RE: [ID 20010630.004] Segfault on gethostbyaddr call which returns multiple PTR records

Nicholas,

It looks like it's definitely the resolver library that's crashing-
the "ns_name_unpack" code should protect itself against garbage.

Here's an mdb stack trace on Solaris 8 / Perl 5.6.0:

mdb /usr/local/bin/perl5.6.0 core
Loading modules: [ ]
> $c
libresolv.so.2`__ns_name_unpack+0x28(ffbecb84, 560e, ffbf05bc, ffbec528, ff,
0)
libresolv.so.2`__ns_name_uncompress+0x14(ffbecb84, ffbf2192, ffbf05bc,
101bdc,
1d5c, e)
libresolv.so.2`dn_expand+0x14(ffbecb84, ffbf2192, ffbf05bc, 101bdc, 1d5c,
2e)
libresolv.so.2`gethostans+0x218(ffbecf84, 2f0, 10181c, 29, 101808, ffbf2192)
libresolv.so.2`ho_byaddr+0x1dc(ebca0, 4, 0, 2, ff0b2000, f21d8)
libresolv.so.2`ho_byaddr+0x48(ebce0, ffffffff, 4, 2, f0374, 4)
libresolv.so.2`res_gethostbyaddr+0xf8(ebce0, 4, 2, 2, 4, f21d8)
nss_dns.so.1`_gethostbyaddr+0x20(ffbed760, f21d8, 4, 2, ffbed760, ff0d4000)
nss_dns.so.1`__nss_dns_getbyaddr+0x118(f23b8, ffbed760, ff0d4000, f5334,
ffbed738, 0)
libc.so.1`nss_search+0x1cc(1, ff23af4c, ff23f54c, ff0c10a4, f5268, f23b8)
libnsl.so.1`_switch_gethostbyaddr_r+0x4c(f21d8, 4, 2, fc814, fc828, 920)
libnsl.so.1`_door_gethostbyaddr_r+0xec(e81d8, ffbed7cc, 2, fc814, fc828,
920)
libnsl.so.1`_get_hostserv_inetnetdir_byaddr+0x1e8(7f000001, ffbef8c0, 0,
ff31ae30, ffbef8c8, ff320b8c)
libnsl.so.1`gethostbyaddr_r+0x9c(e81d8, f5e00, 2, fc814, fc828, 920)
libnsl.so.1`gethostbyaddr+0x8c(ff322f34, e81d8, 0, 0, 4, f21d8)
Perl_pp_ghostent+0x114(0, 0, 0, 0, 0, 0)
Perl_pp_ghbyaddr+4(aa2e8, e8800, e90d6, 0, 0, 1)
Perl_runops_standard+0x10(e8400, f4408, fb0f8, ffbefd10, c3698, 0)
S_run_body+0x130(1, e7c00, e7c00, e984c, 0, e828d)
perl_run+0x8c(0, 212b4, 2, ffbefcac, 0, 0)
main+0x78(0, ffbefcac, ffbefcb8, e7cfc, 0, 0)
_start+0x5c(0, 0, 0, 0, 0, 0)
>

I guess I will pursue this with Sun.... you can close this bug.

Thanks!

   - Bob


-----Original Message-----
From: Nicholas Clark [mailto:nick@ccl4.org]
Sent: Saturday, June 30, 2001 6:24 PM
To: Nicholas Clark
Cc: Bob Fillmore; perl5-porters@perl.org; perlbug@rfi.net
Subject: Re: [ID 20010630.004] Segfault on gethostbyaddr call which
returns multiple PTR records


