Ilya Bakulin
2012-Aug-27 14:02 UTC
[nsd-users] nsd-zonec SIGSEGV when record is longer than 255 characters
Hi,

We have found incorrect processing of long records by nsd-zonec. Suppose we have the following record in a zone file:

    longrecord TXT "aaa....aaa"

where "aaa...aaa" is longer than 255 characters. Then, while parsing this zone file, nsd-zonec prints an error message and segfaults:

    root@ggd114:# nsd-zonec -c /cage/nsd/etc/nsd-auth_policy.conf
    /cage/nsd/var/nsd/zones/second_zone.zone:15: error: text string is longer than 255 characters, try splitting it into multiple parts
    Segmentation fault (core dumped)

gdb output:

    $ gdb obj/nsd-zonec nsd-zonec.core
    GNU gdb 6.3
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-openbsd5.1"...
    Core was generated by `nsd-zonec'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/lib/libcrypto.so.20.1...done.
    Loaded symbols for /usr/lib/libcrypto.so.20.1
    Reading symbols from /usr/lib/libc.so.62.0...done.
    Loaded symbols for /usr/lib/libc.so.62.0
    Reading symbols from /usr/libexec/ld.so...done.
    Loaded symbols for /usr/libexec/ld.so
    #0  0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1) at /data/home/ibaku/nsd/zonec.c:970
    970             if ((size_t)rd->data[0] + (size_t)data[0] > 65535) {
    (gdb) bt
    #0  0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1) at /data/home/ibaku/nsd/zonec.c:970
    #1  0x1c01b3ad in yyparse () at zparser.y:337
    #2  0x1c016392 in zone_read (name=0x88904350 "zone2", zonefile=0x88904384 "/cage/nsd/var/nsd/zones/second_zone.zone", nsd_options=0x88904000) at /data/home/ibaku/nsd/zonec.c:1418
    #3  0x1c016980 in main (argc=0, argv=0x0) at /data/home/ibaku/nsd/zonec.c:1605

The real problem is that the function zparser_conv_text() returns a NULL pointer when it tries to process this long string. This is then used without further checks at zonec.c:970, which causes a null pointer dereference.

I'm not sure how to better fix this, but probably it's safe to return _some_ valid pointer to let nsd-zonec scan the file to the end and produce error output without coredumping. I have tested this and it works.

Thanks!

-- 
Best regards,
Ilya Bakulin

genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck.
Amtsgericht Muenchen HRB 98238
Yuri Schaeffer
2012-Aug-27 15:41 UTC
[nsd-users] nsd-zonec SIGSEGV when record is longer than 255 characters
Hi Ilya,

Thank you for reporting.

> I'm not sure how to better fix this, but probably it's safe to return _some_
> valid pointer to let nsd-zonec scan file to the end and produce error output
> without coredumping. I have tested this and it works.

I agree. A fix has been applied to the NSD_3_2 branch in r3639. Zonec simply continues with the first 255 characters.

Regards,
Yuri Schaeffer
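The following is an added example, not NSD's code and not the r3639 fix itself. It models the two behaviours the thread describes: a text-to-wire converter that returns NULL for a string longer than 255 octets (the unchecked NULL that crashed zadd_rdata_txt_wireformat in the report), and the truncating alternative the reply describes (continue with the first 255 characters). The function names (txt_to_wire_strict, txt_to_wire_truncate, txt_rdata_append, build_txt), the txt_rdata struct and the 300-character sample record are all constructed for this example; only the 255-octet character-string limit and the 65535-octet RDATA limit are DNS facts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TXT_MAX 255       /* a DNS character-string carries at most 255 octets */
#define RDATA_MAX 65535   /* RDATA length is a 16-bit field */

/* Convert text into one wire-format character-string: a length octet
 * followed by the octets. Returns a malloc'ed buffer, or NULL when the text
 * exceeds 255 octets (the NULL return the report describes). Hypothetical. */
uint8_t *txt_to_wire_strict(const char *text, size_t len) {
    if (len > TXT_MAX) return NULL;
    uint8_t *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    buf[0] = (uint8_t)len;
    memcpy(buf + 1, text, len);
    return buf;
}

/* Truncating variant, modelled on the fix described in the reply: keep the
 * first 255 octets and tell the caller, so the error is still reported while
 * parsing continues to the end of the file. Hypothetical. */
uint8_t *txt_to_wire_truncate(const char *text, size_t len, int *truncated) {
    *truncated = (len > TXT_MAX);
    return txt_to_wire_strict(text, len > TXT_MAX ? TXT_MAX : len);
}

/* Accumulated TXT rdata: concatenated character-strings plus used length. */
typedef struct {
    uint8_t wire[RDATA_MAX];
    size_t total;
} txt_rdata;

/* Append one character-string. The NULL check is the one missing at the
 * crash site in the report; without it, cs[0] dereferences a null pointer. */
int txt_rdata_append(txt_rdata *rd, const uint8_t *cs) {
    if (cs == NULL) return -1;
    size_t cs_len = (size_t)cs[0] + 1;
    if (rd->total + cs_len > RDATA_MAX) return -1;   /* would overflow 16-bit RDLENGTH */
    memcpy(rd->wire + rd->total, cs, cs_len);
    rd->total += cs_len;
    return 0;
}

/* Build TXT rdata from the quoted parts of one record. Returns the number of
 * errors; an over-long part is reported and either skipped (strict mode) or
 * truncated (truncate mode), and scanning continues either way. */
size_t build_txt(txt_rdata *rd, const char **parts, size_t n, int truncate) {
    size_t errors = 0;
    rd->total = 0;
    for (size_t i = 0; i < n; i++) {
        int truncated = 0;
        size_t len = strlen(parts[i]);
        uint8_t *cs = truncate ? txt_to_wire_truncate(parts[i], len, &truncated)
                               : txt_to_wire_strict(parts[i], len);
        if (cs == NULL || truncated) {
            fprintf(stderr, "error: text string is longer than %d characters, "
                            "try splitting it into multiple parts\n", TXT_MAX);
            errors++;
        }
        if (cs == NULL) continue;          /* nothing to append; keep scanning */
        if (txt_rdata_append(rd, cs) != 0) errors++;
        free(cs);
    }
    return errors;
}

/* Constructed sample mirroring the report: one TXT part of 300 'a's. */
static size_t demo_long_record(int truncate, size_t *wire_len) {
    static char text[301];
    memset(text, 'a', 300);
    text[300] = '\0';
    const char *parts[] = { text };
    static txt_rdata rd;
    size_t errors = build_txt(&rd, parts, 1, truncate);
    *wire_len = rd.total;
    return errors;
}

size_t demo_errors(int truncate)   { size_t n; return demo_long_record(truncate, &n); }
size_t demo_wire_len(int truncate) { size_t n; demo_long_record(truncate, &n); return n; }

/* A well-formed record split into two parts, as the error message advises. */
size_t demo_split_record(void) {
    const char *parts[] = { "aaa", "bbb" };
    static txt_rdata rd;
    if (build_txt(&rd, parts, 2, 0) != 0) return 0;
    return rd.total;   /* 2 * (1 length octet + 3 octets) = 8 */
}

int main(void) {
    printf("strict:   errors=%zu wire_len=%zu\n", demo_errors(0), demo_wire_len(0));
    printf("truncate: errors=%zu wire_len=%zu\n", demo_errors(1), demo_wire_len(1));
    printf("split:    wire_len=%zu\n", demo_split_record());
    return 0;
}
```

In strict mode the 300-character part yields one error and no rdata, because the NULL is caught before it is dereferenced; in truncate mode the same input yields one error and 256 octets of rdata (one length octet plus 255 characters), which is the "continue with the first 255 characters" behaviour. Either way the parser reports the line and reaches the end of the file instead of dumping core.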