  • #1956

Closed
Open
Created Jun 19, 2020 by nan@wang🚴🏽

9.16.3 segmentation fault

Summary

BIND-9.16.3 terminated with signal 11, Segmentation fault.

BIND version used

BIND 9.16.3-RedHat-9.16.3-20200604153203.alios6 (Stable Release) <id:5ea41c1>
running on Linux x86_64 2.6.32-220.23.2.ali878.el6.x86_64 #1 SMP Mon Jan 28 17:12:52 CST 2013
built by make with '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-epoll' '--with-tuning=large' '--with-pic' '--with-python=/home/tops/bin/python2.7' '--with-python-install-dir=/home/tops' '--disable-geoip' '--enable-auto-validation=no' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--disable-shared' 'LIBUV_CFLAGS=-I/home/admin/145_20200603144849066_144601007_code/rpm_workspace/rpm/.dep_create/include' 'LIBUV_LIBS=-L/home/admin/145_20200603144849066_144601007_code/rpm_workspace/rpm/.dep_create/lib -luv -lrt -lpthread -lnsl -ldl' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 4.4.6 20110731 (Red Hat 4.4.6-3)
compiled with OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
compiled with zlib version: 1.2.3
linked to zlib version: 1.2.3
threads support is enabled

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock

Steps to reproduce

Not sure, some TCP flows cause the issue.

What is the current bug behavior?

BIND crashes.

What is the expected correct behavior?

Not crash.

Relevant configuration files

(Paste any relevant configuration files - please use code blocks (```) to format console output. If submitting the contents of your configuration file in a non-confidential Issue, it is advisable to obscure key secrets: this can be done automatically by using named-checkconf -px.)

Relevant logs and/or screenshots

Core was generated by `/usr/sbin/named -u named -t /var/named/chroot'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000655f9d in isc__nm_tcpdns_send ()
Missing separate debuginfos, use: debuginfo-install bind911-9.16.3-20200604153203.alios6.x86_64
(gdb) bt
#0  0x0000000000655f9d in isc__nm_tcpdns_send ()
#1  0x00000000004788be in client_sendpkg ()
#2  0x000000000047a26d in ns_client_send ()
#3  0x000000000047a5cf in ns_client_error ()
#4  0x000000000048a0b1 in query_error ()
#5  0x000000000049286f in ns_query_done ()
#6  0x000000000049082b in query_gotanswer ()
#7  0x000000000049783d in fetch_callback ()
#8  0x0000000000662f81 in run ()
#9  0x00007f115cad4aa1 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f115c40493d in clone () from /lib64/libc.so.6

Possible fixes

t->region = (isc_region_t){ .base = isc_mem_get(t->mctx,
							region->length + 2),
				    .length = region->length + 2 };

*(uint16_t *)t->region.base = htons(region->length);
memmove(t->region.base + 2, region->base, region->length);

I guess t->region needs overflow check?

Edited Jun 19, 2020 by Mark Andrews
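
The framing step quoted under "Possible fixes" (a 2-byte big-endian length followed by the DNS message), written stand-alone with explicit input and length checks. This is an added example, not BIND's code and not a diagnosis of the crash above: `region_t`, `tcpdns_frame` and the `FRAME_*` codes are hypothetical names, and `malloc` stands in for `isc_mem_get`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for isc_region_t: a pointer plus a byte count. */
typedef struct {
    unsigned char *base;
    unsigned int length;
} region_t;

enum frame_result { FRAME_OK = 0, FRAME_BAD_INPUT, FRAME_TOO_LONG, FRAME_NO_MEMORY };

/*
 * Build the DNS-over-TCP wire form of msg: a 2-byte big-endian length
 * followed by the message itself. On FRAME_OK, out owns a malloc'd buffer
 * that the caller must free(); on any error out is left empty.
 */
enum frame_result tcpdns_frame(const region_t *msg, region_t *out) {
    if (out == NULL)
        return FRAME_BAD_INPUT;
    out->base = NULL;
    out->length = 0;
    /* Reject a missing region, or a non-empty region with no data pointer. */
    if (msg == NULL || (msg->base == NULL && msg->length != 0))
        return FRAME_BAD_INPUT;
    /* The prefix is 16 bits wide: a longer message cannot be framed, and
     * htons(length) would silently truncate the value written on the wire. */
    if (msg->length > UINT16_MAX)
        return FRAME_TOO_LONG;
    size_t total = (size_t)msg->length + 2; /* computed in size_t, cannot wrap */
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return FRAME_NO_MEMORY;
    buf[0] = (unsigned char)(msg->length >> 8); /* byte-wise, no unaligned store */
    buf[1] = (unsigned char)(msg->length & 0xff);
    if (msg->length != 0)
        memcpy(buf + 2, msg->base, msg->length);
    out->base = buf;
    out->length = (unsigned int)total;
    return FRAME_OK;
}

int main(void) {
    unsigned char sample[] = { 0x12, 0x34, 0x81, 0x82 }; /* constructed bytes */
    region_t in = { sample, 4 }, out;
    enum frame_result r = tcpdns_frame(&in, &out);
    printf("result=%d framed_length=%u\n", (int)r, out.length);
    free(out.base);
    return r == FRAME_OK ? 0 : 1;
}
```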