ISC Open Source Projects / BIND / Issues / #1652

Closed
Created Mar 02, 2020 by Jan Zizka@ziza

nslookup: assertion at soa_6.c:302: REQUIRE(rdata->length != 0) failed, back trace

Summary

While running a test with malformed DNS responses, nslookup asserts when trying to print an SOA record. nslookup must be run with -q=CNAME. I didn't manage to reproduce the same with dig.

BIND version used

Can be reproduced for example on Fedora 31 with:

BIND 9.11.14-RedHat-9.11.14-2.fc31 (Extended Support Version) <id:ea40923>
running on Linux x86_64 5.5.5-200.fc31.x86_64 #1 SMP Wed Feb 19 23:28:07 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 9.2.1 20190827 (Red Hat 9.2.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1d FIPS  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d FIPS  10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

Run the reproduce.sh script:

./reproduce.sh nslookup

It sends a malformed packet as a response to the query sent by nslookup; the malformed response is encoded in the reproducer script.

Output of the script on Fedora 31:

$ ./reproduce.sh nslookup
;; Warning: ID mismatch: expected ID 3079, got 51829

dnssuitelocal;; Warning: Message parser reports malformed message packet.
Server:		127.0.0.1
Address:	127.0.0.1#4444

Non-authoritative answer:
dns.suite.local
./../../../lib/dns/rdata/generic/soa_6.c:302: REQUIRE(rdata->length != 0) failed, back trace
#0 0x7fd7a85622da in ??
#1 0x7fd7a8562210 in ??
#2 0x7fd7a87334b2 in ??
#3 0x7fd7a8740187 in ??
#4 0x55af1cffa112 in ??
#5 0x55af1cffb57c in ??
#6 0x55af1cffb739 in ??
#7 0x55af1d00a312 in ??
#8 0x7fd7a8587ebe in ??
#9 0x7fd7a82294e2 in ??
#10 0x7fd7a81586d3 in ??
Ncat: Idle timeout expired (1000 ms). QUITTING.
./reproduce.sh: line 72: 28063 Aborted                 (core dumped) nslookup -q=CNAME -port=4444 dns.suite.local 127.0.0.1

The script can be run with normal user privileges. With the -d option (requires sudo), tcpdump is run to capture the packets and a gdb backtrace is also collected. This creates reproducer.log and reproducer.pcap:

./reproduce.sh nslookup -d

What is the current bug behavior?

When nslookup parses a malformed response, it asserts.

What is the expected correct behavior?

nslookup should quit gracefully when a malformed response is received.

Relevant configuration files

None; this requires only nslookup without any further configuration.

Relevant logs and/or screenshots

#0  0x00007f161850d625 in raise () from /lib64/libc.so.6
#1  0x00007f16184f68d9 in abort () from /lib64/libc.so.6
#2  0x00007f16189dc215 in isc_assertion_failed (file=file@entry=0x7f1618c93b98 "./../../../lib/dns/rdata/generic/soa_6.c", line=line@entry=302, 
    type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f1618c917fb "rdata->length != 0") at ../../../lib/isc/assertions.c:52
#3  0x00007f1618bad4b2 in tostruct_soa (rdata=<optimized out>, target=0x7f1617d5e540, mctx=mctx@entry=0x0) at ./../../../lib/dns/rdata/generic/soa_6.c:339
#4  0x00007f1618bba187 in dns_rdata_tostruct (rdata=0x7f1617d5ea70, target=0x7f1617d5e540, mctx=0x0) at ../../../lib/dns/rdata.c:1211
#5  0x000055b42a9c6112 in printsoa (rdata=<optimized out>) at ../../../bin/dig/nslookup.c:185
#6  0x000055b42a9c757c in printsection (msg=0x7f1617d6d1d8, section=1, headers=<optimized out>, query=<optimized out>) at ../../../bin/dig/nslookup.c:296
#7  0x000055b42a9c7739 in printmessage (query=0x7f1617d72018, msg=0x7f1617d6d1d8, headers=<optimized out>) at ../../../bin/dig/nslookup.c:512
#8  0x000055b42a9d6312 in recv_done (task=<optimized out>, event=<optimized out>) at ../../../bin/dig/dighost.c:4255
#9  0x00007f1618a01ebe in dispatch (manager=0x7f1617d66010) at ../../../lib/isc/task.c:1145
#10 run (uap=0x7f1617d66010) at ../../../lib/isc/task.c:1319
#11 0x00007f16186a34e2 in start_thread () from /lib64/libpthread.so.0
#12 0x00007f16185d26d3 in clone () from /lib64/libc.so.6

Log file output of reproducer script:

reproduce.log

Captured malformed packet:

reproduce.pcap

Possible fixes

Assert happens at https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/rdata/generic/soa_6.c#L309

With a quick look I couldn't tell what would be the proper way to fix this :(
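The failing REQUIRE fires because the SOA rdata handed to tostruct_soa has length zero, and the printing path in nslookup trusts the parsed record without checking that first. The following is an added illustration, not BIND's code and not the reporter's reproducer: a minimal answer-section parser that validates RDLENGTH and name bounds up front and turns any wire-format violation into an ordinary error the caller can print before exiting cleanly. The packets GOOD and BAD are constructed inline for the demonstration (the name dns.suite.local and ID 3079 are taken from the log above; the other names and values are made up).

```python
# Added example (not BIND's code): parse a DNS response's answer section and
# decode CNAME and SOA records, rejecting an empty SOA RDATA with a clean
# MalformedMessage error instead of reaching an assertion.
import struct

TYPE_CNAME = 5
TYPE_SOA = 6


class MalformedMessage(Exception):
    """Any wire-format violation; callers report it and continue or exit."""


def _labels(msg, off, depth=0):
    """Collect the labels of a (possibly compressed) name; return (labels, next offset)."""
    if depth > 16:
        raise MalformedMessage("compression pointer loop")
    labels = []
    while True:
        if off >= len(msg):
            raise MalformedMessage("name runs past end of message")
        n = msg[off]
        if n == 0:
            return labels, off + 1
        if (n & 0xC0) == 0xC0:  # RFC 1035 compression pointer
            if off + 1 >= len(msg):
                raise MalformedMessage("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:  # only backward pointers are legal
                raise MalformedMessage("forward compression pointer")
            rest, _ = _labels(msg, ptr, depth + 1)
            return labels + rest, off + 2
        if n > 63 or off + 1 + n > len(msg):
            raise MalformedMessage("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def read_name(msg, off):
    labels, off = _labels(msg, off)
    return ".".join(labels) + ".", off


def _bounded_name(msg, off, end):
    """Read a name that must finish inside the RDATA ending at `end`."""
    name, nxt = read_name(msg, off)
    if nxt > end:
        raise MalformedMessage("name extends past RDATA")
    return name, nxt


def parse_soa(msg, rdstart, rdlength):
    # This is the condition BIND's REQUIRE(rdata->length != 0) enforces,
    # checked here before any field is decoded.
    if rdlength == 0:
        raise MalformedMessage("SOA with zero-length RDATA")
    end = rdstart + rdlength
    mname, off = _bounded_name(msg, rdstart, end)
    rname, off = _bounded_name(msg, off, end)
    if end - off != 20:  # five 32-bit fields must exactly fill the remainder
        raise MalformedMessage("SOA numeric fields truncated or oversized")
    serial, refresh, retry, expire, minimum = struct.unpack_from("!5I", msg, off)
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def parse_response(msg):
    """Return (message id, list of answer RRs); raise MalformedMessage on bad input."""
    if len(msg) < 12:
        raise MalformedMessage("short header")
    ident, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise MalformedMessage("truncated question")
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise MalformedMessage("truncated RR header")
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlength > len(msg):
            raise MalformedMessage("RDATA runs past end of message")
        if rtype == TYPE_CNAME:
            target, _ = _bounded_name(msg, off, off + rdlength)
            answers.append(("CNAME", owner, target))
        elif rtype == TYPE_SOA:
            answers.append(("SOA", owner, parse_soa(msg, off, rdlength)))
        else:
            answers.append((rtype, owner, msg[off:off + rdlength]))
        off += rdlength
    return ident, answers


def describe(msg):
    """nslookup-style output: print what parsed, report the error, never abort."""
    try:
        ident, answers = parse_response(msg)
    except MalformedMessage as exc:
        return f"malformed message: {exc}"
    lines = [f"id {ident}"]
    for rr in answers:
        if rr[0] == "CNAME":
            lines.append(f"{rr[1]} canonical name = {rr[2]}")
        elif rr[0] == "SOA":
            s = rr[2]
            lines.append(f"{rr[1]} origin = {s['mname']} mail addr = {s['rname']} serial = {s['serial']}")
        else:
            lines.append(f"{rr[1]} type {rr[0]} ({len(rr[2])} bytes)")
    return "\n".join(lines)


# --- constructed sample packets (not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata


_HDR = struct.pack("!6H", 3079, 0x8180, 1, 2, 0, 0)
_QUESTION = _name("dns.suite.local") + b"\x00\x05\x00\x01"  # QTYPE CNAME, IN
_OWNER = b"\xc0\x0c"  # pointer back to the question name at offset 12
_CNAME_RR = _rr(_OWNER, TYPE_CNAME, _name("alias.suite.local"))
_SOA_RDATA = (_name("ns1.suite.local") + _name("hostmaster.suite.local")
              + struct.pack("!5I", 2020030201, 3600, 600, 86400, 300))
GOOD = _HDR + _QUESTION + _CNAME_RR + _rr(_OWNER, TYPE_SOA, _SOA_RDATA)
BAD = _HDR + _QUESTION + _CNAME_RR + _rr(_OWNER, TYPE_SOA, b"")  # empty SOA

if __name__ == "__main__":
    print(describe(GOOD))
    print(describe(BAD))
```

Run as a script, the well-formed packet prints both records while the second packet yields a single "malformed message: SOA with zero-length RDATA" line and the process exits normally, which is the behaviour the report asks nslookup to have. The same shape of check (validate rdlength and every name's end offset against the RDATA boundary before decoding fields) is what a fix in the printing path would need to guarantee before handing the rdata to the per-type tostruct routine.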
