]> git.ipfire.org Git - thirdparty/glibc.git/blob - resolv/nss_dns/dns-host.c
projects / thirdparty / glibc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
[thirdparty/glibc.git] / resolv / nss_dns / dns-host.c
1 /* Copyright (C) 1996-2015 Free Software Foundation, Inc.
2 This file is part of the GNU C Library.
3 Extended from original form by Ulrich Drepper <drepper@cygnus.com>, 1996.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <http://www.gnu.org/licenses/>. */
18
19 /* Parts of this file are plain copies of the file `gethtnamadr.c' from
20 the bind package and it has the following copyright. */
21
22 /*
23 * ++Copyright++ 1985, 1988, 1993
24 * -
25 * Copyright (c) 1985, 1988, 1993
26 * The Regents of the University of California. All rights reserved.
27 *
28 * Redistribution and use in source and binary forms, with or without
29 * modification, are permitted provided that the following conditions
30 * are met:
31 * 1. Redistributions of source code must retain the above copyright
32 * notice, this list of conditions and the following disclaimer.
33 * 2. Redistributions in binary form must reproduce the above copyright
34 * notice, this list of conditions and the following disclaimer in the
35 * documentation and/or other materials provided with the distribution.
36 * 4. Neither the name of the University nor the names of its contributors
37 * may be used to endorse or promote products derived from this software
38 * without specific prior written permission.
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 * -
52 * Portions Copyright (c) 1993 by Digital Equipment Corporation.
53 *
54 * Permission to use, copy, modify, and distribute this software for any
55 * purpose with or without fee is hereby granted, provided that the above
56 * copyright notice and this permission notice appear in all copies, and that
57 * the name of Digital Equipment Corporation not be used in advertising or
58 * publicity pertaining to distribution of the document or software without
59 * specific, written prior permission.
60 *
61 * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
62 * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
63 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
64 * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
65 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
66 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
67 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
68 * SOFTWARE.
69 * -
70 * --Copyright--
71 */
72
73 #include <assert.h>
74 #include <ctype.h>
75 #include <errno.h>
76 #include <netdb.h>
77 #include <stdio.h>
78 #include <stdlib.h>
79 #include <stddef.h>
80 #include <string.h>
81 #include <sys/syslog.h>
82
83 #include "nsswitch.h"
84
85 /* Get implementation for some internal functions. */
86 #include <resolv/mapv4v6addr.h>
87 #include <resolv/mapv4v6hostent.h>
88
89 #define RESOLVSORT
90
91 #if PACKETSZ > 65536
92 # define MAXPACKET PACKETSZ
93 #else
94 # define MAXPACKET 65536
95 #endif
96 /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */
97 #ifdef MAXHOSTNAMELEN
98 # undef MAXHOSTNAMELEN
99 #endif
100 #define MAXHOSTNAMELEN 256
101
102 static const char AskedForGot[] = "\
103 gethostby*.getanswer: asked for \"%s\", got \"%s\"";
104
105
106 /* We need this time later. */
107 typedef union querybuf
108 {
109 HEADER hdr;
110 u_char buf[MAXPACKET];
111 } querybuf;
112
113 /* These functions are defined in res_comp.c. */
114 #define NS_MAXCDNAME 255 /* maximum compressed domain name */
115 extern int __ns_name_ntop (const u_char *, char *, size_t);
116 extern int __ns_name_unpack (const u_char *, const u_char *,
117 const u_char *, u_char *, size_t);
118
119
120 static enum nss_status getanswer_r (const querybuf *answer, int anslen,
121 const char *qname, int qtype,
122 struct hostent *result, char *buffer,
123 size_t buflen, int *errnop, int *h_errnop,
124 int map, int32_t *ttlp, char **canonp);
125
126 static enum nss_status gaih_getanswer (const querybuf *answer1, int anslen1,
127 const querybuf *answer2, int anslen2,
128 const char *qname,
129 struct gaih_addrtuple **pat,
130 char *buffer, size_t buflen,
131 int *errnop, int *h_errnop,
132 int32_t *ttlp);
133
134 extern enum nss_status _nss_dns_gethostbyname3_r (const char *name, int af,
135 struct hostent *result,
136 char *buffer, size_t buflen,
137 int *errnop, int *h_errnop,
138 int32_t *ttlp,
139 char **canonp);
140 hidden_proto (_nss_dns_gethostbyname3_r)
141
142 enum nss_status
143 _nss_dns_gethostbyname3_r (const char *name, int af, struct hostent *result,
144 char *buffer, size_t buflen, int *errnop,
145 int *h_errnop, int32_t *ttlp, char **canonp)
146 {
147 union
148 {
149 querybuf *buf;
150 u_char *ptr;
151 } host_buffer;
152 querybuf *orig_host_buffer;
153 char tmp[NS_MAXDNAME];
154 int size, type, n;
155 const char *cp;
156 int map = 0;
157 int olderr = errno;
158 enum nss_status status;
159
160 if (__res_maybe_init (&_res, 0) == -1)
161 return NSS_STATUS_UNAVAIL;
162
163 switch (af) {
164 case AF_INET:
165 size = INADDRSZ;
166 type = T_A;
167 break;
168 case AF_INET6:
169 size = IN6ADDRSZ;
170 type = T_AAAA;
171 break;
172 default:
173 *h_errnop = NO_DATA;
174 *errnop = EAFNOSUPPORT;
175 return NSS_STATUS_UNAVAIL;
176 }
177
178 result->h_addrtype = af;
179 result->h_length = size;
180
181 /*
182 * if there aren't any dots, it could be a user-level alias.
