Bug#550428: getaddrinfo: AI_CANNONAME should not do PTR lookups

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#550428: getaddrinfo: AI_CANNONAME should not do PTR lookups
From: Alan Curry <pacman@kosh.dhis.org>
Date: Fri, 09 Oct 2009 19:22:28 -0500
Message-id: <[🔎] 20091010002228.21344.12290.reportbug@kosh.dhis.org>
Reply-to: Alan Curry <pacman@kosh.dhis.org>, 550428@bugs.debian.org

Package: libc6
Version: 2.7-18
Severity: normal


I'm reporting essentially a duplicate of this old bug:
  http://sources.redhat.com/bugzilla/show_bug.cgi?id=304

That bug is marked "resolved" but it clearly isn't resolved, since
getaddrinfo() still has a __gethostbyaddr_r() call in it (see
sysdeps/posix/getaddrinfo.c). This bug isn't resolved until that code is
dead! As far as I can tell, that code is still present in the newest glibc
and eglibc too.

Here's a little demonstration, with actual DNS records that exist today:

mail.gnu.org.		300	IN	A	199.232.76.166
166.76.232.199.in-addr.arpa. 23360 IN	CNAME	rev-c76-166.gnu.org.
rev-c76-166.gnu.org.	300	IN	PTR	mail.gnu.org.
rev-c76-166.gnu.org.	300	IN	PTR	mx10.gnu.org.
mx10.gnu.org.		300	IN	A	199.232.76.166

mail.gnu.org does not have a CNAME record. If you ask for the canonical name
of mail.gnu.org, the correct answer is mail.gnu.org. But glibc does a reverse
lookup, picks one of the PTRs at not-quite-random, and half the time you get
mx10.gnu.org instead:

$ cat canon.c
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>

int main(void)
{
  struct addrinfo *res, hints={.ai_family=AF_INET, .ai_flags=AI_CANONNAME};
  int err;

  puts((err=getaddrinfo("mail.gnu.org", NULL, &hints, &res)) ?
       gai_strerror(err) : res->ai_canonname);
  return err;
}
$ cc canon.c -o canon
$ ./canon
mx10.gnu.org
$ ./canon
mail.gnu.org
$ ./canon
mx10.gnu.org

Neither mx10.gnu.org nor mail.gnu.org is the canonical name of the other. No
such relationship exists between those 2 names, and no such relationship can
ever be implied by any PTR records. glibc's behavior is completely bogus.

I believe a correct fix would be to reduce that entire block containing the
__gethostbyaddr_r() call to just these 2 lines:
  if (canon == NULL)
    canon = orig_name;

But there's a sign that may not be enough. Each time I run the demo program
above, it generates the bogus PTR query twice. I wonder if removing the
__gethostbyaddr_r will take care of both of them, or if there's a similar bug
in the nss_dns module.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.31.2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libgcc1                      1:4.3.2-1.1 GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  glibc-doc                     2.7-18     GNU C Library: Documentation
pn  locales                       <none>     (no description available)

-- debconf information:
* glibc/upgrade: true
  glibc/restart-failed:
* glibc/restart-services: rsync openbsd-inetd lpd cron atd

Reply to:

Prev by Date: Bug#548842: Apt alignment trap.
Next by Date: Bug#550428: 133668 looks similar
Previous by thread: Processed: Re: Apt alignment trap.
Next by thread: Bug#550428: 133668 looks similar
Index(es):
- Date
- Thread