nslookup: assertion at soa_6.c:302: REQUIRE(rdata->length != 0) failed, back trace
Summary
While running a test with malformed DNS responses, nslookup asserts when trying to print an SOA record. nslookup must be run with -q=CNAME. I didn't manage to get the same reproduced with dig.
BIND version used
Can be reproduced for example on Fedora 31 with:
BIND 9.11.14-RedHat-9.11.14-2.fc31 (Extended Support Version) <id:ea40923>
running on Linux x86_64 5.5.5-200.fc31.x86_64 #1 SMP Wed Feb 19 23:28:07 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 9.2.1 20190827 (Red Hat 9.2.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1d FIPS 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d FIPS 10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Run the reproduce.sh script:
./reproduce.sh nslookup
It sends a malformed packet as the response to the query sent by nslookup; the malformed response is encoded in the reproducer script.
Output of the script on Fedora 31:
$ ./reproduce.sh nslookup
;; Warning: ID mismatch: expected ID 3079, got 51829
dnssuitelocal;; Warning: Message parser reports malformed message packet.
Server: 127.0.0.1
Address: 127.0.0.1#4444
Non-authoritative answer:
dns.suite.local
./../../../lib/dns/rdata/generic/soa_6.c:302: REQUIRE(rdata->length != 0) failed, back trace
#0 0x7fd7a85622da in ??
#1 0x7fd7a8562210 in ??
#2 0x7fd7a87334b2 in ??
#3 0x7fd7a8740187 in ??
#4 0x55af1cffa112 in ??
#5 0x55af1cffb57c in ??
#6 0x55af1cffb739 in ??
#7 0x55af1d00a312 in ??
#8 0x7fd7a8587ebe in ??
#9 0x7fd7a82294e2 in ??
#10 0x7fd7a81586d3 in ??
Ncat: Idle timeout expired (1000 ms). QUITTING.
./reproduce.sh: line 72: 28063 Aborted (core dumped) nslookup -q=CNAME -port=4444 dns.suite.local 127.0.0.1
The script can be run with normal user privileges. With the -d option (requires sudo), tcpdump is run to capture the packets and a gdb backtrace is also collected. This creates reproducer.log and reproducer.pcap:
./reproduce.sh nslookup -d
What is the current bug behavior?
When nslookup parses a malformed response it asserts.
What is the expected correct behavior?
nslookup should quit gracefully when a malformed response is received.
Relevant configuration files
None; this requires only nslookup without any further configuration.
Relevant logs and/or screenshots
#0 0x00007f161850d625 in raise () from /lib64/libc.so.6
#1 0x00007f16184f68d9 in abort () from /lib64/libc.so.6
#2 0x00007f16189dc215 in isc_assertion_failed (file=file@entry=0x7f1618c93b98 "./../../../lib/dns/rdata/generic/soa_6.c", line=line@entry=302, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f1618c917fb "rdata->length != 0") at ../../../lib/isc/assertions.c:52
#3 0x00007f1618bad4b2 in tostruct_soa (rdata=<optimized out>, target=0x7f1617d5e540, mctx=mctx@entry=0x0) at ./../../../lib/dns/rdata/generic/soa_6.c:339
#4 0x00007f1618bba187 in dns_rdata_tostruct (rdata=0x7f1617d5ea70, target=0x7f1617d5e540, mctx=0x0) at ../../../lib/dns/rdata.c:1211
#5 0x000055b42a9c6112 in printsoa (rdata=<optimized out>) at ../../../bin/dig/nslookup.c:185
#6 0x000055b42a9c757c in printsection (msg=0x7f1617d6d1d8, section=1, headers=<optimized out>, query=<optimized out>) at ../../../bin/dig/nslookup.c:296
#7 0x000055b42a9c7739 in printmessage (query=0x7f1617d72018, msg=0x7f1617d6d1d8, headers=<optimized out>) at ../../../bin/dig/nslookup.c:512
#8 0x000055b42a9d6312 in recv_done (task=<optimized out>, event=<optimized out>) at ../../../bin/dig/dighost.c:4255
#9 0x00007f1618a01ebe in dispatch (manager=0x7f1617d66010) at ../../../lib/isc/task.c:1145
#10 run (uap=0x7f1617d66010) at ../../../lib/isc/task.c:1319
#11 0x00007f16186a34e2 in start_thread () from /lib64/libpthread.so.0
#12 0x00007f16185d26d3 in clone () from /lib64/libc.so.6
Log file output of reproducer script:
Captured malformed packet:
Possible fixes
Assert happens at https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/rdata/generic/soa_6.c#L309
With a quick look I couldn't tell what would be the proper way to fix this :(
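As an added example (not BIND's code and not the reporter's reproducer), a length check of the kind that stops a zero-length SOA RDATA before it reaches a type-specific converter such as tostruct_soa; the minimum-length table and the two sample messages are constructed for this illustration:

```c
#include <stddef.h>
#include <stdint.h>
/* Smallest RDATA a type-specific converter may rely on (constructed for this example, not
 * BIND's tables): SOA (6) = two names of at least the 1-byte root label + five 32-bit fields. */
static size_t min_rdlen(unsigned type) { return type == 6 ? 22 : type == 5 ? 1 : 0; }
/* Skip a wire-format name at off; return the offset after it, or 0 if it is malformed. */
static size_t skip_name(const uint8_t *msg, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return off + 1;                                  /* root label ends name */
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* compression pointer */
        if (l > 63) return 0;                                        /* reserved label type */
        off += 1 + l;
    }
    return 0;                                                        /* ran off the message */
}
/* Validate every answer RR's RDLENGTH before any type-specific conversion.
 * Returns the number of acceptable answer RRs, or -1 at the first malformed one. */
int check_answer_rrs(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    unsigned qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {                              /* QNAME + QTYPE + QCLASS */
        if ((off = skip_name(msg, len, off)) == 0 || off + 4 > len) return -1;
        off += 4;
    }
    int ok = 0;
    for (unsigned i = 0; i < an; i++) {                              /* NAME + TYPE,CLASS,TTL,RDLENGTH */
        if ((off = skip_name(msg, len, off)) == 0 || off + 10 > len) return -1;
        unsigned type = (msg[off] << 8) | msg[off + 1];
        size_t rdlen = (size_t)((msg[off + 8] << 8) | msg[off + 9]);
        off += 10;
        if (rdlen > len - off) return -1;                            /* RDATA must fit the message */
        if (rdlen < min_rdlen(type)) return -1;                      /* e.g. the zero-length SOA */
        off += rdlen;
        ok++;
    }
    return ok;
}
/* Constructed responses: ID 0x1234, flags 0x8180, QDCOUNT 1, ANCOUNT 1, question "a." CNAME IN,
 * one SOA answer whose NAME is a pointer to offset 12. */
static const uint8_t good_msg[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x01,'a',0x00, 0x00,0x05, 0x00,0x01,
    0xc0,0x0c, 0x00,0x06, 0x00,0x01, 0x00,0x00,0x00,0x3c, 0x00,0x16,    /* SOA, RDLENGTH 22 */
    0x00, 0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };          /* ". ." + 5 u32 fields */
static const uint8_t bad_msg[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x01,'a',0x00, 0x00,0x05, 0x00,0x01,
    0xc0,0x0c, 0x00,0x06, 0x00,0x01, 0x00,0x00,0x00,0x3c, 0x00,0x00 };  /* SOA, RDLENGTH 0 */
int check_good(void) { return check_answer_rrs(good_msg, sizeof good_msg); } /* returns 1 */
int check_bad(void)  { return check_answer_rrs(bad_msg, sizeof bad_msg); }   /* returns -1 */
```

The same check also rejects RDATA that runs past the end of the message, which is the other way a truncated response can reach a converter.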