183 * this is also done in res_query() since we are not the only
184 * function that looks up host names.
185 */
186 if (strchr (name, '.') == NULL
187 && (cp = res_hostalias (&_res, name, tmp, sizeof (tmp))) != NULL)
188 name = cp;
189
190 host_buffer.buf = orig_host_buffer = (querybuf *) alloca (1024);
191
192 n = __libc_res_nsearch (&_res, name, C_IN, type, host_buffer.buf->buf,
193 1024, &host_buffer.ptr, NULL, NULL, NULL, NULL);
194 if (n < 0)
195 {
196 switch (errno)
197 {
198 case ESRCH:
199 status = NSS_STATUS_TRYAGAIN;
200 h_errno = TRY_AGAIN;
201 break;
202 /* System has run out of file descriptors. */
203 case EMFILE:
204 case ENFILE:
205 h_errno = NETDB_INTERNAL;
206 /* Fall through. */
207 case ECONNREFUSED:
208 case ETIMEDOUT:
209 status = NSS_STATUS_UNAVAIL;
210 break;
211 default:
212 status = NSS_STATUS_NOTFOUND;
213 break;
214 }
215 *h_errnop = h_errno;
216 if (h_errno == TRY_AGAIN)
217 *errnop = EAGAIN;
218 else
219 __set_errno (olderr);
220
221 /* If we are looking for an IPv6 address and mapping is enabled
222 by having the RES_USE_INET6 bit in _res.options set, we try
223 another lookup. */
224 if (af == AF_INET6 && (_res.options & RES_USE_INET6))
225 n = __libc_res_nsearch (&_res, name, C_IN, T_A, host_buffer.buf->buf,
226 host_buffer.buf != orig_host_buffer
227 ? MAXPACKET : 1024, &host_buffer.ptr,
228 NULL, NULL, NULL, NULL);
229
230 if (n < 0)
231 {
232 if (host_buffer.buf != orig_host_buffer)
233 free (host_buffer.buf);
234 return status;
235 }
236
237 map = 1;
238
239 result->h_addrtype = AF_INET;
240 result->h_length = INADDRSZ;
241 }
242
243 status = getanswer_r (host_buffer.buf, n, name, type, result, buffer, buflen,
244 errnop, h_errnop, map, ttlp, canonp);
245 if (host_buffer.buf != orig_host_buffer)
246 free (host_buffer.buf);
247 return status;
248 }
249 hidden_def (_nss_dns_gethostbyname3_r)
250
251
252 enum nss_status
253 _nss_dns_gethostbyname2_r (const char *name, int af, struct hostent *result,
254 char *buffer, size_t buflen, int *errnop,
255 int *h_errnop)
256 {
257 return _nss_dns_gethostbyname3_r (name, af, result, buffer, buflen, errnop,
258 h_errnop, NULL, NULL);
259 }
260
261
262 enum nss_status
263 _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
264 char *buffer, size_t buflen, int *errnop,
265 int *h_errnop)
266 {
267 enum nss_status status = NSS_STATUS_NOTFOUND;
268
269 if (_res.options & RES_USE_INET6)
270 status = _nss_dns_gethostbyname3_r (name, AF_INET6, result, buffer,
271 buflen, errnop, h_errnop, NULL, NULL);
272 if (status == NSS_STATUS_NOTFOUND)
273 status = _nss_dns_gethostbyname3_r (name, AF_INET, result, buffer,
274 buflen, errnop, h_errnop, NULL, NULL);
275
276 return status;
277 }
278
279
280 enum nss_status
281 _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
282 char *buffer, size_t buflen, int *errnop,
283 int *herrnop, int32_t *ttlp)
284 {
285 if (__res_maybe_init (&_res, 0) == -1)
286 return NSS_STATUS_UNAVAIL;
287
288 /*
289 * if there aren't any dots, it could be a user-level alias.
290 * this is also done in res_query() since we are not the only
291 * function that looks up host names.
