Ubuntu
glibc package

EDNS0: res_nopt truncates buffer size incorrectly

Bug #395196 reported by Hauke Lampe
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GLibC
Fix Released
Low
glibc (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Resolver functions allow buffer sizes > 65535 bytes. If RES_USE_EDNS0 is set, res_nopt() truncates this value to 16 bit, resulting in an incorrect buffer size advertised in EDNS query headers.

portable OpenSSH triggers this behaviour, as described here:
http://marc.info/?l=openssh-unix-dev&m=124625332427704&w=2

openbsd-compat/getrrsetbyname() sets a buffer size of 65536 bytes. In the glibc stub-resolver, it is eventually passed on as "anslen" to __res_nopt() in resolv/res_mkquery.c:
[...]
        NS_PUT16(anslen & 0xffff, cp); /* CLASS = UDP payload size */

and sent out to the recursor (UDPsize: 0xf0000 & 0xffff == 0)

| IP 127.0.0.1.44138 > 127.0.0.1.53: 31454+ [1au] SSHFP?
orbit.attraktor.org. ar: . OPT UDPsize=0 (48)
| IP 127.0.0.1.53 > 127.0.0.1.44138: 31454 ServFail-| [0q] 0/0/0 (12)

Revision history for this message
Hauke Lampe (hauke) wrote :
Revision history for this message
In , Bugzilla-webform (bugzilla-webform) wrote :

Resolver functions allow buffer sizes > 65535 bytes. If RES_USE_EDNS0 is set,
res_nopt() truncates this value to 16 bit, resulting in an incorrect buffer size
advertised in EDNS query headers.

portable OpenSSH triggers this behaviour, as described here:
http://marc.info/?l=openssh-unix-dev&m=124625332427704&w=2

openbsd-compat/getrrsetbyname() sets a buffer size of 65536 bytes. In the glibc
stub-resolver, it is eventually passed on as "anslen" to __res_nopt() in
resolv/res_mkquery.c:
[...]
        NS_PUT16(anslen & 0xffff, cp); /* CLASS = UDP payload size */

and sent out to the recursor (UDPsize: 0xf0000 & 0xffff == 0)

| IP 127.0.0.1.44138 > 127.0.0.1.53: 31454+ [1au] SSHFP?
orbit.attraktor.org. ar: . OPT UDPsize=0 (48)
| IP 127.0.0.1.53 > 127.0.0.1.44138: 31454 ServFail-| [0q] 0/0/0 (12)

Revision history for this message
In , Bugzilla-webform (bugzilla-webform) wrote :

Created attachment 4035
cap anslen in res_nopt() at 0xffff. assert() inserted because I'm not sure if negative values could be passed to res_nopt()

cap anslen in res_nopt() at 0xffff

assert() inserted because I'm not sure if negative values could be passed to
res_nopt()

Revision history for this message
Hauke Lampe (hauke) wrote :

reported upstream: http://sources.redhat.com/bugzilla/show_bug.cgi?id=10360

Revision history for this message
In , Drepper-fsp (drepper-fsp) wrote :

The code comes from bind upstream. I've checked in a similar patch.

Revision history for this message
Hauke Lampe (hauke) wrote :

fixed upstream:
http://sources.redhat.com/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1c0ab5bd34159d2ae53390571113844ebadc161b

Daniel Holbach (dholbach)
tags: added: patch patch-accepted-upstream
Bug Watch Updater (bug-watch-updater)
Changed in glibc:
status: Unknown → Fix Released
Revision history for this message
Matthias Klose (doko) wrote :

fixed in lucid and maverick

Changed in glibc (Ubuntu):
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in glibc:
importance: Unknown → Low
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.