Service for getaddrinfo#257
Service for getaddrinfo#257bradh352 merged 13 commits intoc-ares:masterfrom ki11roy:service_for_getaddrinfo
Conversation
|
Before I do a full review on this, can you go ahead and clean up the legacy code? Think you referred to ares_parse_a/aaaa_reply, probably those just need to be made into wrappers right? |
|
@bradh352 sure |
|
I have tried and there is a problem. I need to add aliases to ares_addrinfo to completely replace the functions, but it seems too much, because there are already two extra fields ai_ttl and ai_cname_ttl (and ai_cname itself). So there are two separate parts which badly fit into the same struct. |
|
Again, I wouldn't worry about standards conformance since we're already making modifications to the struct and it is namespaced. And memory these days is cheap, especially what we're talking about here. I also think its probably silly for getaddrinfo to return technically less information than gethostbyname in any area at all. My vote would be to make the ai_canonname an array structure holding the name and ttl ` struct ares_addrinfo { |
|
I need to fix the tests and wrap the functions, finally. |
|
Hmm, I'd think the cname + ttl struct would be an array since the recursive DNS server being queried could return multiple CNAMEs which are the aliases. I'm not sure why you have a char **aliases at all. We might as well save the ttl for each if we're already saving the cname for each. |
| char *ai_canonname; | ||
| struct sockaddr *ai_addr; | ||
| struct ares_addrinfo *ai_next; | ||
| struct ares_addrinfo_cname cname; |
There was a problem hiding this comment.
make this an array, also need a length member for the array length. Or for consistency, I guess it could be a NULL-term linked list.
| struct sockaddr *ai_addr; | ||
| struct ares_addrinfo *ai_next; | ||
| struct ares_addrinfo_cname cname; | ||
| char **aliases; |
| /* Take the min of the TTLs we see in the CNAME chain. */ | ||
| if (ai->cname.ttl > rr_ttl) | ||
| ai->cname.ttl = rr_ttl; | ||
|
|
There was a problem hiding this comment.
no reason to record a minimum, instead record the ttl associated with the cname entry in the array
| if (ai->cname.ttl > rr_ttl) | ||
| ai->cname.ttl = rr_ttl; | ||
|
|
||
| ares_free(ai->cname.name); |
There was a problem hiding this comment.
No need to free prior cname, should be a new array entry
|
Got your point, but for the aliases I need them to populate hostent structure in ares_parse_a_reply. I see no similar structure in regular addrinfo and it is not CNAME itself, but a label of CNAME as per RFC2181 section 10.1.1. So I wanted to have labels as aliases and one value (multiple values as you suggested) as CNAME (that part is unfinished). |
|
Fixed the tests and replaced ares_parse_a/aaaa_reply with ares__parse_into_addrinfo. It is private, but considering #238 and #259 I think it is would be better to make it public? There are some new structures, like: I need the structure to populate hostent as it wants both aliases and canonical name in ares_parse_a/aaaa_record. |
|
I'm inclined to merge this and deal with any tweaks or fallout later. It looks pretty good and provides a very nice implementation with more features (mainly ttls) than a native getaddrinfo which is nice. @bagder any problems with this? |
|
Looks like there's a Windows build failure with this (AppVeyor): |
|
Also, I'm getting some OSS-Fuzz failure reports from this, in a couple of variants:
|
|
@daviddrysdale thanks! i'll check it. |
Looks like EnvValue is conditionalized against Windows for some reason. I've removed that condition and fixed the build. |
#262 should fix this one |
Suspect problems were introduced by 7d3591e ("getaddrinfo enhancements (c-ares#257)"), and revolve around: - ares_parse_a_reply.c:160 : WRITE stack buffer overflow - ares_parse_aaaa_reply.c:156 : READ heap buffer overflow. Reproduce by building with ASAN enabled and running (e.g.): ./test/aresfuzz ./test/fuzzinput/clusterfuzz-5650695891451904
Suspect problems were introduced by 7d3591e ("getaddrinfo enhancements (c-ares#257)"), and revolve around: - ares_parse_a_reply.c:160 : WRITE stack buffer overflow - ares_parse_aaaa_reply.c:156 : READ heap buffer overflow. Reproduce by building with ASAN enabled and running (e.g.): ./test/aresfuzz ./test/fuzzinput/clusterfuzz-5650695891451904
Suspect problems were introduced by 7d3591e ("getaddrinfo enhancements (c-ares#257)"), and revolve around: - ares_parse_a_reply.c:160 : WRITE stack buffer overflow - ares_parse_aaaa_reply.c:156 : READ heap buffer overflow. Reproduce by building with ASAN enabled and running (e.g.): ./test/aresfuzz ./test/fuzzinput/clusterfuzz-5650695891451904
Suspect problems were introduced by 7d3591e ("getaddrinfo enhancements (c-ares#257)"), and include: - ares_parse_a_reply.c:170 : WRITE stack buffer overflow - ares_parse_aaaa_reply.c:170,172 : WRITE stack buffer overflow - ares_parse_a_reply:149 : leak - ares_parse_aaaa_reply.c:151 : leak Reproduce by building with ASAN enabled and running (e.g.): ./test/aresfuzz ./test/fuzzinput/clusterfuzz-5650695891451904
Suspect problems were introduced by 7d3591e ("getaddrinfo enhancements (c-ares#257)"), and include: - ares_parse_a_reply.c:170 : WRITE stack buffer overflow - ares_parse_aaaa_reply.c:170,172 : WRITE stack buffer overflow - ares_parse_a_reply:149 : leak - ares_parse_aaaa_reply.c:151 : leak Reproduce by building with ASAN enabled and running (e.g.): ./test/aresfuzz ./test/fuzzinput/clusterfuzz-5650695891451904
|
Adding "Service for ares_getaddrinfo" also changed the order search domains for T_A and T_AAAA requests are tried (If I'm not wrong). Before: Now: This slows down the entire lookup. In comparison to this, glibc uses parallel searches with the intention of not slowing down. |
|
@ChristianAmmer I agree that queries for ipv4 & ipv6 should be done in parallel |
|
As far as I remember the initial purpose of that code was to fixing the incorrect behavior, which was done in mostly invasive way. So I just fixed it the other way. Everything above this is an optimization. I do agree with the statement about the parallel queries, but in my opinion the first step is fixing the code (its done) and the second is implementing the optimization. I will think on how to return it in the most painless way. |
* Service support has been added to getaddrinfo. * ares_parse_a/aaaa_record now share code with the addrinfo parser. * Private ares_addrinfo structure with useful extensions such as ttls (including cname ttls), as well as the ability to list multiple cnames in chain of lookups Work By: Andrew Selivanov @ki11roy
* Service support has been added to getaddrinfo. * ares_parse_a/aaaa_record now share code with the addrinfo parser. * Private ares_addrinfo structure with useful extensions such as ttls (including cname ttls), as well as the ability to list multiple cnames in chain of lookups Work By: Andrew Selivanov @ki11roy
If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR #257 Fixes: #371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352)
Original commit message: If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR c-ares/c-ares#257 Fixes: c-ares/c-ares#371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352) Refs: https://github.com/nodejs/node/issues/36063 Signed-off-by: Michael Dawson <[email protected]> CVE-ID: CVE-2020-8277 PR-URL: nodejs-private/node-private#231 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR c-ares#257 Fixes: c-ares#371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352)
Original commit message: If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR c-ares/c-ares#257 Fixes: c-ares/c-ares#371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352) Refs: https://github.com/nodejs/node/issues/36063 Signed-off-by: Michael Dawson <[email protected]> CVE-ID: CVE-2020-8277 PR-URL: nodejs-private/node-private#231 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
Original commit message: If there are more ttls returned than the maximum provided by the requestor, then the *naddrttls response would be larger than the actual number of elements in the addrttls array. This bug could lead to invalid memory accesses in applications using c-ares. This behavior appeared to break with PR c-ares/c-ares#257 Fixes: c-ares/c-ares#371 Reported By: Momtchil Momtchev (@mmomtchev) Fix By: Brad House (@bradh352) Refs: https://github.com/nodejs/node/issues/36063 Signed-off-by: Michael Dawson <[email protected]> CVE-ID: CVE-2020-8277 PR-URL: nodejs-private/node-private#231 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
5 participants
This branch is a development of #232.
Some major changes are support of search domains and combining of ares_parse_a/aaaa_reply into ares__parse_into_addrinfo, though I haven't touched the original functions yet.
I had to introduce additional flag ARES_AI_NOSORT to disable connecting to mock addresses while sorting. My first idea was to use ares_socket_functions, but there is no "getsockname" mock, so flag seems a better variant.
Struct ares_addrinfo extended to keep ai_ttl and ai_cname_ttl.
The latest ares_getaddrinfo fixes are not actual anymore, because the code is removed.