292 */
293 if (strchr (name, '.') == NULL)
294 {
295 char *tmp = alloca (NS_MAXDNAME);
296 const char *cp = res_hostalias (&_res, name, tmp, NS_MAXDNAME);
297 if (cp != NULL)
298 name = cp;
299 }
300
301 union
302 {
303 querybuf *buf;
304 u_char *ptr;
305 } host_buffer;
306 querybuf *orig_host_buffer;
307 host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);
308 u_char *ans2p = NULL;
309 int nans2p = 0;
310 int resplen2 = 0;
311 int ans2p_malloced = 0;
312
313 int olderr = errno;
314 enum nss_status status;
315 int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
316 host_buffer.buf->buf, 2048, &host_buffer.ptr,
317 &ans2p, &nans2p, &resplen2, &ans2p_malloced);
318 if (n >= 0)
319 {
320 status = gaih_getanswer (host_buffer.buf, n, (const querybuf *) ans2p,
321 resplen2, name, pat, buffer, buflen,
322 errnop, herrnop, ttlp);
323 }
324 else
325 {
326 switch (errno)
327 {
328 case ESRCH:
329 status = NSS_STATUS_TRYAGAIN;
330 h_errno = TRY_AGAIN;
331 break;
332 /* System has run out of file descriptors. */
333 case EMFILE:
334 case ENFILE:
335 h_errno = NETDB_INTERNAL;
336 /* Fall through. */
337 case ECONNREFUSED:
338 case ETIMEDOUT:
339 status = NSS_STATUS_UNAVAIL;
340 break;
341 default:
342 status = NSS_STATUS_NOTFOUND;
343 break;
344 }
345
346 *herrnop = h_errno;
347 if (h_errno == TRY_AGAIN)
348 *errnop = EAGAIN;
349 else
350 __set_errno (olderr);
351 }
352
353 /* Check whether ans2p was separately allocated. */
354 if (ans2p_malloced)
355 free (ans2p);
356
357 if (host_buffer.buf != orig_host_buffer)
358 free (host_buffer.buf);
359
360 return status;
361 }
362
363
364 extern enum nss_status _nss_dns_gethostbyaddr2_r (const void *addr,
365 socklen_t len, int af,
366 struct hostent *result,
367 char *buffer, size_t buflen,
368 int *errnop, int *h_errnop,
369 int32_t *ttlp);
370 hidden_proto (_nss_dns_gethostbyaddr2_r)
371
372 enum nss_status
373 _nss_dns_gethostbyaddr2_r (const void *addr, socklen_t len, int af,
374 struct hostent *result, char *buffer, size_t buflen,
375 int *errnop, int *h_errnop, int32_t *ttlp)
376 {
377 static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
378 static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
379 static const u_char v6local[] = { 0,0, 0,1 };
380 const u_char *uaddr = (const u_char *)addr;
381 struct host_data
382 {
383 char *aliases[MAX_NR_ALIASES];
384 unsigned char host_addr[16]; /* IPv4 or IPv6 */
385 char *h_addr_ptrs[MAX_NR_ADDRS + 1];
386 char linebuffer[0];
387 } *host_data = (struct host_data *) buffer;
388 union
389 {
390 querybuf *buf;
391 u_char *ptr;
392 } host_buffer;
393 querybuf *orig_host_buffer;
394 char qbuf[MAXDNAME+1], *qp = NULL;
395 size_t size;
396 int n, status;
397 int olderr = errno;
398
399 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
400 buffer += pad;
401 buflen = buflen > pad ? buflen - pad : 0;
402
403 if (__glibc_unlikely (buflen < sizeof (struct host_data)))
404 {
405 *errnop = ERANGE;
406 *h_errnop = NETDB_INTERNAL;
407 return NSS_STATUS_TRYAGAIN;
408 }
409
410 host_data = (struct host_data *) buffer;
411
412 if (__res_maybe_init (&_res, 0) == -1)
413 return NSS_STATUS_UNAVAIL;
414
415 if (af == AF_INET6 && len == IN6ADDRSZ
416 && (memcmp (uaddr, mapped, sizeof mapped) == 0
417 || (memcmp (uaddr, tunnelled, sizeof tunnelled) == 0
418 && memcmp (&uaddr[sizeof tunnelled], v6local, sizeof v6local))))
419 {
420 /* Unmap. */
421 addr += sizeof mapped;
422 uaddr += sizeof mapped;
423 af = AF_INET;
424 len = INADDRSZ;
425 }
426
427 switch (af)
428 {
429 case AF_INET:
430 size = INADDRSZ;
431 break;
432 case AF_INET6:
433 size = IN6ADDRSZ;
434 break;
435 default:
436 *errnop = EAFNOSUPPORT;
437 *h_errnop = NETDB_INTERNAL;
438 return NSS_STATUS_UNAVAIL;
439 }
440 if (size > len)
441 {
442 *errnop = EAFNOSUPPORT;
443 *h_errnop = NETDB_INTERNAL;
444 return NSS_STATUS_UNAVAIL;
445 }
446
447 host_buffer.buf = orig_host_buffer = (querybuf *) alloca (1024);
448
449 switch (af)
450 {
451 case AF_INET:
452 sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", (uaddr[3] & 0xff),
453 (uaddr[2] & 0xff), (uaddr[1] & 0xff), (uaddr[0] & 0xff));
454 break;
455 case AF_INET6:
456 /* Only lookup with the byte string format if the user wants it. */
457 if (__glibc_unlikely (_res.options & RES_USEBSTRING))
458 {
459 qp = stpcpy (qbuf, "\\[x");
460 for (n = 0; n < IN6ADDRSZ; ++n)
461 qp += sprintf (qp, "%02hhx", uaddr[n]);
462 strcpy (qp, "].ip6.arpa");
463 n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR,
464 host_buffer.buf->buf, 1024, &host_buffer.ptr,
465 NULL, NULL, NULL, NULL);
466 if (n >= 0)
467 goto got_it_already;
468 }
469 qp = qbuf;
470 for (n = IN6ADDRSZ - 1; n >= 0; n--)
471 {
472 static const char nibblechar[16] = "0123456789abcdef";
473 *qp++ = nibblechar[uaddr[n] & 0xf];
474 *qp++ = '.';
475 *qp++ = nibblechar[(uaddr[n] >> 4) & 0xf];
476 *qp++ = '.';
477 }
478 strcpy(qp, "ip6.arpa");
479 break;
480 default:
481 /* Cannot happen. */
482 break;
483 }
484
485 n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR, host_buffer.buf->buf,
486 1024, &host_buffer.ptr, NULL, NULL, NULL, NULL);
487 if (n < 0 && af == AF_INET6 && (_res.options & RES_NOIP6DOTINT) == 0)
488 {
489 strcpy (qp, "ip6.int");
490 n = __libc_res_nquery (&_res, qbuf, C_IN, T_PTR, host_buffer.buf->buf,
491 host_buffer.buf != orig_host_buffer
492 ? MAXPACKET : 1024, &host_buffer.ptr,
493 NULL, NULL, NULL, NULL);
494 }
495 if (n < 0)
496 {
497 *h_errnop = h_errno;
498 __set_errno (olderr);
499 if (host_buffer.buf != orig_host_buffer)
500 free (host_buffer.buf);
501 return errno == ECONNREFUSED ? NSS_STATUS_UNAVAIL : NSS_STATUS_NOTFOUND;
502 }
503
504 got_it_already:
505 status = getanswer_r (host_buffer.buf, n, qbuf, T_PTR, result, buffer, buflen,
506 errnop, h_errnop, 0 /* XXX */, ttlp, NULL);
507 if (host_buffer.buf != orig_host_buffer)
508 free (host_buffer.buf);
509 if (status != NSS_STATUS_SUCCESS)
510 return status;
511
512 #ifdef SUNSECURITY
513 This is not implemented because it is not possible to use the current
514 source from bind in a multi-threaded program.
