Bug 19096

Summary: libc core dump using ftp and telnet
Product: Base System
Reporter: liveevil <liveevil>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.0-STABLE
Hardware: Any
OS: Any

Description liveevil 2000-06-07 18:00:00 UTC
Somehow a URL (easymoney.com) was able to change my default webpage to theirs.  I did a query on their domain name, and found an entry in their DNS zone file.  One of the entry names is *.exitmoney.com.  I wanted to see if I could establish a connection using that hostname.  

Here is what I got:

bash-2.03$ telnet 
telnet> o
(to) *.exitmoney.com
Segmentation fault (core dumped)

Also the same using FTP server (Version 6.00LS) 

bash-2.03$ ftp
ftp> o
(to) *.exitmoney.com
Segmentation fault (core dumped)
bash-2.03$ 

-rw-------    1 liveevil  liveevil   380928 Jun  7 12:41 telnet.core
-rw-------    1 liveevil  liveevil   454656 Jun  7 12:42 ftp.core

Fix: 

It seems like both ftp and telnet have trouble with input from host names with "*"'s in them.  I have also tried to reproduce the same results using ping, nslookup and traceroute without any luck.  I do not know how to fix this problem.
How-To-Repeat:
bash-2.03$ telnet 
telnet> o
(to) *.exitmoney.com
Segmentation fault (core dumped)

Also the same using FTP server (Version 6.00LS) 

bash-2.03$ ftp
ftp> o
(to) *.exitmoney.com
Segmentation fault (core dumped)
bash-2.03$
Comment 1 Ruslan Ermilov 2000-06-07 19:12:59 UTC
On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
> 
> Number:         19096
> Synopsis:       core dump using ftp and telnet
> Severity:       non-critical
> Priority:       low
> Release:        4.0-STABLE FreeBSD 4.0-STABLE
> 
It turns out to be the problem with libc.
Maybe, _hpcopy() should check for value of *errp???

Script started on Wed Jun  7 21:06:04 2000
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ftp'.
Program terminated with signal 11, Segmentation fault.
#0  0x807321e in _hpcopy (hp=0xbfbff4a0, errp=0xbfbff590)
    at /usr/src/lib/libc/../libc/net/name6.c:559
559				if (**pp != '\0') {
(gdb) l
554		size = sizeof(struct hostent);
555		if (hp->h_name != NULL && *hp->h_name != '\0')
556			size += strlen(hp->h_name) + 1;
557		if ((pp = hp->h_aliases) != NULL) {
558			for (i = 0; *pp != NULL; i++, pp++) {
559				if (**pp != '\0') {
560					size += strlen(*pp) + 1;
561					nalias++;
562				}
563			}
(gdb) print pp
$1 = (char **) 0xbfbff0a4
(gdb) print *pp
$2 = 0x1000100 <Address 0x1000100 out of bounds>
(gdb) up
#1  0x8074714 in _res_search_multi (name=0x80bb0a0 "*.exitmoney.com", 
    rtl=0xbfbff4dc, errp=0xbfbff590)
    at /usr/src/lib/libc/../libc/net/name6.c:1352
1352					hp = _hpcopy(&hpbuf, errp);
(gdb) l
1347					hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
1348					    ? AF_INET6 : AF_INET;
1349					hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
1350					hp = getanswer(&buf, ret, name, rtl->rtl_type,
1351							    &hpbuf, errp);
1352					hp = _hpcopy(&hpbuf, errp);
1353					hp0 = _hpmerge(hp0, hp, errp);
1354				}
1355			}
1356			if (hp0 != NULL)
(gdb) print *errp
$3 = 3
(gdb) quit

Script done on Wed Jun  7 21:07:30 2000

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
Comment 2 Ruslan Ermilov 2000-06-07 19:57:29 UTC
On Wed, Jun 07, 2000 at 11:20:01AM -0700, Ruslan Ermilov wrote:
> 
>  On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
>  > 
>  > Number:         19096
>  > Synopsis:       core dump using ftp and telnet
>  > Severity:       non-critical
>  > Priority:       low
>  > Release:        4.0-STABLE FreeBSD 4.0-STABLE
>  > 
>  It turns out to be the problem with libc.
>  Maybe, _hpcopy() should check for value of *errp???
>  
Something like this should be done (IN ALL PLACES):

Index: name6.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/net/name6.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 name6.c
--- name6.c	2000/05/13 18:46:13	1.6.2.3
+++ name6.c	2000/06/07 18:55:12
@@ -1349,7 +1349,8 @@
 				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
 				hp = getanswer(&buf, ret, name, rtl->rtl_type,
 						    &hpbuf, errp);
-				hp = _hpcopy(&hpbuf, errp);
+				if (hp != NULL)
+					hp = _hpcopy(&hpbuf, errp);
 				hp0 = _hpmerge(hp0, hp, errp);
 			}
 		}
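Review bot: the guard only covers _hpcopy(); on a failed getanswer() hp is now NULL and the unchanged next line, `hp0 = _hpmerge(hp0, hp, errp);`, still runs with that NULL. Nothing in the hunk shows _hpmerge() tolerating a NULL second argument, so either confirm that it does (the script below shows the path no longer crashes, which suggests it, but does not prove it for hp0 == NULL as well) or move the merge under the same `if (hp != NULL)`. The trace above shows hpbuf.h_aliases pointing at 0x1000100 after the failed lookup, so the same check is needed at every call site that hands _hpcopy() a possibly unpopulated hpbuf, as the "IN ALL PLACES" remark says; the first suggestion, having _hpcopy() return NULL when *errp is set (it was 3 here), would cover all of them in one place.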


Which gives the correct behaviour:

Script started on Wed Jun  7 21:53:48 2000
ftp: *.exitmoney.com: Non-recoverable failure in name resolution
ftp> quit

Script done on Wed Jun  7 21:53:50 2000

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
Comment 3 vladimir 2000-06-11 02:30:52 UTC
I just submitted a bug report yesterday that didn't seem to make it 
to the database about
"gethostbyname() fails if there are 'bad' chars in the hostname", 
with an equivalent fix.   The failure happens when the hostname
resolves,  but has 'illegal' chars in it, for example, 
mail_dxb.zu.ac.ae (I found this one when I noticed that our
inetd is dumping core).

Hopefully someone closes my bug report if it makes it to the 
database, because #19096 is essentially the same thing.

	Vladimir
	vladimir@math.uic.edu
Comment 4 ru freebsd_committer freebsd_triage 2000-07-03 09:22:31 UTC
State Changed
From-To: open->closed

Fixed in src/lib/libc/net/name6.c, revs 1.13 (HEAD) and 1.6.2.4 (RELENG_4).