
Bug#64192: libc6: getaddrinfo bug



Package: libc6
Version: 2.1.3-10
Severity: normal

It seems there is something very wrong with the getaddrinfo function. Here 
is a test program,

#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

int main(int argc, const char *argv[])
{
   struct addrinfo *HostAddr = 0;
   struct addrinfo Hints;
   char Name[NI_MAXHOST];
   int Res;

   if (argc < 2) {
      fprintf(stderr, "usage: %s hostname\n", argv[0]);
      return 1;
   }

   /* Any address family (memset leaves ai_family = AF_UNSPEC),
      TCP stream socket, service "http" */
   memset(&Hints, 0, sizeof(Hints));
   Hints.ai_socktype = SOCK_STREAM;
   Hints.ai_protocol = IPPROTO_TCP;

   Res = getaddrinfo(argv[1], "http", &Hints, &HostAddr);
   printf("getaddrinfo = %i\n", Res);
   if (Res != 0 || HostAddr == 0) {
      fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(Res));
      return 1;
   }

   /* Print the first address returned, in numeric form */
   Name[0] = 0;
   getnameinfo(HostAddr->ai_addr, HostAddr->ai_addrlen,
               Name, sizeof(Name), 0, 0, NI_NUMERICHOST);
   printf("Name: %s\n", Name);

   freeaddrinfo(HostAddr);
   return 0;
}

To show what is happening I have turned on the query log on my local 
nameserver.

I also have this in /etc/resolv.conf:
domain deltatee.com
search deltatee.com debian.org priv.deltatee.com dyn.deltatee.com
nameserver 127.0.0.1

[The search line is important to the problem at hand]

If the program above is executed as:

$ /tmp/test samosa.debian.org
[multi-min pause]

Watching the query log from bind shows up this information:

May 15 23:50:31 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org/AAAA/IN
May 15 23:50:31 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org.deltatee.com/AAAA/IN
May 15 23:50:31 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org.debian.org/AAAA/IN
May 15 23:50:31 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org.priv.deltatee.com/AAAA/IN
May 15 23:50:46 wakko last message repeated 2 times
May 15 23:51:06 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org.priv.deltatee.com/AAAA/IN
May 15 23:51:46 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org.dyn.deltatee.com/AAAA/IN
May 15 23:52:21 wakko last message repeated 3 times
May 15 23:52:42 wakko named[11491]: XX+/127.0.0.1/samosa.debian.org/A/IN

Notice that libc asks bind to resolve all the possible AAAA combinations and
then starts trying the A possibilities. It seems to me that this is very
counter-intuitive; it may even be a security risk!

The above is done without doing anything 'evil'. For me it is a really nasty
problem because priv.deltatee.com and dyn.deltatee.com have firewalled name 
servers I cannot communicate with [their resolutions all time out when my IP
tunnel is not active]. This effectively crippled all programs using
getaddrinfo for resolution since it takes about 1.5 mins to get a response.

However, that is minor compared to this problem, which is actually a serious
bug. I control the deltatee.com domain, and have done this:

$ host -a samosa.debian.org.deltatee.com
samosa.debian.org.deltatee.com  AAAA    3FFE:600:8000:8:0:0:0:32

Watch:

Wakko{root}~/work/apt/build/bin#/tmp/a.out samosa.debian.org
getaddrinfo = 0
Name: 3ffe:600:8000:8::32

Nasty!

I have managed to redirect all queries for samosa.debian.org to my IPv6
machine! 

This is certainly a bug, the resolver library should try to find AAAA
records for samosa.debian.org, then A records. An order like this:
samosa.debian.org AAAA?
samosa.debian.org A?
samosa.debian.org.deltatee.com AAAA?
samosa.debian.org.deltatee.com A?
samosa.debian.org.priv.deltatee.com AAAA?
samosa.debian.org.priv.deltatee.com A?

And not like this:
samosa.debian.org AAAA?
samosa.debian.org.deltatee.com AAAA?
samosa.debian.org.priv.deltatee.com AAAA?
samosa.debian.org A?
samosa.debian.org.deltatee.com A?
samosa.debian.org.priv.deltatee.com A?

Thanks,
Jason
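To make the two query orders concrete, the following script models them. It is an added illustration, not glibc's resolver and not code from the original report: the search list, the hostname and the attacker's AAAA record are taken from the message above, while the zone table, the 192.0.2.10 address, the timeout modelling for the firewalled subdomains and the ndots handling are assumptions made for the demonstration.

```python
"""Model of the two resolver query orders discussed in the bug report above.

Added illustration, not the glibc resolver.  The zone data and the
192.0.2.10 address are constructed for the demonstration; only the search
list, the hostname and the attacker's AAAA record come from the report.
"""

SEARCH_LIST = ["deltatee.com", "debian.org", "priv.deltatee.com", "dyn.deltatee.com"]

# Domains whose name servers are firewalled: a query there times out
# instead of answering (as the report describes for priv/dyn.deltatee.com).
UNREACHABLE = ("priv.deltatee.com", "dyn.deltatee.com")

# Constructed zone data: owner name -> {rrtype: rdata}.
CLEAN_ZONE = {
    "samosa.debian.org": {"A": "192.0.2.10"},   # assumed address, documentation range
}
HIJACKED_ZONE = dict(CLEAN_ZONE)
HIJACKED_ZONE["samosa.debian.org.deltatee.com"] = {"AAAA": "3ffe:600:8000:8::32"}


def candidates(name, search_list, ndots=1):
    """Owner names the resolver tries, in order.  A name with at least `ndots`
    dots is queried as given first, then with each search domain appended;
    this reproduces the sequence visible in the bind query log above."""
    with_search = [name + "." + d for d in search_list]
    if name.count(".") >= ndots:
        return [name] + with_search
    return with_search + [name]


def query(zone, name, rrtype):
    """Return (rdata or None, timed_out) for one query against the mock zone."""
    if name.endswith(UNREACHABLE):
        return None, True
    return zone.get(name, {}).get(rrtype), False


def resolve_type_major(zone, name, search_list=SEARCH_LIST):
    """The order seen in the log: AAAA for every candidate, then A for every
    candidate.  Returns (answer, queries_sent, timeouts)."""
    sent, timeouts = [], 0
    for rrtype in ("AAAA", "A"):
        for cand in candidates(name, search_list):
            rdata, timed_out = query(zone, cand, rrtype)
            sent.append((cand, rrtype))
            timeouts += timed_out
            if rdata is not None:
                return rdata, sent, timeouts
    return None, sent, timeouts


def resolve_name_major(zone, name, search_list=SEARCH_LIST):
    """The order the report asks for: AAAA then A for each candidate before
    the next search domain is tried.  Returns (answer, queries_sent, timeouts)."""
    sent, timeouts = [], 0
    for cand in candidates(name, search_list):
        for rrtype in ("AAAA", "A"):
            rdata, timed_out = query(zone, cand, rrtype)
            sent.append((cand, rrtype))
            timeouts += timed_out
            if rdata is not None:
                return rdata, sent, timeouts
    return None, sent, timeouts


if __name__ == "__main__":
    for label, zone in (("clean", CLEAN_ZONE), ("hijacked", HIJACKED_ZONE)):
        for fn in (resolve_type_major, resolve_name_major):
            answer, sent, timeouts = fn(zone, "samosa.debian.org")
            print(f"{label:8} {fn.__name__:19} -> {answer}  "
                  f"({len(sent)} queries, {timeouts} timeouts)")
```

Running it shows both effects the report describes: against the hijacked zone the type-major order returns the attacker's AAAA record on the second query without ever asking for the real A record, and against the clean zone it sends six queries and waits out two timeouts on the firewalled subdomains before the A lookup succeeds, whereas the per-name order reaches the real A record on the second query in both cases.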
