public inbox for glibc-bugs@sourceware.org
* [Bug libc/31025] New: infinite loop in sortlist handling
@ 2023-11-01 21:43 joshua at joshua dot hu
2023-11-02 10:07 ` [Bug network/31025] " joshua at joshua dot hu
From: joshua at joshua dot hu @ 2023-11-01 21:43 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31025
Bug ID: 31025
Summary: infinite loop in sortlist handling
Product: glibc
Version: 2.40
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: joshua at joshua dot hu
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security?
Hi there,
I have found an infinite loop in resolv's handling of the "sortlist" option.
The issue resides in resolv/res_init.c:

  while (true)
    {
      while (*cp == ' ' || *cp == '\t')
        cp++;
      if (*cp == '\0' || *cp == '\n' || *cp == ';')
        break;
      char *net = cp;
      while (*cp && !is_sort_mask (*cp) && *cp != ';'
             && isascii (*cp) && !isspace (*cp))
        cp++;
      char separator = *cp;
      *cp = 0;
      struct resolv_sortlist_entry e;
      if (__inet_aton (net, &a))
        {
          [..]
        }
      *cp = separator;
    }

If __inet_aton() returns false, the value of the sortlist option is repeatedly
tried over and over, leading to an infinite loop.
A quick example:

  printf "sortlist 192.0\3212.0" >> /etc/resolv.conf ; ping example.com

Setting this option on some types of embedded devices (think: switches, modems,
BMCs, and so on, which likely have some type of option to change
/etc/resolv.conf) will likely leave them completely bricked after a reboot. Any
call to res_init, either implicit or explicit, will hang forever.
I'm not sure of the best fix here, as it's not obvious to me whether invalid
sortlist values are "allowed" (in the sense that they are skipped and
processing continues if there are still other values), or one invalid value
negates the whole line.
Cheers,
Josh
--
You are receiving this mail because:
You are on the CC list for the bug.
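
The stall described in the report above, as an added example that is not part of the original message or of glibc: a stand-alone C model of the quoted loop, run once with the failure path as quoted and once with a variant that skips a rejected token. `parse_sortlist`, `skip_token`, the iteration budget and the skip-and-continue policy are assumptions of this example, and the elided `[..]` mask handling is replaced by a plain skip.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* '/' or '&' starts a mask (assumed to match the quoted is_sort_mask). */
static bool is_sort_mask(char ch) { return ch == '/' || ch == '&'; }
/* Example helper: advance to a byte the top of the loop consumes. */
static char *skip_token(char *cp)
{
    while (*cp && *cp != ' ' && *cp != '\t' && *cp != '\n' && *cp != ';')
        cp++;
    return cp;
}
/* Model of the quoted loop. Returns the number of addresses accepted, or -1
   if `budget` iterations pass without reaching the end of the value (a stall).
   hardened=false keeps the quoted failure path; true skips a rejected token. */
int parse_sortlist(char *cp, bool hardened, int budget)
{
    int accepted = 0;
    struct in_addr a;
    while (budget-- > 0) {
        while (*cp == ' ' || *cp == '\t')
            cp++;
        if (*cp == '\0' || *cp == '\n' || *cp == ';')
            return accepted;
        char *net = cp;
        while (*cp && !is_sort_mask(*cp) && *cp != ';'
               && isascii((unsigned char)*cp) && !isspace((unsigned char)*cp))
            cp++;
        char separator = *cp;
        *cp = 0;
        bool ok = inet_aton(net, &a) != 0;
        *cp = separator;
        if (ok) {
            accepted++;
            if (is_sort_mask(separator))
                cp = skip_token(cp);  /* simplification: mask is not parsed */
        } else if (hardened) {
            cp = skip_token(cp);      /* guarantees progress past rejected bytes */
        }
    }
    return -1;
}

int main(void)
{
    char v[] = "192.0\3212.0", h[] = "192.0\3212.0"; /* value from the report */
    printf("%d %d\n", parse_sortlist(v, false, 1000), parse_sortlist(h, true, 1000));
}
```

With the quoted failure path the loop fails to advance only when the token scan consumes zero bytes, which is the case the hardened branch covers.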
* [Bug network/31025] infinite loop in sortlist handling
2023-11-01 21:43 [Bug libc/31025] New: infinite loop in sortlist handling joshua at joshua dot hu
@ 2023-11-02 10:07 ` joshua at joshua dot hu
From: joshua at joshua dot hu @ 2023-11-02 10:07 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31025
Joshua Rogers <joshua at joshua dot hu> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |network