[nsd-users] nsd-zonec SIGSEGV when record is longer than 255 characters

Ilya Bakulin Ilya_Bakulin at genua.de
Mon Aug 27 14:02:18 UTC 2012


Hi,
We have found incorrect processing of long records by nsd-zonec.
Suppose we have such record in zone file:
>>>>>>>>>>>>>>>>>>
longrecord                             TXT     "aaa....aaa"
>>>>>>>>>>>>>>>>>>
where "aaa...aaa" is longer than 255 characters. Then by parsing this zone 
file nsd-zonec prints error message and then segfaults:

>>>>>>>>>>>>>>>>>>
root at ggd114:# nsd-zonec -c /cage/nsd/etc/nsd-auth_policy.conf
/cage/nsd/var/nsd/zones/second_zone.zone:15: error: text string is longer than 
255 characters, try splitting it into multiple parts
Segmentation fault (core dumped)
>>>>>>>>>>>>>>>>>>

gdb output:
>>>>>>>>>>>>>>>>>>
$ gdb obj/nsd-zonec nsd-zonec.core                                                                       
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.1"...
Core was generated by `nsd-zonec'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libcrypto.so.20.1...done.
Loaded symbols for /usr/lib/libcrypto.so.20.1
Reading symbols from /usr/lib/libc.so.62.0...done.
Loaded symbols for /usr/lib/libc.so.62.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1) 
at /data/home/ibaku/nsd/zonec.c:970
970             if ((size_t)rd->data[0] + (size_t)data[0] > 65535) {
(gdb) bt
#0  0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1) 
at /data/home/ibaku/nsd/zonec.c:970
#1  0x1c01b3ad in yyparse () at zparser.y:337
#2  0x1c016392 in zone_read (name=0x88904350 "zone2", 
    zonefile=0x88904384 "/cage/nsd/var/nsd/zones/second_zone.zone", 
nsd_options=0x88904000)
    at /data/home/ibaku/nsd/zonec.c:1418
#3  0x1c016980 in main (argc=0, argv=0x0) at /data/home/ibaku/nsd/zonec.c:1605
>>>>>>>>>>>>>>>>>>

The real problem is that the function zparser_conv_text() returns NULL pointer 
when it tries to process this long string. This is then used without further 
checks at zonec.c:970, that causes null pointer dereference.

I'm not sure how to better fix this, but probably it's safe to return _some_ 
valid pointer to let nsd-zonec scan file to the end and produce error output 
without coredumping. I have tested this and it works.

Thanks!

--
Best regards,
Ilya Bakulin

genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120827/5b71a4bb/attachment.bin>


More information about the nsd-users mailing list