Bug 477 - segmentation fault in unbound-anchor when edns responses are blocked
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.4.18
Hardware: i386 Linux
Importance: P5 normal
Assigned To: unbound team
Reported: 2012-10-30 16:00 CET by Richard Wall
Modified: 2012-10-30 17:02 CET (History)
Description Richard Wall 2012-10-30 16:00:44 CET
We get a segmentation fault in unbound-anchor when EDNS responses are
blocked (e.g. by a misconfigured upstream firewall)

* Backtrace

  {{{
  (ubuntu-11.04-i386)richard@largo:~/tmp/packwork$ gdb --batch --eval-command 'backtrace' usr/sbin/unbound-anchor core.unbound-anchor.9928
  [New Thread 9928]

  warning: Can't read pathname for load map: Input/output error.
  Core was generated by `usr/sbin/unbound-anchor -v -F -a rootkey'.
  Program terminated with signal 11, Segmentation fault.
  #0  0x0804d81e in resolve_host_ip (ctx=0x89ca118, host=0x8073da5 "data.iana.org", port=443, tp=1, head=0xffa3aa2c, cl=1) at smallapp/unbound-anchor.c:543
  543		for(i = 0; res->data[i]; i++) {
  #0  0x0804d81e in resolve_host_ip (ctx=0x89ca118, host=0x8073da5 "data.iana.org", port=443, tp=1, head=0xffa3aa2c, cl=1) at smallapp/unbound-anchor.c:543
  #1  0x0804ef66 in resolve_name (argc=<value optimized out>, argv=<value optimized out>) at smallapp/unbound-anchor.c:623
  #2  do_certupdate (argc=<value optimized out>, argv=<value optimized out>) at smallapp/unbound-anchor.c:1767
  #3  do_root_update_work (argc=<value optimized out>, argv=<value optimized out>) at smallapp/unbound-anchor.c:2070
  #4  main (argc=<value optimized out>, argv=<value optimized out>) at smallapp/unbound-anchor.c:2162
  }}}

* Environment
  Unbound:
  * unbound-1.4.18
  * ldns-1.6.13

  Environment:
  * ubuntu-11.04-i386 (chroot)
  * Linux Kernel 3.2.0-32-generic

  But the problem also occurs in the field on a fairly standard
  Slackware i386 system.


* To recreate the problem:

  1. Drop udp packets whose length is 512 to 4096

     sudo iptables -I INPUT -p udp -m length --length 512:4096 -j DROP

  2. Verify that edns is dropped

     $ dig dig com. SOA @a.gtld-servers.net. +norecurse +dnssec +bufsize=1024 +ignore +short
     ;; connection timed out; no servers could be reached

     $ dig dig com. SOA @a.gtld-servers.net. +norecurse +dnssec +bufsize=512 +ignore +short
     a.gtld-servers.net. nstld.verisign-grs.com. 1351609070 1800 900 604800 86400
     SOA 8 1 900 20121106155750 20121030134750 34367 com. qUfjy4z4QrTxEMbA6rCsCzplqg0KvqB3UqbXhbpGdeakuIdRlxNcNgxQ bfW1IOAmjiNtY7yli3ii+E/o4cfzRw6KwrJQaL2BENpmhuvMMKLv4KjM hB1VbB87ZAu1tqyYydHZKgJssU63a1rOubvRovZCldzcrAD4tmVj6QU7 4Qk=

  3. Run unbound-anchor

     (ubuntu-11.04-i386)richard@largo:~/tmp/packwork$ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/home/richard/tmp/packwork/usr/lib" usr/sbin/unbound-anchor -v -F -a rootkey
     rootkey has content
     debug cert update forced
     /var/chroot/recursive/etc/unbound/icannbundle.pem: No such file or directory
     using builtin certificate
     have 1 trusted certificates
     Segmentation fault (core dumped)
Comment 1 Richard Wall 2012-10-30 16:02:59 CET
Couldn't find version 1.4.18 in the bugzilla dropdown list.

I can upload the corefile and our executable if it helps.
Comment 2 Wouter Wijngaards 2012-10-30 16:14:11 CET
Hi,

Fixed the version number in the bug desc.

The patch is below.  I have also fixed it for the upcoming release.

Thank you for reporting the bug (with a stacktrace too!) :-)

Best regards,
   Wouter

Index: smallapp/unbound-anchor.c
===================================================================
--- smallapp/unbound-anchor.c	(revision 2777)
+++ smallapp/unbound-anchor.c	(working copy)
@@ -540,6 +540,11 @@
 		ub_ctx_delete(ctx);
 		exit(0);
 	}
+	if(!res->havedata || res->rcode || !res->data) {
+		if(verb) printf("resolve %s %s: no result\n", host,
+			(tp==LDNS_RR_TYPE_A)?"A":"AAAA");
+		return;
+	}
 	for(i = 0; res->data[i]; i++) {
 		struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
 			port);
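
Review bot: the new early return in the "no result" branch leaves the function without releasing res. If the result is freed after the loop (that part is outside this hunk), add ub_resolve_free(res) before the return so the no-data path does not leak it. The one "no result" message also covers three different conditions (nonzero rcode, havedata unset, NULL data pointer); including res->rcode in the verbose printf would let an operator tell a failed lookup from an empty answer.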
Comment 3 Richard Wall 2012-10-30 17:02:15 CET
Thanks Wouter.

That was very quick! The patch works for me. :)

{{{
(ubuntu-11.04-i386)richard@largo:~/tmp/packwork/unbound-1.4.18$ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/home/richard/tmp/packwork/unbound-1.4.18/.libs" ./unbound-anchor -v -F -a rootkey
rootkey does not exist
debug cert update forced
/var/chroot/recursive/etc/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
resolve data.iana.org A: no result
resolve data.iana.org AAAA: no result
data.iana.org has no IP addresses I can use
}}}

Do you think it would be better to distinguish between "no result" and "no response" ?

"no result" could imply that the query was answered but that the domain name has no associated A or AAAA records.

Just a thought.

-RichardW.
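
The distinction raised in Comment 3, sketched as an added example (not code from unbound or from either commenter): classify the result before iterating over its data array, so a failed lookup, a missing name and an empty answer are reported separately and none of them dereferences a NULL pointer. The `lookup_result` struct is a hypothetical stand-in with the field names the patch tests; treating any rcode other than 0 or 3 as "no response" is an assumption, and the sample results are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the resolver result: only the fields the patch
 * tests. It is not libunbound's struct ub_result. */
struct lookup_result {
	int havedata;  /* nonzero when the answer carries records */
	int rcode;     /* DNS rcode: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN */
	char **data;   /* NULL-terminated record array; may be NULL on failure */
	int *len;      /* length of each data[i] */
};

enum lookup_status { LOOKUP_OK, LOOKUP_EMPTY, LOOKUP_NXDOMAIN, LOOKUP_FAILED };

/* Constructed samples: one A record (192.0.2.1), a failed lookup, an empty answer. */
static char *sample_rr[] = { "\xc0\x00\x02\x01", NULL };
static int sample_len[] = { 4, 0 };
static char *empty_rr[] = { NULL };
static const struct lookup_result SAMPLE_OK = { 1, 0, sample_rr, sample_len };
static const struct lookup_result SAMPLE_BLOCKED = { 0, 2, NULL, NULL };
static const struct lookup_result SAMPLE_NODATA = { 0, 0, empty_rr, sample_len };

/* Classify before touching data[], the check missing at the crashing loop. */
enum lookup_status classify_result(const struct lookup_result *res)
{
	if (res == NULL) return LOOKUP_FAILED;
	if (res->rcode == 3) return LOOKUP_NXDOMAIN;
	if (res->rcode != 0) return LOOKUP_FAILED; /* assumption: e.g. SERVFAIL */
	if (!res->havedata || res->data == NULL || res->data[0] == NULL)
		return LOOKUP_EMPTY;
	return LOOKUP_OK;
}

/* Count usable records; every non-OK status yields 0 instead of a NULL deref. */
size_t count_records(const struct lookup_result *res)
{
	size_t n = 0;
	if (classify_result(res) != LOOKUP_OK) return 0;
	while (res->data[n] != NULL) n++;
	return n;
}

int main(void)
{
	static const char *text[] = { "ok", "no records", "no such name", "no response" };
	const struct lookup_result *all[] = { &SAMPLE_OK, &SAMPLE_BLOCKED, &SAMPLE_NODATA };
	for (size_t i = 0; i < 3; i++)
		printf("%s (%zu records)\n", text[classify_result(all[i])], count_records(all[i]));
	return 0;
}
```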