[Bug network/14841] New: RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[Bug network/14841] New: RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[lekensteyn at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14841

             Bug #: 14841
           Summary: RRSIG confuses getaddrinfo:
                    getaddrinfo*.gaih_getanswer: got type "46"
           Product: glibc
           Version: 2.16
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
        AssignedTo: unassigned@sourceware.org
        ReportedBy: lekensteyn@gmail.com
    Classification: Unclassified


Created attachment 6736
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6736
getaddrinfo-bug.c

Since 13 November 2012 I see the following messages in my syslog from Firefox:

    getaddrinfo*.gaih_getanswer: got type "46"

This is printed when using Google's public DNS server 8.8.4.4. "46" is RRSIG
according to Wikipedia and my Wireshark output. The error message comes from
resolv/nss_dns/dns-host.c:1147

I have attached C source code that exposes this bug.

Steps to reproduce:
1. Use a DNS server that responds with the DNSSEC field "RRSIG" (like 8.8.4.4).
2. gcc getaddrinfo-bug.c -o getaddrinfo-bug && ./getaddrinfo-bug.
3. Look in the syslog.

I have verified that this message does not occur if I use a DNS server that
does not gives a response containing a RRSIG field.

Tested with Arch Linux glibc version 2.16.0-5 and an unpatched 2.16.0 build.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug network/14841] RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14841

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/14841] RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14841

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
The NSS DNS client does not set the DO bit on DNS queries.  If the resolver
still sends RRSIG records, that's a resolver bug, and logging this seems to be
okay.  (If I recall correctly, the Google public DNS server used to have
exactly this bug, so it all adds up.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/14841] RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[siddhesh at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14841

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |siddhesh at redhat dot com
         Resolution|INVALID                     |---

--- Comment #2 from Siddhesh Poyarekar <siddhesh at redhat dot com> ---
Reopening since I believe the NSS DNS client does set the DO bit if the flags
in _res have RES_USE_DNSSEC.  Subsequent lookups (using gethostbyname* and
res_gethostbyname*; I haven't tested getaddrinfo) will send the DO bit and
result in the resolver sending RRSIG records.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/14841] RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=14841

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  65f6f938cd562a614a68e15d0581a34b177ec29d (commit)
       via  3e3002ffead0526d088c353f97475400367087da (commit)
      from  9813dd5835fa81c2e61c188fe08e28c9f3c60c07 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=65f6f938cd562a614a68e15d0581a34b177ec29d

commit 65f6f938cd562a614a68e15d0581a34b177ec29d
Author: Eric Rannaud <e@nanocritical.com>
Date:   Tue Feb 24 13:12:26 2015 +0530

    linux: open and openat ignore 'mode' with O_TMPFILE in flags

    Both open and openat load their last argument 'mode' lazily, using
    va_arg() only if O_CREAT is found in oflag. This is wrong, mode is also
    necessary if O_TMPFILE is in oflag.

    By chance on x86_64, the problem wasn't evident when using O_TMPFILE
    with open, as the 3rd argument of open, even when not loaded with
    va_arg, is left untouched in RDX, where the syscall expects it.

    However, openat was not so lucky, and O_TMPFILE couldn't be used: mode
    is the 4th argument, in RCX, but the syscall expects its 4th argument in
    a different register than the glibc wrapper, in R10.

    Introduce a macro __OPEN_NEEDS_MODE (oflag) to test if either O_CREAT or
    O_TMPFILE is set in oflag.

    Tested on Linux x86_64.

        [BZ #17523]
        * io/fcntl.h (__OPEN_NEEDS_MODE): New macro.
        * io/bits/fcntl2.h (open): Use it.
        (openat): Likewise.
        * io/open.c (__libc_open): Likewise.
        * io/open64.c (__libc_open64): Likewise.
        * io/open64_2.c (__open64_2): Likewise.
        * io/open_2.c (__open_2): Likewise.
        * io/openat.c (__openat): Likewise.
        * io/openat64.c (__openat64): Likewise.
        * io/openat64_2.c (__openat64_2): Likewise.
        * io/openat_2.c (__openat_2): Likewise.
        * sysdeps/mach/hurd/open.c (__libc_open): Likewise.
        * sysdeps/mach/hurd/openat.c (__openat): Likewise.
        * sysdeps/posix/open64.c (__libc_open64): Likewise.
        * sysdeps/unix/sysv/linux/dl-openat64.c (openat64): Likewise.
        * sysdeps/unix/sysv/linux/generic/open.c (__libc_open): Likewise.
        (__open_nocancel): Likewise.
        * sysdeps/unix/sysv/linux/generic/open64.c (__libc_open64): Likewise.
        * sysdeps/unix/sysv/linux/open64.c (__libc_open64): Likewise.
        * sysdeps/unix/sysv/linux/openat.c (__OPENAT): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3e3002ffead0526d088c353f97475400367087da

commit 3e3002ffead0526d088c353f97475400367087da
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Tue Feb 24 12:57:26 2015 +0530

    Skip logging for DNSSEC responses [BZ 14841]

    DNSSEC defines a number of response types that one me expect when the
    DO bit is set.  We don't process any of them, but since we do allow
    setting the DO bit, skip them without logging an error since it is
    only a nuisance.

    Tested on x86_64.

        [BZ #14841]
        * resolv/gethnamaddr.c (getanswer): Skip logging if
        RES_USE_DNSSEC is set.
        * resolv/nss_dns/dns-host.c (getanswer_r): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                |   31 ++++++++++++++++++++++++++++++
 NEWS                                     |    6 ++--
 io/bits/fcntl2.h                         |   18 ++++++++--------
 io/fcntl.h                               |   14 +++++++++++-
 io/open.c                                |    4 +-
 io/open64.c                              |    4 +-
 io/open64_2.c                            |    4 +-
 io/open_2.c                              |    4 +-
 io/openat.c                              |    4 +-
 io/openat64.c                            |    4 +-
 io/openat64_2.c                          |    4 +-
 io/openat_2.c                            |    4 +-
 resolv/gethnamaddr.c                     |   25 +++++++++--------------
 resolv/nss_dns/dns-host.c                |   23 +++++++--------------
 sysdeps/mach/hurd/open.c                 |    4 +-
 sysdeps/mach/hurd/openat.c               |    4 +-
 sysdeps/posix/open64.c                   |    4 +-
 sysdeps/unix/sysv/linux/dl-openat64.c    |    2 +-
 sysdeps/unix/sysv/linux/generic/open.c   |    6 ++--
 sysdeps/unix/sysv/linux/generic/open64.c |    4 +-
 sysdeps/unix/sysv/linux/open64.c         |    4 +-
 sysdeps/unix/sysv/linux/openat.c         |    6 ++--
 22 files changed, 106 insertions(+), 77 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/14841] RRSIG confuses getaddrinfo: getaddrinfo*.gaih_getanswer: got type "46"

[siddhesh at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14841

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Siddhesh Poyarekar <siddhesh at redhat dot com> ---
Fixed in master.

-- 
You are receiving this mail because:
You are on the CC list for the bug.