 18:04 ` agl at imperialviolet dot org
  2011-01-13 16:29 ` drepper.fsp at gmail dot com
  2014-02-16 18:29 ` jackie.rosen at hushmail dot com
  2014-05-28 19:46 ` schwab at sourceware dot org
  2014-07-01  7:26 ` fweimer at redhat dot com
  2009-08-05 15:22 [Bug libc/10484] New: getaddrinfo segfaults if /etc/hosts has a long line  lars at ubuntu dot com
  2009-08-05 19:29 ` [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line  fibonacci dot prower at gmail dot com
  2009-10-30  5:38 ` drepper at redhat dot com
  2009-10-30 13:49 ` fibonacci dot prower at gmail dot com
  2009-11-17  7:02 ` fibonacci dot prower at gmail dot com