Using tcpdump in a firewall with 5.5 (also happens with 5.4 and I guess with
current) and certain addresses of the LAN I always got a segfault.

It is a bug within the function gethostbyaddr. It can be reproduced with the minimal test program available at:
http://openbsd.7691.n7.nabble.com/problem-with-gethostbyaddr-on-OBSD-5-4-td242329.html
and the following steps:

1. Create an entry in /etc/hosts with an IP address but without a name, for example:
        echo 192.168.1.89 >> /etc/hosts
2. Compile the test program from the link:
        cc -o gethostbyaddr gethostbyaddr.c
3. Run the test program with the address added to /etc/hosts without a name:
        ./gethostbyaddr 192.168.1.89

Using gdb to trace the problem I got:

Loaded symbols for /home/vtamara/comp/OpenBSD/buggethostbyaddr/gethostbyaddr
Reading symbols from /usr/lib/libc.so.73.1...done.
Loaded symbols for /usr/lib/libc.so.73.1
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  0x000018d69baa2ba2 in strlen (str=0x0)
   at /usr/src/lib/libc/string/strlen.c:43
43              for (s = str; *s; ++s)
(gdb) bt
#0  0x000018d69baa2ba2 in strlen (str=0x0)
   at /usr/src/lib/libc/string/strlen.c:43
#1 0x000018d69ba68d91 in hostent_set_cname (h=0x18d69bee9800, name=0x0, isdname=Variable "isdname" is not available.
) at /usr/src/lib/libc/asr/gethostnamadr_async.c:579
#2 0x000018d69ba696bd in gethostnamadr_async_run (as=0x18d6957d3d00, ar=0x7f7fffff69c0) at /usr/src/lib/libc/asr/gethostnamadr_async.c:451
#3  0x000018d69ba8078c in asr_async_run (as=0x18d6957d3d00, ar=0x7f7fffff69c0)
   at /usr/src/lib/libc/asr/asr.c:197
#4 0x000018d69ba8085b in asr_async_run_sync (as=0x18d6957d3d00, ar=0x7f7fffff69c0) at /usr/src/lib/libc/asr/asr.c:222
#5  0x000018d69ba68824 in gethostbyaddr (addr=0x7f7fffff6a80, len=4, af=2)
   at /usr/src/lib/libc/asr/gethostnamadr.c:179
#6  0x000018d495400fbb in main ()
  from /home/vtamara/comp/OpenBSD/buggethostbyaddr/gethostbyaddr

As shown, hostent_set_cname receives name as NULL and tries to call strlen with it; a simple patch is attached.

--
Dios, gracias por tu amor infinito.
-- Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/
 http://www.pasosdejesus.org/dominio_publico_colombia.html

diff -ruN src55-orig/lib/libc/asr/gethostnamadr_async.c src/lib/libc/asr/gethostnamadr_async.c
--- src55-orig/lib/libc/asr/gethostnamadr_async.c       Wed Feb 26 15:00:08 2014
+++ src/lib/libc/asr/gethostnamadr_async.c      Mon Aug 25 15:34:18 2014
@@ -565,7 +565,7 @@
        char    buf[MAXDNAME];
        size_t  n;
 
-       if (h->h.h_name)
+       if (h->h.h_name || name == NULL)
                return (-1);
 
        if (isdname) {
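Review bot: the added `|| name == NULL` folds two different reasons for returning -1 into one early return (cname already set, and no name supplied), which hides the intent of the fix; a separate `if (name == NULL) return (-1);` with a one-line comment that an address-only hosts(5) line reaches here with no name would document why the check exists. The hunk also shows only the callee side: the backtrace has the NULL coming from gethostnamadr_async_run at gethostnamadr_async.c:451, and that caller's handling of the new -1 is not visible here, so it should be confirmed that the lookup now skips or fails the nameless entry cleanly rather than tripping a different failure, and it is worth considering rejecting the nameless line where the hosts file is parsed so the NULL never propagates this far.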
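To make the failure mode concrete, here is an added example, written for this page and not taken from the report, from OpenBSD or from libc: a minimal hosts(5) line parser that shows how an address-only line yields a NULL hostname, a cname setter shaped like the hostent_set_cname in the backtrace that rejects NULL instead of calling strlen on it, and a reverse lookup and audit count built on top. All names (SAMPLE_HOSTS, parse_hosts_line, set_cname, lookup_addr, lookup_rc, lookup_name_is, count_nameless_entries) are invented for the illustration, and the sample hosts text is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#ifndef MAXDNAME
#define MAXDNAME 256
#endif

/* Constructed sample hosts(5) text. The second line is an address with no
 * hostname, the kind of entry the report says triggers the crash. */
const char SAMPLE_HOSTS[] =
    "127.0.0.1 localhost\n"
    "192.168.1.89\n"
    "# comment line\n"
    "\n"
    "192.168.1.90 fw.example.org fw\n";

struct host_entry {
    char addr[64];
    char name_buf[MAXDNAME];
    char *name;                 /* NULL when the line carried no hostname */
};

/* Copy the next line of text into `line`; returns 0 once text is exhausted. */
static int read_line(const char **pp, char *line, size_t n)
{
    const char *p = *pp, *nl;
    size_t len;

    if (*p == '\0')
        return 0;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n)
        len = n - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    *pp = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Parse one hosts(5) line: "<address> [<canonical name> [aliases...]]".
 * Returns 1 for an entry (possibly nameless), 0 for blank or comment lines. */
static int parse_hosts_line(char *line, struct host_entry *e)
{
    char *hash, *tok, *save;

    if ((hash = strchr(line, '#')) != NULL)
        *hash = '\0';
    if ((tok = strtok_r(line, " \t\r", &save)) == NULL)
        return 0;
    snprintf(e->addr, sizeof(e->addr), "%s", tok);
    if ((tok = strtok_r(NULL, " \t\r", &save)) == NULL) {
        e->name = NULL;         /* address-only line: no canonical name */
        return 1;
    }
    snprintf(e->name_buf, sizeof(e->name_buf), "%s", tok);
    e->name = e->name_buf;
    return 1;
}

/* Same shape as hostent_set_cname() in the backtrace: store the canonical
 * name once. The unpatched code called strlen(name) before checking it;
 * here a NULL name is rejected with -1, which is what the patch does. */
static int set_cname(char *dst, size_t dstlen, const char *name)
{
    if (name == NULL || strlen(name) >= dstlen)
        return -1;
    memcpy(dst, name, strlen(name) + 1);
    return 0;
}

/* Reverse lookup over hosts text: 0 = found, name stored in `out`;
 * -1 = matching entry without a usable name; -2 = no entry for `addr`. */
int lookup_addr(const char *text, const char *addr, char *out, size_t outlen)
{
    char line[512];
    struct host_entry e;

    while (read_line(&text, line, sizeof(line)))
        if (parse_hosts_line(line, &e) && strcmp(e.addr, addr) == 0)
            return set_cname(out, outlen, e.name);
    return -2;
}

/* Return code only, for callers that do not need the name. */
int lookup_rc(const char *text, const char *addr)
{
    char out[MAXDNAME];
    return lookup_addr(text, addr, out, sizeof(out));
}

/* 1 if the lookup of `addr` succeeds and yields exactly `expected`. */
int lookup_name_is(const char *text, const char *addr, const char *expected)
{
    char out[MAXDNAME];
    return lookup_addr(text, addr, out, sizeof(out)) == 0 &&
        strcmp(out, expected) == 0;
}

/* Audit helper: count address-only entries, i.e. the lines that would have
 * reached hostent_set_cname with name == NULL before the fix. */
int count_nameless_entries(const char *text)
{
    char line[512];
    struct host_entry e;
    int n = 0;

    while (read_line(&text, line, sizeof(line)))
        if (parse_hosts_line(line, &e) && e.name == NULL)
            n++;
    return n;
}
```

Running count_nameless_entries over the contents of a real /etc/hosts is the quick check an administrator can do on an unpatched system to see whether any entry could trigger this crash; lookup_rc returns -1 for such an entry instead of dereferencing NULL, which is the behaviour the one-line patch restores in libc.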
