netbsd-bugs: bin/12128: bind-8.2.3 segfault in ns

Subject: bin/12128: bind-8.2.3 segfault in ns_resp()
To: None <gnats-bugs@gnats.netbsd.org>
From: Simon J. Gerraty <sjg@quick.com.au>
List: netbsd-bugs
Date: 02/04/2001 01:02:20
>Number:         12128
>Category:       bin
>Synopsis:       bind-8.2.3 from 1.5 branch core dumps in ns_resp()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 04 01:05:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Simon J. Gerraty
>Release:        1.5.1
>Organization:
Zen Programming...
>Environment:
	
NetBSD gate 1.5.1_ALPHA NetBSD 1.5.1_ALPHA (GATE) #0: Fri Jan 26 09:26:29 PST 2001     root@gate:/var/obj/GATE sparc

>Description:
	
Just built and installed bind-8.2.3 from the 1.5 branch and it dumps core
pretty well immediately on startup.

This GDB was configured as "sparc--netbsd"...
Core was generated by `named'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/libexec/ld.elf_so...done.
Reading symbols from /usr/lib/libc.so.12...done.
#0  0x3a2ec in ns_resp (msg=0xeffff360 "Hï¤\200", msglen=28, from={
      sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 53, sin_addr = {
        s_addr = 3474032925}, sin_zero = "\000\000\000\000\000\000\000"}, 
    qsp=0x0)
    at /u3/NetBSD/1.5.X/src/usr.sbin/bind/named/../../../dist/bind/bin/named/ns_resp.c:459
459                     if (ina_equal(fwd->fwddata->fwdaddr.sin_addr, from.sin_addr))
(gdb) p fwd
$1 = (struct fwdinfo *) 0x0
(gdb) p from
$2 = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 53, sin_addr = {
    s_addr = 3474032925}, sin_zero = "\000\000\000\000\000\000\000"}

The code at that point looks ok btw:

	for (fwd = NS_ZFWDTAB(qp->q_fzone); fwd; fwd = fwd->next)
		if (ina_equal(fwd->fwddata->fwdaddr.sin_addr, from.sin_addr))
			break;

we should not reach the if with fwd==NULL
and in this core file, qp->q_fzone != NULL nor is 
qp->q_fzone->z_fwdtab->fwddata

(gdb) p/x *qp->q_fzone->z_fwdtab
$18 = {next = 0x41001084, fwddata = 0x3a2ec}
(gdb) p/x *qp->q_fzone->z_fwdtab->fwddata
$19 = {fwdaddr = {sin_len = 0xd0, sin_family = 0x0, sin_port = 0x6004, 
    sin_addr = {s_addr = 0xd0022004}, sin_zero = {0x80, 0xa2, 0x0, 0x9, 0x2, 
      0x80, 0x0, 0x8}}, ns = 0x53ffffa, nsdata = 0x8410a090, 
  ref_count = 0x8400801e}
(gdb) p/x *qp->q_fzone->z_fwdtab->next
Cannot access memory at address 0x41001084.
(gdb) 

but qp->q_fzone->z_fwdtab->next is bogus, and since 
the address in qp->q_fzone->z_fwdtab->fwddata does not match from, we go
to the next entry and die.

named.conf lists two forwarders.

>How-To-Repeat:

	
>Fix:
	
>Release-Note:
>Audit-Trail:
>Unformatted: