From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 64B183858D28; Wed, 1 Nov 2023 21:43:08 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 64B183858D28 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1698874988; bh=FDoqpICUzOdgZBxIbeVLKJpwsCMHmMUxNB1JGK9BJXM=; h=From:To:Subject:Date:From; b=nzHpGpCqLMxFVUAYLlBjUlukecMn0ACd6V3eME/2D9iwImAL/UpGHppeY+KWJD7wt m3MW9uhJBohZKJ3XADMAQLe6B5yFywlSUZlSdwx9oKM0GgJK744lwwvS9HyoIYvLZh p9P1bO0VspgZ2gS/lP0035WQ2CQhVgXc/XzDc5Ik= From: "joshua at joshua dot hu" To: glibc-bugs@sourceware.org Subject: [Bug libc/31025] New: infinite loop in sortlist handling Date: Wed, 01 Nov 2023 21:43:07 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.40 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: joshua at joshua dot hu X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security? X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone flagtypes.name Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=3D31025 Bug ID: 31025 Summary: infinite loop in sortlist handling Product: glibc Version: 2.40 Status: UNCONFIRMED Severity: normal Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: joshua at joshua dot hu CC: drepper.fsp at gmail dot com Target Milestone: --- Flags: security? Hi there, I have found an infinite loop in resolv's handling of the "sortlist" option. The issue resides in resolv/res_init.c: while (true) { while (*cp =3D=3D ' ' || *cp =3D=3D '\t') cp++; if (*cp =3D=3D '\0' || *cp =3D=3D '\n' || *cp =3D=3D ';') break; char *net =3D cp; while (*cp && !is_sort_mask (*cp) && *cp !=3D ';' && isascii (*cp) && !isspace (*cp)) cp++; char separator =3D *cp; *cp =3D 0; struct resolv_sortlist_entry e; if (__inet_aton (net, &a)) { [..] } *cp =3D separator; } If __inet_aton() returns false, the value of the sortlist option is repeate= dly tried over and over, leading to an infinite loop. A quick example: printf "sortlist 192.0\3212.0" >> /etc/resolv.conf ; ping example.com Setting this option on some type of embedded devices (think: switches, mode= ms, BMCs, and so on, which likely have some type of option to change /etc/resolv.conf) will likely be completely bricked after a reboot. Any cal= l to res_init either implicitly or explicitly will hang forever. I'm not sure the best fix here, as it's not obvious to me whether invalid sortlist values are "allowed" (in the sense that they are skipped and processing continues if there is still other values), or one invalid value negates the whole line. Cheers, Josh --=20 You are receiving this mail because: You are on the CC list for the bug.=