On Sat, Jun 30, 2001 at 06:12:26PM +0100, Nicholas Clark wrote:
> On Sat, Jun 30, 2001 at 11:14:06AM -0400, Bob Fillmore wrote:
> > 
> > This is a bug report for perl from fillmore@nrn1.nrcan.gc.ca,
> > generated with the help of perlbug 1.28 running under perl v5.6.0.
> > 
> > 
> > -----------------------------------------------------------------
> > [Please enter your report here]
> > 
> > The following code generates a segfault on Solaris 2.6 and Solaris 8:
> > 
> >    $addr = pack('C4', split(/\./,'195.226.128.9'));
> >    $addrtype = 2;
> >    ($name, $rest) = gethostbyaddr($addr, $addrtype);
> 
> FreeBSD on bleadperl goes Bus error (core dumped)
> nd in gdb I get
> 
> (gdb) where
> #0  0x8100e1c in __ns_name_unpack ()
> #1  0x8101081 in __ns_name_uncompress ()
> #2  0x80fb9b1 in __dn_expand ()
> #3  0x80fc7db in irs_dns_ho ()
> #4  0x80fc52b in irs_dns_ho ()
> #5  0x80f4b60 in irs_gen_ho ()
> #6  0x80f0ea7 in gethostbyaddr ()
> #7  0x80ce095 in Perl_pp_ghostent ()
> #8  0x80cdf9f in Perl_pp_ghbyaddr ()
> #9  0x809c3f4 in Perl_runops_standard ()
> #10 0x805fb58 in S_run_body ()
> #11 0x805f898 in perl_run ()
> #12 0x805d3fd in main ()
> #13 0x805d2ed in _start ()
> 
> 
> 5.00502 and 5.6.0 pass, 5.6.1 also goes bus error on bleadperl as far back
as
> 8102 (which is the earliest I can find.

Forgot to ask - are you able to run a debugger and get a stack backtrace on
Solaris? It's quite possible that nslookup on Solaris links against
different
libraries or is using different code.

I think I know why 5.6.1 on this machine SIGBUSes, 5.6.0 doesn't:

$ ldd /usr/local/bin/perl5.6.0
/usr/local/bin/perl5.6.0:
        libm.so.2 => /usr/lib/libm.so.2 (0x280f8000)
        libc.so.3 => /usr/lib/libc.so.3 (0x28113000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28195000)
$ ldd /usr/local/bin/perl5.6.1
/usr/local/bin/perl5.6.1:
        libm.so.2 => /usr/lib/libm.so.2 (0x28146000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28161000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281f6000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x2820b000)

Different libc, plus libutil.so, although I don't know what that is.

I suspect that your SEGV on Solaris is actually an OS bug but can't really
prove/disprove this without a backtrace on Solaris.

Something certainly *is* broken with the DNS at the far end, as host here
gives:

host 195.226.128.9
9.128.226.195.IN-ADDR.ARPA domain name pointer www.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer cccars.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer advantage.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer bsi.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer sarkcomputers.sark.net
9.128.226.195.IN-ADDR.ARPA domain name pointer chamberpo.com
9.128.226.195.IN-ADDR.ARPA domain name pointer scatreasury.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer c-photo.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer evans-co.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer swimarathon.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer herring.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer antiquefind.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer gyc.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer ms-consulting.com
9.128.226.195.IN-ADDR.ARPA domain name pointer trainingplus.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer harlequin.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer gybobb.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer gdi.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer osa.guernsey.net
9.128.226.195.IN-ADDR.ARPA domain name pointer
9.128.226.195.IN-ADDR.ARPApacket size error (0x0 != 0xbfbff054)


but it seems that the bug is in the system libraries, not perl, which is
unfortunate, as we can't fix those sort of bugs.
[And worse, I can't see how perl can work round this bug, if it is OS]

Nicholas Clark

• RE: [ID 20010630.004] Segfault on gethostbyaddr call which returns multiple PTR records by Fillmore, Bob
• [ID 20010630.004] Segfault on gethostbyaddr call which returnsmultiple PTR records by Bob Fillmore
• Re: [ID 20010630.004] Segfault on gethostbyaddr call which returns multiple PTR records by Nicholas Clark
• Re: [ID 20010630.004] Segfault on gethostbyaddr call which returns multiple PTR records by Nicholas Clark
• Re: [ID 20010630.004] Segfault on gethostbyaddr call which returns multiple PTR records by Nicholas Clark