[nsd-users] nsd-zonec SIGSEGV when record is longer than 255 characters
Ilya Bakulin
Ilya_Bakulin at genua.de
Mon Aug 27 14:02:18 UTC 2012
Hi,
We have found incorrect processing of long records by nsd-zonec.
Suppose we have such record in zone file:
>>>>>>>>>>>>>>>>>>
longrecord TXT "aaa....aaa"
>>>>>>>>>>>>>>>>>>
where "aaa...aaa" is longer than 255 characters. Then by parsing this zone
file nsd-zonec prints error message and then segfaults:
>>>>>>>>>>>>>>>>>>
root at ggd114:# nsd-zonec -c /cage/nsd/etc/nsd-auth_policy.conf
/cage/nsd/var/nsd/zones/second_zone.zone:15: error: text string is longer than
255 characters, try splitting it into multiple parts
Segmentation fault (core dumped)
>>>>>>>>>>>>>>>>>>
gdb output:
>>>>>>>>>>>>>>>>>>
$ gdb obj/nsd-zonec nsd-zonec.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.1"...
Core was generated by `nsd-zonec'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libcrypto.so.20.1...done.
Loaded symbols for /usr/lib/libcrypto.so.20.1
Reading symbols from /usr/lib/libc.so.62.0...done.
Loaded symbols for /usr/lib/libc.so.62.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0 0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1)
at /data/home/ibaku/nsd/zonec.c:970
970 if ((size_t)rd->data[0] + (size_t)data[0] > 65535) {
(gdb) bt
#0 0x1c016d3d in zadd_rdata_txt_wireformat (data=0x0, first=1)
at /data/home/ibaku/nsd/zonec.c:970
#1 0x1c01b3ad in yyparse () at zparser.y:337
#2 0x1c016392 in zone_read (name=0x88904350 "zone2",
zonefile=0x88904384 "/cage/nsd/var/nsd/zones/second_zone.zone",
nsd_options=0x88904000)
at /data/home/ibaku/nsd/zonec.c:1418
#3 0x1c016980 in main (argc=0, argv=0x0) at /data/home/ibaku/nsd/zonec.c:1605
>>>>>>>>>>>>>>>>>>
The real problem is that the function zparser_conv_text() returns NULL pointer
when it tries to process this long string. This is then used without further
checks at zonec.c:970, that causes null pointer dereference.
I'm not sure how to better fix this, but probably it's safe to return _some_
valid pointer to let nsd-zonec scan file to the end and produce error output
without coredumping. I have tested this and it works.
Thanks!
--
Best regards,
Ilya Bakulin
genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120827/5b71a4bb/attachment.bin>
More information about the nsd-users
mailing list