This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line

From: "agl at imperialviolet dot org" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sources dot redhat dot com
Date: Fri, 7 Jan 2011 17:41:03 +0000
Subject: [Bug libc/10484] getaddrinfo segfaults if /etc/hosts has a long line
Auto-submitted: auto-generated
References: <bug-10484-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=10484

Adam Langley <agl at imperialviolet dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |agl at imperialviolet dot
                   |                            |org

--- Comment #4 from Adam Langley <agl at imperialviolet dot org> 2011-01-07 17:40:48 UTC ---
The following program will blow its stack and crash if I have an /etc/hosts
line longer than 4Kish.

---
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int main() {
  struct addrinfo hints, *res;

  memset(&hints, 0, sizeof(hints));
  hints.ai_family = PF_INET;
  getaddrinfo("www.google.com", "http", &hints, &res);

  return 0;
}
---

Setting the ai_family in the hints is required in order to reproduce the crash.

(File and line references in the following are relative to git
16c2895feabae0962e0eba2b9164c6a83014bfe4)

In sysdeps/posix/getaddrinfo.c:531 we have a loop in gaih_inet which allocas a
buffer and doubles the size of that buffer each time __gethostbyname2_r returns
with ERANGE.

The __gethostbyname2_r ends up in nss/nss_files/files-hosts.c:128:

      if (status == NSS_STATUS_SUCCESSÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ  && _res_hconf.flags & HCONF_FLAG_MULTI)ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ{ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ  /* We have to get all host entries from the file.  */ÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ  const size_t tmp_buflen = MIN (buflen, 4096);ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ  char tmp_buffer[tmp_buflen]ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ      \
ÂÂÂÂÂÂÂÂ    __attribute__ ((__aligned__ (__alignof__ (struct hostent_data))));\

Here, if HCONF_FLAG_MULTI is set then a secondary buffer is created on the
stack for the use of internal_getent. This buffer is limited to 4K in size.

internal_getent will try to read lines from /etc/hosts and it will return
ERANGE if the line (plus an internal structure) doesn't fit into |tmp_buffer|.
When this happens the loop in getaddrinfo.c will try doubling the size of its
buffer. However, |tmp_buffer| was limited to 4K so __gethostbyname2_r
repeatedly returns ERANGE and gaih_inet uselessly expands the buffer on the
stack until the program crashes.

I believe that the best solution is to replace:
  const size_t tmp_buflen = MIN (buflen, 4096);
with:
  const size_t tmp_buflen = buflen;

I can confirm that this fixes the crash for me.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]