515 #endif
516
517 result->h_addrtype = af;
518 result->h_length = len;
519 memcpy (host_data->host_addr, addr, len);
520 host_data->h_addr_ptrs[0] = (char *) host_data->host_addr;
521 host_data->h_addr_ptrs[1] = NULL;
522 #if 0
523 /* XXX I think this is wrong. Why should an IPv4 address be
524 converted to IPv6 if the user explicitly asked for IPv4? */
525 if (af == AF_INET && (_res.options & RES_USE_INET6))
526 {
527 map_v4v6_address ((char *) host_data->host_addr,
528 (char *) host_data->host_addr);
529 result->h_addrtype = AF_INET6;
530 result->h_length = IN6ADDRSZ;
531 }
532 #endif
533 *h_errnop = NETDB_SUCCESS;
534 return NSS_STATUS_SUCCESS;
535 }
536 hidden_def (_nss_dns_gethostbyaddr2_r)
537
538
539 enum nss_status
540 _nss_dns_gethostbyaddr_r (const void *addr, socklen_t len, int af,
541 struct hostent *result, char *buffer, size_t buflen,
542 int *errnop, int *h_errnop)
543 {
544 return _nss_dns_gethostbyaddr2_r (addr, len, af, result, buffer, buflen,
545 errnop, h_errnop, NULL);
546 }
547
548 #ifdef RESOLVSORT
549 static void addrsort (char **ap, int num);
550
551 static void
552 addrsort (char **ap, int num)
553 {
554 int i, j;
555 char **p;
556 short aval[MAX_NR_ADDRS];
557 int needsort = 0;
558
559 p = ap;
560 if (num > MAX_NR_ADDRS)
561 num = MAX_NR_ADDRS;
562 for (i = 0; i < num; i++, p++)
563 {
564 for (j = 0 ; (unsigned)j < _res.nsort; j++)
565 if (_res.sort_list[j].addr.s_addr ==
566 (((struct in_addr *)(*p))->s_addr & _res.sort_list[j].mask))
567 break;
568 aval[i] = j;
569 if (needsort == 0 && i > 0 && j < aval[i-1])
570 needsort = i;
571 }
572 if (!needsort)
573 return;
574
575 while (needsort++ < num)
576 for (j = needsort - 2; j >= 0; j--)
577 if (aval[j] > aval[j+1])
578 {
579 char *hp;
580
581 i = aval[j];
582 aval[j] = aval[j+1];
583 aval[j+1] = i;
584
585 hp = ap[j];
586 ap[j] = ap[j+1];
587 ap[j+1] = hp;
588 }
589 else
590 break;
591 }
592 #endif
593
594 static enum nss_status
595 getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
596 struct hostent *result, char *buffer, size_t buflen,
597 int *errnop, int *h_errnop, int map, int32_t *ttlp, char **canonp)
598 {
599 struct host_data
600 {
601 char *aliases[MAX_NR_ALIASES];
602 unsigned char host_addr[16]; /* IPv4 or IPv6 */
603 char *h_addr_ptrs[0];
604 } *host_data;
605 int linebuflen;
606 const HEADER *hp;
607 const u_char *end_of_message, *cp;
608 int n, ancount, qdcount;
609 int haveanswer, had_error;
610 char *bp, **ap, **hap;
611 char tbuf[MAXDNAME];
612 const char *tname;
613 int (*name_ok) (const char *);
614 u_char packtmp[NS_MAXCDNAME];
615 int have_to_map = 0;
616 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
617 buffer += pad;
618 buflen = buflen > pad ? buflen - pad : 0;
619 if (__glibc_unlikely (buflen < sizeof (struct host_data)))
620 {
621 /* The buffer is too small. */
622 too_small:
623 *errnop = ERANGE;
624 *h_errnop = NETDB_INTERNAL;
625 return NSS_STATUS_TRYAGAIN;
626 }
627 host_data = (struct host_data *) buffer;
628 linebuflen = buflen - sizeof (struct host_data);
629 if (buflen - sizeof (struct host_data) != linebuflen)
630 linebuflen = INT_MAX;
631
632 tname = qname;
633 result->h_name = NULL;
634 end_of_message = answer->buf + anslen;
635 switch (qtype)
636 {
637 case T_A:
638 case T_AAAA:
639 name_ok = res_hnok;
640 break;
641 case T_PTR:
642 name_ok = res_dnok;
643 break;
644 default:
645 *errnop = ENOENT;
646 return NSS_STATUS_UNAVAIL; /* XXX should be abort(); */
647 }
648
649 /*
650 * find first satisfactory answer
651 */
652 hp = &answer->hdr;
653 ancount = ntohs (hp->ancount);
654 qdcount = ntohs (hp->qdcount);
655 cp = answer->buf + HFIXEDSZ;
656 if (__builtin_expect (qdcount, 1) != 1)
657 {
658 *h_errnop = NO_RECOVERY;
659 return NSS_STATUS_UNAVAIL;
660 }
661 if (sizeof (struct host_data) + (ancount + 1) * sizeof (char *) >= buflen)
662 goto too_small;
663 bp = (char *) &host_data->h_addr_ptrs[ancount + 1];
664 linebuflen -= (ancount + 1) * sizeof (char *);
665
666 n = __ns_name_unpack (answer->buf, end_of_message, cp,
667 packtmp, sizeof packtmp);
668 if (n != -1 && __ns_name_ntop (packtmp, bp, linebuflen) == -1)
669 {
670 if (__builtin_expect (errno, 0) == EMSGSIZE)
671 goto too_small;
672
673 n = -1;
674 }
675
676 if (n > 0 && bp[0] == '.')
