From nobody@FreeBSD.ORG  Wed Jun  7 09:50:03 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id CDD0637BDD0; Wed,  7 Jun 2000 09:50:03 -0700 (PDT)
Message-Id: <20000607165003.CDD0637BDD0@hub.freebsd.org>
Date: Wed,  7 Jun 2000 09:50:03 -0700 (PDT)
From: liveevil@tasam.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: core dump using ftp and telnet
X-Send-Pr-Version: www-1.0

>Number:         19096
>Category:       bin
>Synopsis:       libc core dump using ftp and telnet
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 07 10:00:00 PDT 2000
>Closed-Date:    Mon Jul 3 01:22:31 PDT 2000
>Last-Modified:  Mon Jul 03 01:26:08 PDT 2000
>Originator:     LiVeeViL
>Release:        4.0-STABLE FreeBSD 4.0-STABLE
>Organization:
NONE
>Environment:
4.0-STABLE FreeBSD 4.0-STABLE
>Description:
Somehow a URL (easymoney.com) was able to change my default webpage to theirs. I did a query on their domain name, and found an entry in their DNS zone file. One of the entry names is *.exitmoney.com. I wanted to see if I could establish a connection using that hostname.

Here is what I got:

bash-2.03$ telnet 
telnet> o
(to) *.exitmoney.com
Segmentation fault (core dumped)

Also the same using FTP server (Version 6.00LS) 

bash-2.03$ ftp
ftp> o
(to) *.exitmoney.com
Segmentation fault (core dumped)
bash-2.03$ 

-rw-------    1 liveevil  liveevil   380928 Jun  7 12:41 telnet.core
-rw-------    1 liveevil  liveevil   454656 Jun  7 12:42 ftp.core


>How-To-Repeat:
bash-2.03$ telnet 
telnet> o
(to) *.exitmoney.com
Segmentation fault (core dumped)

Also the same using FTP server (Version 6.00LS) 

bash-2.03$ ftp
ftp> o
(to) *.exitmoney.com
Segmentation fault (core dumped)
bash-2.03$ 

>Fix:
It seems like both ftp and telnet have trouble with input from host names with "*"'s in them. I have also tried to reproduce the same results using ping, nslookup and traceroute without any luck. I do not know how to fix this problem.


>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@sunbay.com>
To: liveevil@tasam.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/19096: core dump using ftp and telnet
Date: Wed, 7 Jun 2000 21:12:59 +0300

 On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
 > 
 > Number:         19096
 > Synopsis:       core dump using ftp and telnet
 > Severity:       non-critical
 > Priority:       low
 > Release:        4.0-STABLE FreeBSD 4.0-STABLE
 > 
 It turns out to be a problem with libc.
 Maybe _hpcopy() should check the value of *errp???
 
 Script started on Wed Jun  7 21:06:04 2000
 GNU gdb 4.18
 Copyright 1998 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-unknown-freebsd"...
 Core was generated by `ftp'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x807321e in _hpcopy (hp=0xbfbff4a0, errp=0xbfbff590)
     at /usr/src/lib/libc/../libc/net/name6.c:559
 559				if (**pp != '\0') {
 (gdb) l
 554		size = sizeof(struct hostent);
 555		if (hp->h_name != NULL && *hp->h_name != '\0')
 556			size += strlen(hp->h_name) + 1;
 557		if ((pp = hp->h_aliases) != NULL) {
 558			for (i = 0; *pp != NULL; i++, pp++) {
 559				if (**pp != '\0') {
 560					size += strlen(*pp) + 1;
 561					nalias++;
 562				}
 563			}
 (gdb) print pp
 $1 = (char **) 0xbfbff0a4
 (gdb) print *pp
 $2 = 0x1000100 <Address 0x1000100 out of bounds>
 (gdb) up
 #1  0x8074714 in _res_search_multi (name=0x80bb0a0 "*.exitmoney.com", 
     rtl=0xbfbff4dc, errp=0xbfbff590)
     at /usr/src/lib/libc/../libc/net/name6.c:1352
 1352					hp = _hpcopy(&hpbuf, errp);
 (gdb) l
 1347					hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
 1348					    ? AF_INET6 : AF_INET;
 1349					hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
 1350					hp = getanswer(&buf, ret, name, rtl->rtl_type,
 1351							    &hpbuf, errp);
 1352					hp = _hpcopy(&hpbuf, errp);
 1353					hp0 = _hpmerge(hp0, hp, errp);
 1354				}
 1355			}
 1356			if (hp0 != NULL)
 (gdb) print *errp
 $3 = 3
 (gdb) quit
 
 Script done on Wed Jun  7 21:07:30 2000
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 

From: Ruslan Ermilov <ru@sunbay.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/19096: core dump using ftp and telnet
Date: Wed, 7 Jun 2000 21:57:29 +0300

 On Wed, Jun 07, 2000 at 11:20:01AM -0700, Ruslan Ermilov wrote:
 > 
 >  On Wed, Jun 07, 2000 at 09:50:03AM -0700, liveevil@tasam.com wrote:
 >  > 
 >  > Number:         19096
 >  > Synopsis:       core dump using ftp and telnet
 >  > Severity:       non-critical
 >  > Priority:       low
 >  > Release:        4.0-STABLE FreeBSD 4.0-STABLE
 >  > 
 >  It turns out to be the problem with libc.
 >  Maybe, _hpcopy() should check for value of *errp???
 >  
 Something like this should be done (IN ALL PLACES):
 
 Index: name6.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libc/net/name6.c,v
 retrieving revision 1.6.2.3
 diff -u -r1.6.2.3 name6.c
 --- name6.c	2000/05/13 18:46:13	1.6.2.3
 +++ name6.c	2000/06/07 18:55:12
 @@ -1349,7 +1349,8 @@
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
  				hp = getanswer(&buf, ret, name, rtl->rtl_type,
  						    &hpbuf, errp);
 -				hp = _hpcopy(&hpbuf, errp);
 +				if (hp != NULL)
 +					hp = _hpcopy(&hpbuf, errp);
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
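 Review bot: the guard leaves hp == NULL whenever getanswer() fails, and the unchanged context line `hp0 = _hpmerge(hp0, hp, errp);` still runs with that NULL; the hunk does not show whether _hpmerge() accepts a NULL second argument, so confirm it does or skip the merge when hp is NULL. The gdb session shows *errp == 3 at the crash, so checking *errp inside _hpcopy() (the first suggestion) would also work, but the caller-side check is the better fix since it stops an unfilled hpbuf from being read at all; the "IN ALL PLACES" remark implies the same guard is needed at the other _hpcopy() call sites in name6.c, which this single hunk does not cover.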
 
 
 Which gives the correct behaviour:
 
 Script started on Wed Jun  7 21:53:48 2000
 ftp: *.exitmoney.com: Non-recoverable failure in name resolution
 ftp> quit
 
 Script done on Wed Jun  7 21:53:50 2000
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 

From: vladimir@math.uic.edu
To: freebsd-gnats-submit@FreeBSD.org, liveevil@tasam.com
Cc: vladimir@math.uic.edu
Subject: Re: bin/19096: libc core dump using ftp and telnet
Date: 11 Jun 2000 01:30:52 -0000

 
 I just submitted a bug report yesterday that didn't seem to make it
 to the database about
 "gethostbyname() fails if there are 'bad' chars in the hostname",
 with an equivalent fix. The failure happens when the hostname
 resolves, but has 'illegal' chars in it, for example,
 mail_dxb.zu.ac.ae (I found this one when I noticed that our
 inetd is dumping core).
 
 Hopefully someone closes my bug report if it makes it to the 
 database, because #19096 is essentially the same thing.
 
 	Vladimir
 	vladimir@math.uic.edu
 
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Mon Jul 3 01:22:31 PDT 2000 
State-Changed-Why:  
Fixed in src/lib/libc/net/name6.c, revs 1.13 (HEAD) and 1.6.2.4 (RELENG_4). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19096 
>Unformatted:
