False failure in capsforid fallback due to additional rrset ordering

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Feb 14 08:17:38 UTC 2019


Hi Jacob,

On 2/14/19 6:29 AM, Jacob Hoffman-Andrews via Unbound-users wrote:
> On 2/4/19 7:24 AM, Wouter Wijngaards via Unbound-users wrote:
>>> That's not a problem in itself, but I believe Unbound may be
>>> occasionally triggering a false positive failure during capsforid
>>> fallback.
>>
>> Thanks for the detailed report.  Yes, you are right, it should get
>> sorted.  I have made a fix, also in the code repository that sorts the
>> rrsets before comparison.
> 
> Thanks very much for writing this patch. I've been doing some local
> testing and have found a segfault. To produce the segfault, I used
> https://github.com/letsencrypt/dns-lots-of-lookups, which simply does a
> lot of lookups for a long list of names. I suspect any long list of name
> would do but I can provide an example if it would be helpful.

Thank you for the details.  I think the patch below can fix the issue.
It was dereferencing the pointer, instead of the pointer to the pointer.

The fix is also in the code repository.

Best regards, Wouter


Index: iterator/iter_utils.c
===================================================================
--- iterator/iter_utils.c	(revision 5113)
+++ iterator/iter_utils.c	(working copy)
@@ -888,8 +888,8 @@
 static int
 rrset_canonical_sort_cmp(const void* x, const void* y)
 {
-	struct ub_packed_rrset_key* rrx = (struct ub_packed_rrset_key*)x;
-	struct ub_packed_rrset_key* rry = (struct ub_packed_rrset_key*)y;
+	struct ub_packed_rrset_key* rrx = *(struct ub_packed_rrset_key**)x;
+	struct ub_packed_rrset_key* rry = *(struct ub_packed_rrset_key**)y;
 	int r = dname_canonical_compare(rrx->rk.dname, rry->rk.dname);
 	if(r != 0)
 		return r;


> 
> Stack trace is attached. Binary with debug symbold and core file are at:
> 
> https://jacob.hoffman-andrews.com/rrsort-crash/core
> https://jacob.hoffman-andrews.com/rrsort-crash/unbound
> 
> I've confirmed that reverting this patch fixes the crash.
> 
> Thanks,
> Jacob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190214/82eaf4e2/attachment.bin>


More information about the Unbound-users mailing list