677 bp[0] = '\0';
678
679 if (__builtin_expect (n < 0 || ((*name_ok) (bp) == 0 && (errno = EBADMSG)),
680 0))
681 {
682 *errnop = errno;
683 *h_errnop = NO_RECOVERY;
684 return NSS_STATUS_UNAVAIL;
685 }
686 cp += n + QFIXEDSZ;
687
688 if (qtype == T_A || qtype == T_AAAA)
689 {
690 /* res_send() has already verified that the query name is the
691 * same as the one we sent; this just gets the expanded name
692 * (i.e., with the succeeding search-domain tacked on).
693 */
694 n = strlen (bp) + 1; /* for the \0 */
695 if (n >= MAXHOSTNAMELEN)
696 {
697 *h_errnop = NO_RECOVERY;
698 *errnop = ENOENT;
699 return NSS_STATUS_TRYAGAIN;
700 }
701 result->h_name = bp;
702 bp += n;
703 linebuflen -= n;
704 if (linebuflen < 0)
705 goto too_small;
706 /* The qname can be abbreviated, but h_name is now absolute. */
707 qname = result->h_name;
708 }
709
710 ap = host_data->aliases;
711 *ap = NULL;
712 result->h_aliases = host_data->aliases;
713 hap = host_data->h_addr_ptrs;
714 *hap = NULL;
715 result->h_addr_list = host_data->h_addr_ptrs;
716 haveanswer = 0;
717 had_error = 0;
718
719 while (ancount-- > 0 && cp < end_of_message && had_error == 0)
720 {
721 int type, class;
722
723 n = __ns_name_unpack (answer->buf, end_of_message, cp,
724 packtmp, sizeof packtmp);
725 if (n != -1 && __ns_name_ntop (packtmp, bp, linebuflen) == -1)
726 {
727 if (__builtin_expect (errno, 0) == EMSGSIZE)
728 goto too_small;
729
730 n = -1;
731 }
732
733 if (__glibc_unlikely (n < 0 || (*name_ok) (bp) == 0))
734 {
735 ++had_error;
736 continue;
737 }
738 cp += n; /* name */
739
740 if (__glibc_unlikely (cp + 10 > end_of_message))
741 {
742 ++had_error;
743 continue;
744 }
745
746 type = __ns_get16 (cp);
747 cp += INT16SZ; /* type */
748 class = __ns_get16 (cp);
749 cp += INT16SZ; /* class */
750 int32_t ttl = __ns_get32 (cp);
751 cp += INT32SZ; /* TTL */
752 n = __ns_get16 (cp);
753 cp += INT16SZ; /* len */
754 if (__glibc_unlikely (class != C_IN))
755 {
756 /* XXX - debug? syslog? */
757 cp += n;
758 continue; /* XXX - had_error++ ? */
759 }
760
761 if ((qtype == T_A || qtype == T_AAAA) && type == T_CNAME)
762 {
763 /* A CNAME could also have a TTL entry. */
764 if (ttlp != NULL && ttl < *ttlp)
765 *ttlp = ttl;
766
767 if (ap >= &host_data->aliases[MAX_NR_ALIASES - 1])
768 continue;
769 n = dn_expand (answer->buf, end_of_message, cp, tbuf, sizeof tbuf);
770 if (__glibc_unlikely (n < 0 || (*name_ok) (tbuf) == 0))
771 {
772 ++had_error;
773 continue;
774 }
775 cp += n;
776 /* Store alias. */
777 *ap++ = bp;
778 n = strlen (bp) + 1; /* For the \0. */
779 if (__builtin_expect (n, 0) >= MAXHOSTNAMELEN)
780 {
781 ++had_error;
782 continue;
783 }
784 bp += n;
785 linebuflen -= n;
786 /* Get canonical name. */
787 n = strlen (tbuf) + 1; /* For the \0. */
788 if (__glibc_unlikely (n > linebuflen))
789 goto too_small;
790 if (__builtin_expect (n, 0) >= MAXHOSTNAMELEN)
791 {
792 ++had_error;
793 continue;
794 }
795 result->h_name = bp;
796 bp = __mempcpy (bp, tbuf, n); /* Cannot overflow. */
797 linebuflen -= n;
798 continue;
799 }
800
801 if (qtype == T_PTR && type == T_CNAME)
802 {
803 n = dn_expand (answer->buf, end_of_message, cp, tbuf, sizeof tbuf);
804 if (__glibc_unlikely (n < 0 || res_dnok (tbuf) == 0))
805 {
806 ++had_error;
807 continue;
808 }
809 cp += n;
810 /* Get canonical name. */
811 n = strlen (tbuf) + 1; /* For the \0. */
812 if (__glibc_unlikely (n > linebuflen))
813 goto too_small;
814 if (__builtin_expect (n, 0) >= MAXHOSTNAMELEN)
815 {
816 ++had_error;
817 continue;
818 }
819 tname = bp;
820 bp = __mempcpy (bp, tbuf, n); /* Cannot overflow. */
821 linebuflen -= n;
822 continue;
823 }
824
825 if (type == T_A && qtype == T_AAAA && map)
826 have_to_map = 1;
827 else if (__glibc_unlikely (type != qtype))
