Hi, I had sendmail crashes because of invalid pointers in _res.dnsrch. I have 4 nameservers in /etc/resolv.conf, the last one is IPv6.
/usr/include/resolv.h: #define MAXNS 3 /* max # name servers we'll track */ struct __res_state { ... struct sockaddr_in nsaddr_list[MAXNS]; /* address of name server */ unsigned short id; /* current message id */ char *dnsrch[MAXDNSRCH+1]; /* components of domain to search */ After calling res_init(3), _res.dnsrch contained part of the IPv6 nameserver address as pointer. The reason is a missing overflow check when filling _res.nsaddr_list. The sendmail crashes started when I updated and recomiled my libc today. I have no idea, why this bug did not appear before. ok? bluhm Index: lib/libc/asr/res_init.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/lib/libc/asr/res_init.c,v retrieving revision 1.6 diff -u -p -r1.6 res_init.c --- lib/libc/asr/res_init.c 5 Oct 2015 02:57:16 -0000 1.6 +++ lib/libc/asr/res_init.c 5 Nov 2015 21:30:08 -0000 @@ -39,7 +39,7 @@ res_init(void) { _THREAD_PRIVATE_MUTEX(init); struct asr_ctx *ac; - int i; + int i, j; ac = _asr_use_resolver(NULL); @@ -58,9 +58,13 @@ res_init(void) strlcpy(_res.lookups, ac->ac_db, sizeof(_res.lookups)); _res.nscount = ac->ac_nscount; - for (i = 0; i < ac->ac_nscount; i++) { - memcpy(&_res.nsaddr_list[i], ac->ac_ns[i], + for (i = 0, j = 0; i < ac->ac_nscount && j < MAXNS; i++) { + if (ac->ac_ns[i]->sa_family != AF_INET || + ac->ac_ns[i]->sa_len > sizeof(_res.nsaddr_list[j])) + continue; + memcpy(&_res.nsaddr_list[j], ac->ac_ns[i], ac->ac_ns[i]->sa_len); + j++; } _res.options |= RES_INIT; }