Bug#798515: libc6: getaddrinfo returns garbage when nscd is running
control: fixed -1 2.21-0experimental1
control: severity -1 important
On 2015-09-10 09:23, Remy Oudompheng wrote:
> Package: libc6
> Version: 2.19-18+deb8u1
> Severity: grave
> Tags: upstream
> Justification: renders package unusable

This is clearly an important bug, but I don't think it's a grave one.

> Dear Maintainer,
>
> The glibc package is affected by the following upstream bug:
> https://sourceware.org/bugzilla/show_bug.cgi?id=16743
>
> When nscd is running, getaddrinfo() may return uninitialized data
> leading to corruption/crashes in various programs.
>
> The issue can be reproduced in Python:
>
> $ python
> >>> import socket
> >>> socket.getaddrinfo('localhost', 22, socket.AF_INET, 0, 0, socket.AI_CANONNAME)
> [(2, 1, 6, 'localhost', ('127.0.0.1', 22)), (2, 2, 17, '', ('127.0.0.1', 22)), (2, 3, 0, '', ('127.0.0.1', 22)), (65535, 1, 6, '', (65535, '\x00\x16\x00\x90\xdf\xb6\x00\x00\x00\x00\x00\x00\x00\x00')), (65535, 2, 17, '', (65535, '\x00\x16\x00\x90\xdf\xb6\x00\x00\x00\x00\x00\x00\x00\x00')), (65535, 3, 0, '', (65535, '\x00\x16\x00\x90\xdf\xb6\x00\x00\x00\x00\x00\x00\x00\x00'))]
>
> or with an equivalent program in C:
>
> #include <string.h>
> #include <stdio.h>
> #include <sys/socket.h>
> #include <netdb.h>
>
> int main(int argc, char **argv) {
>     int err;
>     struct addrinfo hints, *result, *p;
>
>     /* Request IPv4 results with the canonical name filled in. */
>     memset(&hints, 0, sizeof(struct addrinfo));
>     hints.ai_family = AF_INET;
>     hints.ai_flags = AI_CANONNAME;
>     err = getaddrinfo("localhost", "22", &hints, &result);
>     if (err)
>         return err;
>
>     /* Every entry should print family=2 (AF_INET). */
>     for (p = result; p; p = p->ai_next)
>         printf("family=%d\n", p->ai_family);
>
>     return 0;
> }
>
> $ ./a.out
> family=2
> family=2
> family=2
> family=33956
> family=33956
> family=33956
>
> A patch has already been delivered upstream:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a071766ebfd853179ac39f9773f894029bf86d36

The bug is fixed in the experimental branch. For jessie, we'll try to
include it for the next stable release.

Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
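
A defensive check for the symptom reported above, as an added example that is not part of the original thread: it walks a getaddrinfo() result list requested with AF_INET and counts entries whose family or address length is inconsistent with the request. The function names are hypothetical, and the constructed sample reuses the family value 33956 from the reporter's output.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* 1 if a result entry is consistent with an AF_INET request, else 0. */
static int entry_is_sane(const struct addrinfo *ai)
{
    if (ai->ai_family != AF_INET || ai->ai_addr == NULL)
        return 0;
    return ai->ai_addrlen == sizeof(struct sockaddr_in)
        && ai->ai_addr->sa_family == AF_INET;
}

/* Number of entries in a getaddrinfo() list that fail the check. */
int count_bad_entries(const struct addrinfo *list)
{
    int bad = 0;
    for (const struct addrinfo *p = list; p; p = p->ai_next)
        bad += !entry_is_sane(p);
    return bad;
}

/* Constructed sample: a valid entry followed by one carrying family=33956. */
int check_constructed_sample(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET };
    struct addrinfo junk = { .ai_family = 33956, .ai_addrlen = sizeof sin,
                             .ai_addr = (struct sockaddr *)&sin };
    struct addrinfo good = junk;
    good.ai_family = AF_INET;
    good.ai_next = &junk;
    return count_bad_entries(&good);
}

int main(void)
{
    struct addrinfo hints = { .ai_family = AF_INET, .ai_flags = AI_CANONNAME };
    struct addrinfo *result;
    int err = getaddrinfo("localhost", "22", &hints, &result);
    if (err) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(err));
        return 2;
    }
    int bad = count_bad_entries(result);
    printf("%d inconsistent entries\n", bad);
    freeaddrinfo(result);
    return bad ? 1 : 0;
}
```

A non-zero exit status from the program means at least one returned entry did not match the requested address family.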