828 {
829 /* Log a low priority message if we get an unexpected record, but
830 skip it if we are using DNSSEC since it uses many different types
831 in responses that do not match QTYPE. */
832 if ((_res.options & RES_USE_DNSSEC) == 0)
833 syslog (LOG_NOTICE | LOG_AUTH,
834 "gethostby*.getanswer: asked for \"%s %s %s\", "
835 "got type \"%s\"",
836 qname, p_class (C_IN), p_type (qtype), p_type (type));
837 cp += n;
838 continue; /* XXX - had_error++ ? */
839 }
840
841 switch (type)
842 {
843 case T_PTR:
844 if (__glibc_unlikely (strcasecmp (tname, bp) != 0))
845 {
846 syslog (LOG_NOTICE | LOG_AUTH, AskedForGot, qname, bp);
847 cp += n;
848 continue; /* XXX - had_error++ ? */
849 }
850
851 n = __ns_name_unpack (answer->buf, end_of_message, cp,
852 packtmp, sizeof packtmp);
853 if (n != -1 && __ns_name_ntop (packtmp, bp, linebuflen) == -1)
854 {
855 if (__builtin_expect (errno, 0) == EMSGSIZE)
856 goto too_small;
857
858 n = -1;
859 }
860
861 if (__glibc_unlikely (n < 0 || res_hnok (bp) == 0))
862 {
863 ++had_error;
864 break;
865 }
866 /* bind would put multiple PTR records as aliases, but we don't do
867 that. */
868 result->h_name = bp;
869 if (have_to_map)
870 {
871 n = strlen (bp) + 1; /* for the \0 */
872 if (__glibc_unlikely (n >= MAXHOSTNAMELEN))
873 {
874 ++had_error;
875 break;
876 }
877 bp += n;
878 linebuflen -= n;
879 if (map_v4v6_hostent (result, &bp, &linebuflen))
880 goto too_small;
881 }
882 *h_errnop = NETDB_SUCCESS;
883 return NSS_STATUS_SUCCESS;
884 case T_A:
885 case T_AAAA:
886 if (__builtin_expect (strcasecmp (result->h_name, bp), 0) != 0)
887 {
888 syslog (LOG_NOTICE | LOG_AUTH, AskedForGot, result->h_name, bp);
889 cp += n;
890 continue; /* XXX - had_error++ ? */
891 }
892 if (n != result->h_length)
893 {
894 cp += n;
895 continue;
896 }
897 if (!haveanswer)
898 {
899 int nn;
900
901 /* We compose a single hostent out of the entire chain of
902 entries, so the TTL of the hostent is essentially the lowest
903 TTL in the chain. */
904 if (ttlp != NULL && ttl < *ttlp)
905 *ttlp = ttl;
906 if (canonp != NULL)
907 *canonp = bp;
908 result->h_name = bp;
909 nn = strlen (bp) + 1; /* for the \0 */
910 bp += nn;
911 linebuflen -= nn;
912 }
913
914 linebuflen -= sizeof (align) - ((u_long) bp % sizeof (align));
915 bp += sizeof (align) - ((u_long) bp % sizeof (align));
916
917 if (__glibc_unlikely (n > linebuflen))
918 goto too_small;
919 bp = __mempcpy (*hap++ = bp, cp, n);
920 cp += n;
921 linebuflen -= n;
922 break;
923 default:
924 abort ();
925 }
926 if (had_error == 0)
927 ++haveanswer;
928 }
929
930 if (haveanswer > 0)
931 {
932 *ap = NULL;
933 *hap = NULL;
934 #if defined RESOLVSORT
935 /*
936 * Note: we sort even if host can take only one address
937 * in its return structures - should give it the "best"
938 * address in that case, not some random one
939 */
940 if (_res.nsort && haveanswer > 1 && qtype == T_A)
941 addrsort (host_data->h_addr_ptrs, haveanswer);
942 #endif /*RESOLVSORT*/
943
944 if (result->h_name == NULL)
945 {
946 n = strlen (qname) + 1; /* For the \0. */
947 if (n > linebuflen)
948 goto too_small;
949 if (n >= MAXHOSTNAMELEN)
950 goto no_recovery;
951 result->h_name = bp;
952 bp = __mempcpy (bp, qname, n); /* Cannot overflow. */
953 linebuflen -= n;
954 }
955
956 if (have_to_map)
957 if (map_v4v6_hostent (result, &bp, &linebuflen))
958 goto too_small;
959 *h_errnop = NETDB_SUCCESS;
960 return NSS_STATUS_SUCCESS;
961 }
962 no_recovery:
963 *h_errnop = NO_RECOVERY;
964 *errnop = ENOENT;
965 /* Special case here: if the resolver sent a result but it only
966 contains a CNAME while we are looking for a T_A or T_AAAA record,
967 we fail with NOTFOUND instead of TRYAGAIN. */
968 return ((qtype == T_A || qtype == T_AAAA) && ap != host_data->aliases
