From john@nlc.net.au Mon Mar  1 18:35:53 1999
Return-Path: <john@nlc.net.au>
Received: from nhj.nlc.net.au (nhj.nlc.net.au [203.24.133.1])
	by hub.freebsd.org (Postfix) with SMTP id 02319153AB
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  1 Mar 1999 18:33:00 -0800 (PST)
	(envelope-from john@nlc.net.au)
Received: (qmail 7571 invoked from network); 2 Mar 1999 13:32:36 +1100
Received: from grunt.nlc.net.au (203.24.133.5)
  by nhj.nlc.net.au with SMTP; 2 Mar 1999 13:32:36 +1100
Received: (qmail 64409 invoked by uid 1000); 2 Mar 1999 13:32:32 +1100
Message-Id: <19990302023232.64408.qmail@grunt.nlc.net.au>
Date: 2 Mar 1999 13:32:32 +1100
From: john@nlc.net.au
Reply-To: john@nlc.net.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: Core dump in gethostbyaddr for 199.93.70.2
X-Send-Pr-Version: 3.2

>Number:         10344
>Category:       bin
>Synopsis:       Core dump in gethostbyaddr for 199.93.70.2
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    fenner
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar  1 18:40:00 PST 1999
>Closed-Date:    Thu Jul 13 07:27:37 PDT 2000
>Last-Modified:  Thu Jul 13 07:29:27 PDT 2000
>Originator:     John Saunders
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Northlink Communications
>Environment:

3.1-STABLE cvsupped on Feb 23rd 1999.

>Description:

The IP address 199.93.70.2 has many PTR records associated
with it. It appears that doing a gethostbyaddr overflows
some buffer which causes a signal 10 core dump.

The problem was originally discovered with the dnsserver
process on squid core dumping. The backtrace is...

#0  0x280cc964 in __ns_name_unpack ()
#1  0x280ccb75 in __ns_name_uncompress ()
#2  0x280cc246 in __dn_expand ()
#3  0x280c1074 in _gethostbyhtaddr ()
#4  0x280c19c2 in _gethostbydnsaddr ()
#5  0x280c04a6 in gethostbyaddr ()
#6  0x8048881 in lookup (buf=0xefbfda4c "199.93.70.2") at dnsserver.c:198
#7  0x8048b2e in main (argc=1, argv=0xefbfdc78) at dnsserver.c:341
#8  0x8048755 in _start ()

Compiling ns_name.c with -g and linking to dnsserver gives a bit
more information.

#0  __ns_name_unpack (msg=0xefbfd5b8 "[q\203\200",
    eom=0xefc0354d <Address 0xefc0354d out of bounds>,
    src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
    dst=0xefbfcbf0 "\003www\bntyamXY?in-addr\004arpa", dstsiz=255)
    at ns_name.c:307
#1  0x80492e4 in __ns_name_uncompress (msg=0xefbfd5b8 "[q\203\200",
    eom=0xefc0354d <Address 0xefc0354d out of bounds>,
    src=0xefbfd9ae "\003www\bntyamXY?o&\024\f(\004Z?o\004",
    dst=0x280f3e41 "2.70.93.199.in-addr.arpa", dstsiz=7567) at ns_name.c:430

>How-To-Repeat:

The problem is in the resolver library so it can be repeated
with any process that does a reverse lookup. Try the following:

nslookup -type=ptr 199.93.70.2

Strangely if you don't specify -type=ptr then only the first PTR
record is returned and everything works. It appears that if you
want to list _all_ PTR records it comes to grief.

>Fix:

Unknown. Although I suspect it's an access through the srcp pointer
in the while loop.


>Release-Note:
>Audit-Trail:

From: Bill Fenner <fenner@parc.xerox.com>
To: john@nlc.net.au
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2 
Date: Mon, 1 Mar 1999 22:29:10 PST

 I can't replicate this; I've tried "host", your suggested "nslookup", and
 perl -e 'print join(",",gethostbyaddr(pack(C4,split(/\./,"199.93.70.2")),2))'.
 I'm using a 3.0-STABLE world but cvs says that src/lib/libc/net
 hasn't changed since 3.0-RELEASE.  Has something changed in the DNS
 since you submitted the PR, or can you still get it to happen on your
 system?
 
   Bill
 

From: Bill Fenner <fenner@parc.xerox.com>
To: "John Saunders" <john@nlc.net.au>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2 
Date: Mon, 1 Mar 1999 23:56:22 PST

 Aha!  I must be using a name server that's truncating - I only got
 14 answers.  If I set my name server to monster.nlc.net.au, I get
 lots of answers and a core dump.  tcpdump shows that the clean 14
 answers come in a UDP packet and then it opens a TCP connection.
 "dig" says that the TCP response is malformed.  Since "dig" complains
 about a malformed packet instead of dumping core, that might be a
 better place to start to try to figure out what's going on.  (The
 header claims to contain 810 answers but dig only prints 272 before
 printing an error.  The 24k of data on the wire contains much more
 than dig displays, but I don't have a good way of telling whether
 or not it's really malformed.)
 
 Another odd thing is that the connection ends with a TCP reset; the
 last few segments are really weird.  Instead of the >FIN, <FIN/ACK, >ACK,
 it's >FIN, <FIN/ACK, >ACK, <ACK, >ACK, <RST.  This could be what's
 causing the truncation, since a RST flushes any queued data.
 
   Bill
 

From: Bill Fenner <fenner@parc.xerox.com>
To: Michael Fuhr <mfuhr@dimensional.com>
Cc: Bill Fenner <fenner@parc.xerox.com>,
	freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2 
Date: Thu, 4 Mar 1999 15:39:35 PST

 In message <19990302041744.B29139@flatland.dimensional.com> you write:
 >After adding a check for loops in the DNS name compression mechanism,
 >I discovered that the first record in the answer section has a loop:
 
 I've been trying this lately and just get SERVFAILs from shields.burlee.com.
 There's still a problem with the C resolver (which John appears to
 have tracked down to a compiler bug), as pointing Net::DNS at one
 of the other name servers (nic3.barrnet.net or nic.near.net)
 successfully returns 817 records but "dig" still croaks.
 
 So, I think there are 2 issues:
 1. shields.burlee.com is confused, returning either SERVFAIL (my experience)
    or misformatted records (Michael's experience)
 2. The C resolver can't handle this answer if compiled with -O.
 
   Bill
 
Responsible-Changed-From-To: freebsd-bugs->fenner 
Responsible-Changed-By: msmith 
Responsible-Changed-When: Wed Jun 23 16:59:12 PDT 1999 
Responsible-Changed-Why:  
Bill has been working on this one. 

From: Travis Mikalson <bofh@terranova.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: john@nlc.net.au, fenner@parc.xerox.com
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 11:46:31 -0500

 My MTA is running into this bug:
 pid 33739 (smtpd), uid 90: exited on signal 10
 
 I am also able to easily demonstrate it with telnet (it goes to do a
 gethostbyaddr() by default if you just 'telnet 206.244.186.11'):
 pid 65568 (telnet), uid 1000: exited on signal 10 (core dumped)
 
 I can make telnet sig 10 in FreeBSD 2.2.6, 3.3-STABLE and 3.4-STABLE.
 
 
 So, in case you're having a problem finding another IP address that will
 tickle this, try 206.244.186.11. I don't know about you, but 199.93.70.2 does
 NOT tickle the problem for me as of right now.
 
 $ dig @tog.net txt any 11.186.244.206.in-addr.arpa
 I get 246 PTR responses.
 
 FreeBSD's gethostbyaddr() is not happy with that.
 
 tog.net is running BIND 8.2.2-P5 that I compiled from source
 
 You can probably get any FreeBSD 3.x system to generate plenty of coredumps
 to play with if you use a nameserver that doesn't truncate.
 Go ahead and use tog.net if you want :)
 
 If by any chance you're interested in a backtrace of smtpd, you can view it
 at http://tog.net/bt
 
 Please let me know if I can help in any way or provide more information.
 
 Thanks,
 -T
 -- 
 TerraNovaNet Internet Services - Key Largo, FL
 Voice: (305)453-4011        Fax: (305)451-5991
 http://www.terranova.net/
 ----------------------------------------------
 Life's not fair, but the root password helps.
 
State-Changed-From-To: open->analyzed 
State-Changed-By: billf 
State-Changed-When: Tue Feb 15 10:17:07 PST 2000 
State-Changed-Why:  
Just as a datapoint, the telnet litmus test shown in the example no longer works: 

[hawk-billf] /home/billf/telnet > lcvs diff -D"3 weeks ago" |grep gethostbyaddr 
<               host = gethostbyaddr((char *)&temp, sizeof(temp), AF_INET); 

I cannot reproduce the crash in a crappy test program I wrote to see if 
gethostbyaddr() was still borked. Crappy test program available on request. 

[hawk-billf] /home/billf/telnet > ./foo 199.93.70.2 
www.burlee.com 


From: Bill Fenner <fenner@research.att.com>
To: bofh@terranova.net
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 11:27:30 -0800

 Thanks for the pointer, I can indeed replicate the problem on both
 3.x and 4.0 with:
 
 perl -e 'print gethostbyaddr(pack(C4,206,244,186,11),2)'
 
 (using applications such as ping and telnet relies on their
 behavior, and at least telnet has changed between 3.x and 4.0
 to not do a gethostbyaddr...)
 
 I'll see if I can work on this.
 
   Bill
 

From: Bill Fenner <fenner@research.att.com>
To: billf@freebsd.org
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 13:48:05 -0800

 The history has a new IP address to try (and a perl script to
 replicate the problem).  It still exists in 4.0-CURRENT as of
 Feb 8.
 
    Bill
 

From: Bill Fumerola <billf@chc-chimes.com>
To: Bill Fenner <fenner@research.att.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 18:12:52 -0500

 On Tue, Feb 15, 2000 at 01:48:05PM -0800, Bill Fenner wrote:
 
 > The history has a new IP address to try (and a perl script to
 > replicate the problem).  It still exists in 4.0-CURRENT as of
 > Feb 8.
 
 Crap. perl crashes for here as well for that one. My cheesy test
 program doesn't however. Do we even know why this is happening?
 
 -- 
 Bill Fumerola - Network Architect
 Computer Horizons Corp - CVM
 e-mail: billf@chc-chimes.com / billf@FreeBSD.org
 Office: 800-252-2421 x128 / Cell: 248-761-7272
 
 
 
 
 

From: Bill Fenner <fenner@research.att.com>
To: billf@chc-chimes.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 16:09:30 -0800

 >Crap. perl crashes for here as well for that one. My cheesy test
 >program doesn't however. Do we even know why this is happening?
 
 libc's gethostbyaddr dies when there are too many PTR records associated
 with a given host.  Haven't gotten much farther than that.
 
   Bill
 

From: Bill Fenner <fenner@research.att.com>
To: billf@chc-chimes.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 19:11:39 -0800

 >Do we even know why this is happening?
  
 Setting RES_OPTIONS to "debug" helps some:
 
 ;; res_setoptions("debug", "env")..
 ;;      debug
 ;; res_query(11.186.244.206.in-addr.arpa, 1, 12)
 ;; res_mkquery(0, 11.186.244.206.in-addr.arpa, 1, 12)
 ;; res_send()
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57629
 ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;;      11.186.244.206.in-addr.arpa, type = PTR, class = IN
 ;; Querying server (# 1) address = 205.152.191.15
 ;; truncated answer
 ;; Querying server (# 1) address = 205.152.191.15
 ;; response truncated
 ;; got answer:
 ;; ns_initparse: Message too long
 (no debugging symbols found)...(no debugging symbols found)...
 Program received signal SIGBUS, Bus error.
 0x2818ea74 in __ns_name_unpack (msg=0xbfbff5cc "\035\203\200", 
     eom=0xbfc012d6 <Error reading address 0xbfc012d6: Bad address>, 
     src=0xbfc011fc <Error reading address 0xbfc011fc: Bad address>, 
     dst=0xbfbfebcc "\00211\003186\003244\003206\ain-addr\004arpa", dstsiz=255)
     at /usr/src/lib/libc/../libc/net/ns_name.c:303
 303             }
 
 Note the "ns_initparse: Message too long" error.  This is because
 _gethostbydnsaddr() passes a 1024-byte buffer to res_query().  I don't
 know if res_query() is stomping beyond the length of the buffer, but it
 returns 7434.
 
 Silly answer: make _gethostbydnsaddr()'s buffer longer.  Less silly
 answer: figure out who forgot to check for buffer overrun (res_query()
 or _gethostbydnsaddr()) and fix it.  The easy thing (and what we
 should probably do for 4.0) is just to return no such host from
 _gethostbydnsaddr() if res_query() returns greater than sizeof(buf.buf) --
 this makes such hosts appear to not exist but is better than dumping
 core.  The long-term answer is presumably to malloc buf.buf.
 
   Bill
 

From: Bill Fenner <fenner@emachine.attlabs.att.com>
To: freebsd-gnats-submit@freebsd.org
Cc: billf@cfc-chimes.com.attlabs.att.com, bofh@terranova.net,
	john@nlc.net.au
Subject: Re: bin/10344
Date: Tue, 15 Feb 2000 19:25:39 -0800 (PST)

 Here's a suggested patch.  I haven't looked at newer bind resolvers
 to see if they solve it better.
 
 cvs diff: Diffing .
 Index: gethostbydns.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libc/net/gethostbydns.c,v
 retrieving revision 1.26
 diff -u -r1.26 gethostbydns.c
 --- gethostbydns.c	1999/12/28 07:21:08	1.26
 +++ gethostbydns.c	2000/02/16 03:20:39
 @@ -664,6 +664,10 @@
  		dprintf("res_query failed (%d)\n", n);
  		return (NULL);
  	}
 +	if (n > sizeof buf.buf) {
 +		dprintf("static buffer is too small (%d)\n", n);
 +		return (NULL);
 +	}
  	if (!(hp = gethostanswer(&buf, n, qbuf, T_PTR)))
  		return (NULL);	/* h_errno was set by gethostanswer() */
  #ifdef SUNSECURITY
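 Review bot: the new early return at `if (n > sizeof buf.buf)` leaves h_errno untouched, yet the comment on the very next `return (NULL)` says callers rely on gethostanswer() having set it, so a caller would report whatever stale value h_errno held; set h_errno (NO_RECOVERY, as this file's BOUNDS_CHECK macro does) before returning. Also `n` is an int compared against a size_t; the negative case is already excluded by the preceding `res_query failed` branch, so the comparison is correct, but a cast would keep the signed/unsigned warning out of the build.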
 
 

From: Bill Fenner <fenner@research.att.com>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/10344: Core dump in gethostbyaddr for 199.93.70.2
Date: Tue, 15 Feb 2000 19:33:04 -0800

 And just for the record, I checked res_query() and it appears not to
 stomp on memory (it reads at most anslen bytes into the user's buffer
 and then discards the rest).
 
   Bill
 

From: Bill Fenner <fenner@research.att.com>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/10344
Date: Tue, 15 Feb 2000 19:56:27 -0800

 The bind 8.2.2 resolver doesn't appear to have this problem fixed;
 dns_ho.c still calls res_query() with a 1024-byte buffer and
 doesn't check the returned length.
 
   Bill
 

From: "John Saunders" <john@nlc.net.au>
To: "Bill Fenner" <fenner@emachine.attlabs.att.com>,
	<freebsd-gnats-submit@freebsd.org>
Cc: <billf@cfc-chimes.com.attlabs.att.com>, <bofh@terranova.net>
Subject: Re: bin/10344
Date: Thu, 17 Feb 2000 08:26:23 +1100

 From my reading of the bind 8.1.2 sources, res_query will (should?)
 never return 'n' greater than the buffer size. res_query makes its
 way to res_send where it sends the request and reads the result. If
 the result is larger than the buffer it marks the result as being
 truncated and returns 'n' set to the truncated size. However it only
 truncates when the result is read via TCP, if the result is read by
 UDP there is no code for truncating. It possibly assumes that the
 buffer is large enough for the largest UDP result.
 
 Cheers.
 --            +------------------------------------------------------------+
         .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
     ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
    /  Oz  \   |                - 02-9489-4932 or 041-822-3814      (Phone) |
    \_,--\_/   | NORTHLINK COMMUNICATIONS - Supplying a professional,       |
          v    | and above all friendly, internet connection service.       |
               +------------------------------------------------------------+
 
 ----- Original Message -----
 From: "Bill Fenner" <fenner@emachine.attlabs.att.com>
 To: <freebsd-gnats-submit@freebsd.org>
 Cc: <billf@cfc-chimes.com.attlabs.att.com>; <bofh@terranova.net>;
 <john@nlc.net.au>
 Sent: Wednesday, February 16, 2000 2:25 PM
 Subject: Re: bin/10344
 
 
 > Here's a suggested patch.  I haven't looked at newer bind resolvers
 > to see if they solve it better.
 >
 > cvs diff: Diffing .
 > Index: gethostbydns.c
 > ===================================================================
 > RCS file: /home/ncvs/src/lib/libc/net/gethostbydns.c,v
 > retrieving revision 1.26
 > diff -u -r1.26 gethostbydns.c
 > --- gethostbydns.c 1999/12/28 07:21:08 1.26
 > +++ gethostbydns.c 2000/02/16 03:20:39
 > @@ -664,6 +664,10 @@
 >   dprintf("res_query failed (%d)\n", n);
 >   return (NULL);
 >   }
 > + if (n > sizeof buf.buf) {
 > + dprintf("static buffer is too small (%d)\n", n);
 > + return (NULL);
 > + }
 >   if (!(hp = gethostanswer(&buf, n, qbuf, T_PTR)))
 >   return (NULL); /* h_errno was set by gethostanswer() */
 >  #ifdef SUNSECURITY
 >
 >
 
 

From: Bill Fenner <fenner@research.att.com>
To: john@nlc.net.au
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/10344
Date: Wed, 16 Feb 2000 15:54:12 -0800

 I disagree -- bind 8.2.2p5's res_nsend() returns resplen, which is the
 non-adjusted length of the reply that was read from the server.
 
   Bill
 

From: "John Saunders" <john@nlc.net.au>
To: "Bill Fenner" <fenner@research.att.com>
Cc: <freebsd-gnats-submit@freebsd.org>,
	"FreeBSD stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: bin/10344
Date: Wed, 1 Mar 2000 15:32:15 +1100

 
 > I disagree -- bind 8.2.2p5's res_nsend() returns resplen, which is the
 > non-adjusted length of the reply that was read from the server.
 
 I've done a complete analysis on the problem, what we have is a simple
 case of running off the end of the buffer.
 
 The function gethostanswer is passed a querybuf which has a size of
 1024 bytes (determined by the #define MAXPACKET), a DNS answer length
 (which in the test case is 7460), and 2 other parameters which don't
 concern the problem at hand.
 
 The function then constructs a pointer 'cp' to the start of the 1024
 byte querybuf. It also constructs a pointer 'eom' to indicate the end
 of the buffer. Then inside a while statement it extracts each answer.
 The while loop terminates if either all answers have been extracted,
 or when 'cp' exceeds 'eom', or if an error occurred.
 
 The problem is in the construction of the 'eom' pointer, currently
 the code uses the DNS answer length to calculate this. However in
 the test case the answer is greater than the buffer size. This
 allows the while loop to step the 'cp' pointer past the end of the
 buffer. The code is...
 
     eom = answer->buf + anslen;
 
 The corrected code is as follows. It correctly calculates the 'eom'
 position for the case of the DNS answer length being longer than
 the buffer the answer is provided in.
 
     eom = answer->buf + (anslen > MAXPACKET ? MAXPACKET : anslen);
 
 Other interesting info. If I redefine MAXPACKET to be 2048 I am able
 to get a few more results. If I change it to 4096 then a call to
 BOUNDS_CHECK fails and the function returns a NULL. The included
 patch alters the way BOUNDS_CHECK works so that the truncated
 packet can be handled nicely. I was able to increase some defines
 to get more answers back after this change.
 
 I am not sure of the effect on other parts of the system if suddenly
 more answers come back. So I would suggest that MAXADDRS and
 MAXALIASES remain at 35 and MAXPACKET at 1024.
 
 The patch also removes your "return (NULL)" that you committed, however
 I thought that leaving the dprintf in would be a good warning.
 
 Cheers.
 
 --- gethostbydns.c.orig Sat Feb 26 11:55:47 2000
 +++ gethostbydns.c Wed Mar  1 15:03:57 2000
 @@ -79,8 +79,8 @@
 
  #define SPRINTF(x) ((size_t)sprintf x)
 
 -#define MAXALIASES 35
 -#define MAXADDRS 35
 +#define MAXALIASES 300
 +#define MAXADDRS 300
 
  static const char AskedForGot[] =
    "gethostby*.gethostanswer: asked for \"%s\", got \"%s\"";
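 Review bot: this hunk raises MAXALIASES and MAXADDRS from 35 to 300 although the covering message says they should remain at 35; drop it, or split the experimental sizes into a separate patch, so the bounds fix below can be committed on its own.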
 @@ -99,7 +99,7 @@
  #if PACKETSZ > 1024
  #define MAXPACKET PACKETSZ
  #else
 -#define MAXPACKET 1024
 +#define MAXPACKET 8192
  #endif
 
  typedef union {
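 Review bot: same point as the previous hunk: MAXPACKET goes to 8192 while the message recommends keeping it at 1024, and the eom clamp below is meant to make the code safe at any size. Note that the querybuf, and therefore the `sizeof buf.buf` test in the last hunk, follows this value, so the "static buffer is too small" diagnostic changes meaning with it.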
 @@ -142,12 +142,7 @@
   } while (0)
 
  #define BOUNDS_CHECK(ptr, count) \
 - do { \
 -  if ((ptr) + (count) > eom) { \
 -   h_errno = NO_RECOVERY; \
 -   return (NULL); \
 -  } \
 - } while (0)
 + ((ptr) + (count) > eom)
 
  static struct hostent *
  gethostanswer(answer, anslen, qname, qtype)
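 Review bot: turning BOUNDS_CHECK into a bare expression silently changes every call site that still uses it as a statement: `BOUNDS_CHECK(cp, n);` now compiles to an expression with no effect, so any use in this file not converted by the later hunks loses its check without a compile error. Renaming the macro (say BOUNDS_EXCEEDED) would make unconverted uses fail to compile instead. The old macro also set `h_errno = NO_RECOVERY`; the new callers do `had_error++` instead, so confirm the code after the loop still sets h_errno when had_error is non-zero.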
 @@ -170,7 +165,7 @@
 
   tname = qname;
   host.h_name = NULL;
 - eom = answer->buf + anslen;
 + eom = answer->buf + (anslen > MAXPACKET ? MAXPACKET : anslen);
   switch (qtype) {
   case T_A:
   case T_AAAA:
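 Review bot: clamping with MAXPACKET ties gethostanswer() to the caller's buffer by name; `sizeof answer->buf` expresses the same bound without assuming what anslen was measured against, and the caller in the last hunk could alternatively pass `n > sizeof buf.buf ? sizeof buf.buf : n` so the truncation is handled in one place. Either way, a reply cut off mid-record is now parsed as far as it goes and stopped by the bounds checks, which is the intent.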
 @@ -235,7 +230,11 @@
     continue;
    }
    cp += n;   /* name */
 -  BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
 +  if (BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ))
 +  {
 +   had_error++;
 +   continue;
 +  }
    type = _getshort(cp);
     cp += INT16SZ;   /* type */
    class = _getshort(cp);
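 Review bot: `continue` after `had_error++` leaves cp pointing inside the cut-off record, so the loop terminates only because its condition tests had_error; a short comment on that would save the next reader a trip. Style: the opening brace of the new `if` sits on its own line while the surrounding code (`if (class != C_IN) {`) keeps it on the `if` line.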
 @@ -245,7 +244,11 @@
    cp += INT32SZ;   /* TTL */
    n = _getshort(cp);
    cp += INT16SZ;   /* len */
 -  BOUNDS_CHECK(cp, n);
 +  if (BOUNDS_CHECK(cp, n))
 +  {
 +   had_error++;
 +   continue;
 +  }
    erdata = cp + n;
    if (class != C_IN) {
     /* XXX - debug? syslog? */
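 Review bot: `n` here is the rdlength read from the wire, so once `if (BOUNDS_CHECK(cp, n))` passes, `erdata = cp + n` is guaranteed inside the clamped buffer; this is the check that previously returned NULL and now only flags had_error, which is worth a comment. Same brace-style remark as the previous hunk.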
 @@ -666,7 +669,6 @@
   }
   if (n > sizeof buf.buf) {
    dprintf("static buffer is too small (%d)\n", n);
 -  return (NULL);
   }
   if (!(hp = gethostanswer(&buf, n, qbuf, T_PTR)))
    return (NULL); /* h_errno was set by gethostanswer() */
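 Review bot: with `return (NULL)` removed, the oversized `n` is passed straight into gethostanswer() and correctness depends entirely on the eom clamp there; keeping the dprintf is useful, but consider also clamping n here (`n = sizeof buf.buf`) so that no caller of gethostanswer() ever sees an anslen larger than the buffer.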
 
 --            +------------------------------------------------------------+
         .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
     ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
    /  Oz  \   |                - 02-9489-4932 or 041-822-3814      (Phone) |
    \_,--\_/   | NORTHLINK COMMUNICATIONS P/L - Supplying a professional,   |
          v    | and above all friendly, internet connection service.       |
               +------------------------------------------------------------+
 
 
 
 
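The truncation path Bill's debug trace and John's analysis describe above, as an added C example that is not code from the PR or from libc: res_query() reports the full reply length (7460 bytes in the PR) while the querybuf holds only 1024, and the answer walker must clamp eom to the buffer. The walker mirrors the loop shape and the non-returning BOUNDS_CHECK from John's patch; skip_name is a stand-in for dn_expand() that handles only uncompressed names, and the sample reply is constructed (17-byte IN PTR records, no header or question section).

```c
#include <stdlib.h>
#include <string.h>

#define MAXPACKET 1024      /* size of the static querybuf in the PR */
enum { INT16SZ = 2, INT32SZ = 4, T_PTR = 12, C_IN = 1 };
typedef union { unsigned char buf[MAXPACKET]; } querybuf;

/* Bill's committed check: res_query() reports the full reply length even
 * though it stored at most sizeof buf.buf bytes, so a larger n is a cut copy. */
static int reply_fits(int n) { return n >= 0 && (size_t)n <= sizeof(querybuf); }

/* John's fix: eom never points past the buffer, whatever anslen claims. */
static const unsigned char *answer_eom(const querybuf *answer, int anslen)
{ return answer->buf + (anslen > MAXPACKET ? MAXPACKET : anslen); }
/* Non-returning BOUNDS_CHECK from the second patch: true if past eom. */
#define BOUNDS_CHECK(ptr, count) ((ptr) + (count) > eom)

/* Stand-in for dn_expand(): skip an uncompressed owner name (plain labels,
 * no 0xC0 pointers); returns NULL if the name would run off eom. */
static const unsigned char *skip_name(const unsigned char *cp, const unsigned char *eom)
{
    while (cp < eom && *cp != 0) {
        if (BOUNDS_CHECK(cp, 1 + *cp))
            return NULL;
        cp += 1 + *cp;
    }
    return cp < eom ? cp + 1 : NULL;        /* step over the root label */
}

/* Same loop shape as gethostanswer(): returns the number of complete IN PTR
 * records; *had_error is set when a record is cut off at eom. */
static int walk_answers(const querybuf *answer, int anslen, int ancount, int *had_error)
{
    const unsigned char *cp = answer->buf, *np;
    const unsigned char *eom = answer_eom(answer, anslen);
    int found = 0, type, class, n;
    *had_error = 0;
    while (ancount-- > 0 && cp < eom && !*had_error) {
        if ((np = skip_name(cp, eom)) == NULL) { (*had_error)++; continue; }
        cp = np;
        if (BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ)) { (*had_error)++; continue; }
        type = (cp[0] << 8) | cp[1];  cp += INT16SZ;
        class = (cp[0] << 8) | cp[1]; cp += INT16SZ;
        cp += INT32SZ;                          /* TTL */
        n = (cp[0] << 8) | cp[1];     cp += INT16SZ;
        if (BOUNDS_CHECK(cp, n)) { (*had_error)++; continue; }
        if (type == T_PTR && class == C_IN)
            found++;
        cp += n;                                /* rdata */
    }
    return found;
}

/* Constructed reply of nrec identical 17-byte IN PTR records (owner "ptr.",
 * TTL 3600, 2 bytes of rdata). Mimics res_query(): at most MAXPACKET bytes
 * land in the static buffer but the full length is reported to the walker. */
static int demo(int nrec, int *had_error)
{
    static const unsigned char rec[17] = { 3, 'p', 't', 'r', 0, 0, T_PTR,
        0, C_IN, 0, 0, 0x0e, 0x10, 0, 2, 0xc0, 0x0c };
    unsigned char *wire = malloc((size_t)nrec * 17);
    querybuf buf;
    int i, n = nrec * 17;
    if (wire == NULL) return -1;
    for (i = 0; i < nrec; i++) memcpy(wire + i * 17, rec, 17);
    memcpy(buf.buf, wire, n > MAXPACKET ? MAXPACKET : n);
    free(wire);
    return walk_answers(&buf, n, nrec, had_error);
}
static int demo_found(int nrec) { int e; return demo(nrec, &e); }
static int demo_had_error(int nrec) { int e; demo(nrec, &e); return e; }
```

With 80 records (1360 bytes reported, 1024 stored) the clamped walker returns the 60 records that fit and flags the cut-off one instead of reading past the union; with 10 records it returns all 10 with no error.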
State-Changed-From-To: analyzed->closed 
State-Changed-By: nbm 
State-Changed-When: Thu Jul 13 07:27:37 PDT 2000 
State-Changed-Why:  
Fixed in 1.27 (4.0-RELEASE and above) and 1.23.2.3 (3.5-RELEASE has 
this) of gethostbydns.c 

http://www.freebsd.org/cgi/query-pr.cgi?pr=10344 
>Unformatted:
