public inbox for glibc-cvs@sourceware.org
From: Stefan Liebler <stli@sourceware.org>
To: glibc-cvs@sourceware.org
Subject: [glibc] resolv: Fix endless loop in __res_context_query
Date: Thu, 11 Jan 2024 15:39:24 +0000 (GMT)
Message-ID: <20240111153924.85C503857BB2@sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0aabf15a3515a996bd415ff37e29326286c8007e

commit 0aabf15a3515a996bd415ff37e29326286c8007e
Author: Stefan Liebler <stli@linux.ibm.com>
Date:   Thu Jan 11 14:01:18 2024 +0100

    resolv: Fix endless loop in __res_context_query
    
    Starting with commit 40c0add7d48739f5d89ebba255c1df26629a76e2
    "resolve: Remove __res_context_query alloca usage"
    there is an endless loop in __res_context_query if
    __res_context_mkquery fails e.g. if type is invalid.  Then the
    scratch buffer is resized to MAXPACKET size and it is retried again.
    
    Before the mentioned commit, it was retried only once and with the
    mentioned commit, there is no check and it retries in an endless loop.
    
    This is observable with xtest resolv/tst-resolv-qtypes which times out
    after 300s.
    
    This patch retries mkquery only once as before the mentioned commit.
    Furthermore, scratch_buffer_set_array_size is now only called with
    nelem=2 if type is T_QUERY_A_AND_AAAA (also see mentioned commit).
    The test tst-resolv-qtypes is also adjusted to verify that <func>
    is really returning with -1 in case of an invalid type.
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

Diff:
---
 resolv/res_query.c         | 8 ++++++--
 resolv/tst-resolv-qtypes.c | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/resolv/res_query.c b/resolv/res_query.c
index 1b148a2a05..bd55453552 100644
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -81,6 +81,7 @@
 #include <string.h>
 #include <shlib-compat.h>
 #include <scratch_buffer.h>
+#include <stdbool.h>
 
 #if PACKETSZ > 65536
 #define MAXPACKET	PACKETSZ
@@ -116,6 +117,7 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 	UHEADER *hp = (UHEADER *) answer;
 	UHEADER *hp2;
 	int n;
+	bool retried = false;
 
 	/* It requires 2 times QUERYSIZE for type == T_QUERY_A_AND_AAAA.  */
 	struct scratch_buffer buf;
@@ -182,13 +184,15 @@ __res_context_query (struct resolv_context *ctx, const char *name,
 	    nquery1 = n;
 	  }
 
-	if (__glibc_unlikely (n <= 0)) {
+	if (__glibc_unlikely (n <= 0) && !retried) {
 		/* Retry just in case res_nmkquery failed because of too
 		   short buffer.  Shouldn't happen.  */
 		if (scratch_buffer_set_array_size (&buf,
-						   T_QUERY_A_AND_AAAA ? 2 : 1,
+						   (type == T_QUERY_A_AND_AAAA)
+						   ? 2 : 1,
 						   MAXPACKET)) {
 			query1 = buf.data;
+			retried = true;
 			goto again;
 		}
 	}
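Review bot: The comment inside the block still reads "Retry just in case res_nmkquery failed because of too short buffer" and does not say that the retry is now limited to one attempt; state that next to the `!retried` condition so the bound is not lost again in a later rewrite. With `&& !retried`, a second failure skips this block while n is still <= 0, and the code that handles that case lies outside the hunk, so please confirm it returns the error without touching query1. An invalid type cannot be cured by a larger buffer, so if __res_context_mkquery can tell a size failure from an argument failure, the retry could be restricted to the size case.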
diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
index 3fa566c7ea..973c4e15d3 100644
--- a/resolv/tst-resolv-qtypes.c
+++ b/resolv/tst-resolv-qtypes.c
@@ -154,8 +154,8 @@ test_function (const char *fname,
         }
     }
 
-  TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
-  TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
+  TEST_VERIFY (func (-1, buf, sizeof (buf)) == -1);
+  TEST_VERIFY (func (65536, buf, sizeof (buf)) == -1);
 }
 
 static int
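Review bot: The two corrected TEST_VERIFY lines carry no comment saying they are the regression check for the endless retry, and they only cover the types -1 and 65536. The old form passed `sizeof (buf) == -1` (that is, 0) as the length and only checked for a nonzero return, so the -1 result was never verified; a one-line comment above these calls would keep the parentheses from being "simplified" back. If func also reports the failure through h_errno, assert that here as well.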