969 ? NSS_STATUS_NOTFOUND : NSS_STATUS_TRYAGAIN);
970 }
971
972
973 static enum nss_status
974 gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
975 struct gaih_addrtuple ***patp,
976 char **bufferp, size_t *buflenp,
977 int *errnop, int *h_errnop, int32_t *ttlp, int *firstp)
978 {
979 char *buffer = *bufferp;
980 size_t buflen = *buflenp;
981
982 struct gaih_addrtuple **pat = *patp;
983 const HEADER *hp = &answer->hdr;
984 int ancount = ntohs (hp->ancount);
985 int qdcount = ntohs (hp->qdcount);
986 const u_char *cp = answer->buf + HFIXEDSZ;
987 const u_char *end_of_message = answer->buf + anslen;
988 if (__glibc_unlikely (qdcount != 1))
989 {
990 *h_errnop = NO_RECOVERY;
991 return NSS_STATUS_UNAVAIL;
992 }
993
994 u_char packtmp[NS_MAXCDNAME];
995 int n = __ns_name_unpack (answer->buf, end_of_message, cp,
996 packtmp, sizeof packtmp);
997 /* We unpack the name to check it for validity. But we do not need
998 it later. */
999 if (n != -1 && __ns_name_ntop (packtmp, buffer, buflen) == -1)
1000 {
1001 if (__builtin_expect (errno, 0) == EMSGSIZE)
1002 {
1003 too_small:
1004 *errnop = ERANGE;
1005 *h_errnop = NETDB_INTERNAL;
1006 return NSS_STATUS_TRYAGAIN;
1007 }
1008
1009 n = -1;
1010 }
1011
1012 if (__builtin_expect (n < 0 || (res_hnok (buffer) == 0
1013 && (errno = EBADMSG)), 0))
1014 {
1015 *errnop = errno;
1016 *h_errnop = NO_RECOVERY;
1017 return NSS_STATUS_UNAVAIL;
1018 }
1019 cp += n + QFIXEDSZ;
1020
1021 int haveanswer = 0;
1022 int had_error = 0;
1023 char *canon = NULL;
1024 char *h_name = NULL;
1025 int h_namelen = 0;
1026
1027 if (ancount == 0)
1028 return NSS_STATUS_NOTFOUND;
1029
1030 while (ancount-- > 0 && cp < end_of_message && had_error == 0)
1031 {
1032 n = __ns_name_unpack (answer->buf, end_of_message, cp,
1033 packtmp, sizeof packtmp);
1034 if (n != -1 &&
1035 (h_namelen = __ns_name_ntop (packtmp, buffer, buflen)) == -1)
1036 {
1037 if (__builtin_expect (errno, 0) == EMSGSIZE)
1038 goto too_small;
1039
1040 n = -1;
1041 }
1042 if (__glibc_unlikely (n < 0 || res_hnok (buffer) == 0))
1043 {
1044 ++had_error;
1045 continue;
1046 }
1047 if (*firstp && canon == NULL)
1048 {
1049 h_name = buffer;
1050 buffer += h_namelen;
1051 buflen -= h_namelen;
1052 }
1053
1054 cp += n; /* name */
1055
1056 if (__glibc_unlikely (cp + 10 > end_of_message))
1057 {
1058 ++had_error;
1059 continue;
1060 }
1061
1062 int type = __ns_get16 (cp);
1063 cp += INT16SZ; /* type */
1064 int class = __ns_get16 (cp);
1065 cp += INT16SZ; /* class */
1066 int32_t ttl = __ns_get32 (cp);
1067 cp += INT32SZ; /* TTL */
1068 n = __ns_get16 (cp);
1069 cp += INT16SZ; /* len */
1070
1071 if (class != C_IN)
1072 {
1073 cp += n;
1074 continue;
1075 }
1076
1077 if (type == T_CNAME)
1078 {
1079 char tbuf[MAXDNAME];
1080
1081 /* A CNAME could also have a TTL entry. */
1082 if (ttlp != NULL && ttl < *ttlp)
1083 *ttlp = ttl;
1084
1085 n = dn_expand (answer->buf, end_of_message, cp, tbuf, sizeof tbuf);
1086 if (__glibc_unlikely (n < 0 || res_hnok (tbuf) == 0))
1087 {
1088 ++had_error;
1089 continue;
1090 }
1091 cp += n;
1092
1093 if (*firstp)
1094 {
1095 /* Reclaim buffer space. */
1096 if (h_name + h_namelen == buffer)
1097 {
1098 buffer = h_name;
1099 buflen += h_namelen;
1100 }
1101
1102 n = strlen (tbuf) + 1;
1103 if (__glibc_unlikely (n > buflen))
1104 goto too_small;
1105 if (__glibc_unlikely (n >= MAXHOSTNAMELEN))
1106 {
1107 ++had_error;
1108 continue;
1109 }
1110
1111 canon = buffer;
1112 buffer = __mempcpy (buffer, tbuf, n);
1113 buflen -= n;
1114 h_namelen = 0;
1115 }
1116 continue;
1117 }
1118 #if 1
1119 // We should not see any types other than those explicitly listed
1120 // below. Some types sent by server seem missing, though. Just
1121 // collect the data for now.
