From nobody@FreeBSD.org  Wed Aug 29 03:28:57 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id F22C037B405
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 29 Aug 2001 03:28:56 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f7TASur75103;
	Wed, 29 Aug 2001 03:28:56 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200108291028.f7TASur75103@freefall.freebsd.org>
Date: Wed, 29 Aug 2001 03:28:56 -0700 (PDT)
From: John Morrow <jmorrow@inktomi.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: getaddrinfo does not handle incorrect servname
X-Send-Pr-Version: www-1.0

>Number:         30186
>Category:       kern
>Synopsis:       [libc] getaddrinfo(3) does not handle incorrect servname
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 29 03:30:00 PDT 2001
>Closed-Date:    
>Last-Modified:  Mon Mar 23 21:33:40 UTC 2009
>Originator:     John Morrow
>Release:        4.4-PRERELEASE
>Organization:
>Environment:
FreeBSD dagobah.uk.inktomi.com 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #9: Mon Aug  6 12:29:02 BST 2001     jmorrow@dagobah.uk.inktomi.com:/usr/src/sys/compile/DAGOBAH  i386

>Description:
If I call getaddrinfo("127.0.0.1", "80", &hints, &res) as a non-root
user and then bind using the returned socket address structure my
program is bound to the wrong address and port. I would have expected
a correctly filled out socket address structure and then an EACCES
from bind(2).

$ ./a.out 127.0.0.1 80 & sockstat -l4 | grep a.out
jmorrow  a.out    30004    3 tcp4   *:1045                *:*

$ ./a.out 127.0.0.1 8000 & sockstat -l4 | grep a.out
jmorrow  a.out    30009    3 tcp4   127.0.0.1:8000        *:*

Also putting negative or high port numbers into this program
never causes getaddrinfo to return an error.

>How-To-Repeat:
#include <stdio.h>
#include <string.h>     /* memset */
#include <unistd.h>     /* sleep */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* usage: ./a.out <numeric-address> <port> */
int
main(int argc, char **argv)
{
    struct addrinfo hints, *res;
    int error, sock;

    if (argc != 3)
        return 1;

    /* Resolve a numeric host and service for a passive (listening) socket. */
    (void)memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
    hints.ai_socktype = SOCK_STREAM;
    error = getaddrinfo(argv[1], argv[2], &hints, &res);
    if ( error ) {
        (void)printf("%s: %s\n", argv[1], gai_strerror(error));
        return 1;
    }
    sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    bind(sock, res->ai_addr, res->ai_addrlen);
    listen(sock, 5);
    /* Keep the listener open long enough to inspect it with sockstat. */
    sleep(60);
    freeaddrinfo(res);
    return 0;
}
>Fix:

>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: John Morrow <jmorrow@inktomi.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/30186: getaddrinfo does not handle incorrect servname
Date: Wed, 29 Aug 2001 14:23:38 +0100

 On Wed, Aug 29, 2001 at 03:28:56AM -0700, John Morrow wrote:
 > >Description:
 > If I call getaddrinfo("127.0.0.1", "80", &hints, &res) as a non-root
 > user and then bind using the returned socket address structure my
 > program is bound to the wrong address and port. I would have expected
 > a correctly filled out socket address structure and then an EACCES
 > from bind(2).
 
 Bind(2) is returning -1 and setting errno to EACCES, but you didn't
 check the return value from bind, so your program didn't notice.
 Then, when you call listen(2), an ephemeral port is assigned to
 your program so that it can listen.
 
 > Also putting negative or high port numbers into this program
 > never causes getaddrinfo to return an error.
 
 I guess that's another issue - I assume it's taking them mod
 65536.
 
 	David.
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Mon Mar 23 21:33:10 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=30186 
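
A checked variant of the listener from this report, added here as an example and not code from the PR or from FreeBSD: it rejects a servname outside 0..65535 before getaddrinfo(3) sees it, and it stops at a failed bind(2) so that listen(2) never falls back to an ephemeral port on the wildcard address. The helper names parse_port and listen_on are hypothetical, and the example assumes only numeric ports are wanted (a service name such as "http" is rejected).

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: a decimal port in 0..65535, or -1 for anything else. */
static int parse_port(const char *s)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')   /* rejects "", "-1", "+80", " 80" */
        return -1;
    long v = strtol(s, &end, 10);            /* overflow yields LONG_MAX, caught below */
    return (*end != '\0' || v > 65535) ? -1 : (int)v;
}

/* Hypothetical helper: a listening fd, or -1 after reporting the failing step. */
static int listen_on(const char *host, const char *serv)
{
    struct addrinfo hints, *res;
    int error, sock;
    if (parse_port(serv) < 0) {
        fprintf(stderr, "%s: not a port in 0..65535\n", serv);
        return -1;
    }
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
    hints.ai_socktype = SOCK_STREAM;
    if ((error = getaddrinfo(host, serv, &hints, &res)) != 0) {
        fprintf(stderr, "%s: %s\n", host, gai_strerror(error));
        return -1;
    }
    sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (sock < 0 || bind(sock, res->ai_addr, res->ai_addrlen) < 0 ||
        listen(sock, 5) < 0) {
        perror("socket/bind/listen");        /* e.g. EACCES for port 80 as non-root */
        if (sock >= 0)
            close(sock);
        sock = -1;                           /* never hand back an unbound listener */
    }
    freeaddrinfo(res);
    return sock;
}

int main(int argc, char **argv)
{
    return (argc == 3 && listen_on(argv[1], argv[2]) >= 0) ? 0 : 1;
}
```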
>Unformatted:
