Hi
I'm using libspf2 version 1.0.4.
I'm seeing core dumps with stack trace as -
=>[1] __ns_name_skip(0xfb5ef22c, 0xfb5f87be, 0x1ce, 0x0, 0x0, 0xce), at 0xfe5d1bc8
  [2] dn_skipname(0xfb5f77b0, 0xfb5f87be, 0xfb5f0508, 0x3, 0x29a5bac, 0xfb5f03f0), at 0xfe5d8e10
  [3] __ns_skiprr(0xfb5efc1e, 0xfb5f87be, 0x1, 0xfb5f87be, 0x4f4, 0xfb5f77b0), at 0xfe5d1f54
  [4] __ns_initparse(0xfb5f87be, 0xfb5efbbc, 0xfb5efbbc, 0x1, 0xfb5efbb8, 0xfb5efc1e), at 0xfe5d2124
  [5] SPF_dns_lookup_resolv(0x20a0378, 0xfb5f0490, 0xc, 0x1, 0xfd1e8720, 0xdb), at 0xfd1e8b4c
  [6] SPF_dns_rlookup(0x20a0378, 0xfb5f05b4, 0xc, 0x1, 0x20, 0x20), at 0xfd1e5160
  [7] SPF_eval_id(0x4d1298, 0x4c2a18, 0x20a0378, 0x1, 0x0, 0x0), at 0xfd1ebf88
  [8] SPF_result(0x4d1298, 0x20a0378, 0x0, 0xfb5f0988, 0x4cbb9c, 0x1c00), at 0xfd1e72a8
On further debugging, it looks like there is an issue with the code in the
function 'SPF_dns_lookup_resolv' (spf_dns_resolv.c).
The code that calls res_query is -
    /*
     * try resolving the name
     */
#if HAVE_DECL_RES_NINIT
    dns_len = res_nquery( &spfhook->res_state, domain, ns_c_in, rr_type,
                          response, sizeof( response ) );
#else
    dns_len = res_query( domain, ns_c_in, rr_type,
                         response, sizeof( response ) );
#endif
The Solaris manpage says -
The res_nquery() and res_query() routines return a length
that may be **bigger** than anslen. In that case, retry the
query with a larger buf. The answer to the second query may
be larger still, so it is recommended that you supply a buf
larger than the answer returned by the previous query.
answer must be large enough to receive a maximum UDP
response from the server or parts of the answer will be
silently discarded. The default maximum UDP response size
is 512 bytes.
In this core dump I saw that dns_len was greater than the response size.
response in the code is response[2048], whereas dns_len was set to 50K plus.
Calling res_nquery with this faulty length caused the core dump.
Has anyone experienced this issue before?
Any plans to fix this? I checked version 1.2.5 and the code is the same. So the
issue would exist in the latest code as well.
Could anyone point me to the bug database please?
Thanks,
Manish.
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007
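A bounded wrapper for that resolver call, added here as an example and not code from libspf2: it retries with a larger buffer when the resolver reports a length above what was offered, stops at the 64 KiB DNS message limit, and never hands a length larger than the buffer to the parser. `dns_query_bounded`, `DNS_MAX_ANSWER`, the two stubs and the demo functions are assumed names; the stubs stand in for res_query so the block runs offline.

```c
#include <stdlib.h>
/* res_query(3) signature: answer length, or -1. The real res_query fits here;
 * the stubs further down are constructed stand-ins so this runs offline. */
typedef int (*dns_query_fn)(const char *, int, int, unsigned char *, int);
#define DNS_MAX_ANSWER 65535  /* a DNS message can never exceed 64 KiB */

/* Regrow while the resolver reports more bytes than offered; never return
 * *len > *buflen, so (buf, len) is safe to hand to ns_initparse(). Caller
 * sets *buflen to the initial size. 0 on success, -1 on error or no fit. */
int dns_query_bounded(dns_query_fn query, const char *domain, int cls, int type,
                      unsigned char **buf, size_t *buflen, int *len)
{
    size_t want = *buflen; *buf = NULL; *len = -1;
    for (;;) {
        unsigned char *b = malloc(want);
        if (!b) return -1;
        int n = query(domain, cls, type, b, (int)want);
        if (n >= 0 && (size_t)n <= want) {      /* complete answer: hand out */
            *buf = b; *buflen = want; *len = n;
            return 0;
        }
        free(b);
        if (n < 0 || want >= DNS_MAX_ANSWER)    /* error, or already at cap */
            return -1;
        want = (size_t)n * 2;                   /* truncated: offer more room */
        if (want > DNS_MAX_ANSWER) want = DNS_MAX_ANSWER;
    }
}

/* Constructed stubs: the first mimics the report (50K+ claimed against a
 * 2048-byte buffer); the second always claims one byte more than offered. */
static int stub_big_answer(const char *d, int c, int t, unsigned char *a, int l)
{ (void)d; (void)c; (void)t; (void)a; (void)l; return 50000; }
static int stub_never_fits(const char *d, int c, int t, unsigned char *a, int l)
{ (void)d; (void)c; (void)t; (void)a; return l + 1; }

/* Validated length for the big answer: 50000, and never above buflen. */
int demo_big_answer_len(void)
{
    unsigned char *buf; size_t buflen = 2048; int len, rc;
    rc = dns_query_bounded(stub_big_answer, "example.com", 1, 16, &buf, &buflen, &len);
    if (rc == 0) { rc = len <= (int)buflen ? len : -2; free(buf); }
    return rc;
}

/* Gives up at the cap (-1) instead of forwarding a length past the buffer. */
int demo_never_fits_rc(void)
{
    unsigned char *buf; size_t buflen = 2048; int len;
    return dns_query_bounded(stub_never_fits, "example.com", 1, 16, &buf, &buflen, &len);
}
```

In production the same wrapper is called with res_query in place of the stub, and ns_initparse only ever sees a length that fits the buffer it is given.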