1122 if (__glibc_unlikely (type != T_A && type != T_AAAA))
1123 #else
1124 if (__builtin_expect (type == T_SIG, 0)
1125 || __builtin_expect (type == T_KEY, 0)
1126 || __builtin_expect (type == T_NXT, 0)
1127 || __builtin_expect (type == T_PTR, 0)
1128 || __builtin_expect (type == T_DNAME, 0))
1129 #endif
1130 {
1131 /* We don't support DNSSEC yet. For now, ignore the record
1132 and send a low priority message to syslog.
1133
1134 We also don't expect T_PTR or T_DNAME messages. */
1135 syslog (LOG_DEBUG | LOG_AUTH,
1136 "getaddrinfo*.gaih_getanswer: got type \"%s\"",
1137 p_type (type));
1138 cp += n;
1139 continue;
1140 }
1141 if (type != T_A && type != T_AAAA)
1142 abort ();
1143
1144 if (*pat == NULL)
1145 {
1146 uintptr_t pad = (-(uintptr_t) buffer
1147 % __alignof__ (struct gaih_addrtuple));
1148 buffer += pad;
1149 buflen = buflen > pad ? buflen - pad : 0;
1150
1151 if (__builtin_expect (buflen < sizeof (struct gaih_addrtuple),
1152 0))
1153 goto too_small;
1154
1155 *pat = (struct gaih_addrtuple *) buffer;
1156 buffer += sizeof (struct gaih_addrtuple);
1157 buflen -= sizeof (struct gaih_addrtuple);
1158 }
1159
1160 (*pat)->name = NULL;
1161 (*pat)->next = NULL;
1162
1163 if (*firstp)
1164 {
1165 /* We compose a single hostent out of the entire chain of
1166 entries, so the TTL of the hostent is essentially the lowest
1167 TTL in the chain. */
1168 if (ttlp != NULL && ttl < *ttlp)
1169 *ttlp = ttl;
1170
1171 (*pat)->name = canon ?: h_name;
1172
1173 *firstp = 0;
1174 }
1175
1176 (*pat)->family = type == T_A ? AF_INET : AF_INET6;
1177 if (__builtin_expect ((type == T_A && n != INADDRSZ)
1178 || (type == T_AAAA && n != IN6ADDRSZ), 0))
1179 {
1180 ++had_error;
1181 continue;
1182 }
1183 memcpy ((*pat)->addr, cp, n);
1184 cp += n;
1185 (*pat)->scopeid = 0;
1186
1187 pat = &((*pat)->next);
1188
1189 haveanswer = 1;
1190 }
1191
1192 if (haveanswer)
1193 {
1194 *patp = pat;
1195 *bufferp = buffer;
1196 *buflenp = buflen;
1197
1198 *h_errnop = NETDB_SUCCESS;
1199 return NSS_STATUS_SUCCESS;
1200 }
1201
1202 /* Special case here: if the resolver sent a result but it only
1203 contains a CNAME while we are looking for a T_A or T_AAAA record,
1204 we fail with NOTFOUND instead of TRYAGAIN. */
1205 return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
1206 }
1207
1208
1209 static enum nss_status
1210 gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
1211 int anslen2, const char *qname,
1212 struct gaih_addrtuple **pat, char *buffer, size_t buflen,
1213 int *errnop, int *h_errnop, int32_t *ttlp)
1214 {
1215 int first = 1;
1216
1217 enum nss_status status = NSS_STATUS_NOTFOUND;
1218
1219 if (anslen1 > 0)
1220 status = gaih_getanswer_slice(answer1, anslen1, qname,
1221 &pat, &buffer, &buflen,
1222 errnop, h_errnop, ttlp,
1223 &first);
1224 if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
1225 || (status == NSS_STATUS_TRYAGAIN
1226 /* We want to look at the second answer in case of an
1227 NSS_STATUS_TRYAGAIN only if the error is non-recoverable, i.e.
1228 *h_errnop is NO_RECOVERY. If not, and if the failure was due to
1229 an insufficient buffer (ERANGE), then we need to drop the results
1230 and pass on the NSS_STATUS_TRYAGAIN to the caller so that it can
1231 repeat the query with a larger buffer. */
1232 && (*errnop != ERANGE || *h_errnop == NO_RECOVERY)))
1233 && answer2 != NULL && anslen2 > 0)
1234 {
1235 enum nss_status status2 = gaih_getanswer_slice(answer2, anslen2, qname,
1236 &pat, &buffer, &buflen,
1237 errnop, h_errnop, ttlp,
1238 &first);
1239 if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
1240 status = status2;
1241 }
1242
1243 return status;
1244 }
A mirror of the official glibc repository