crash while receiving 64 kiB message over TCP
Summary
Weird 64-k DNS message over TCP causes BIND 9.19 to crash.
BIND version used
Not affected:
- v9.18: 3ac53b39
- v9.16: 4f4f144c
- v9.11 (EoL): 6c875d4b9c07b035e620310108c1704d7a3e4bf2
Steps to reproduce
- Compile dnsperf: https://github.com/DNS-OARC/dnsperf/pull/250 commit d51a453d77f532e4abb6b6d5477081450b4dd72f
- Get test query in binary: tcp2
- Start named
- Replay the test query:
dnsperf -m tcp -l10 -s ::1 -B -S1 -d /tmp/tcp2 -q1 -Q1 -t1
- Repeat a couple of times if needed
What is the current bug behavior?
BIND crashes:
Core was generated by `../main/sbin/named -g -c named.conf'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading source file /usr/src/debug/glibc/glibc/nptl/pthread_kill.c
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f5c2cdfe680 (LWP 486589))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f5c3388e8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f5c3383e668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f5c338264b8 in __GI_abort () at abort.c:79
#4 0x00005564490c1aa6 in assertion_failed (file=0x7f5c34d73de8 "./include/isc/dnsstream.h", line=495, type=isc_assertiontype_insist,
cond=0x7f5c34d73f00 "buf == ((void *)0)") at main.c:225
#5 0x00007f5c34d2833a in isc_assertion_failed (file=0x7f5c34d73de8 "./include/isc/dnsstream.h", line=495, type=isc_assertiontype_insist,
cond=0x7f5c34d73f00 "buf == ((void *)0)") at assertions.c:48
#6 0x00007f5c34d17483 in isc_dnsstream_assembler_incoming (dnsasm=0x7f5c2aa58280, userarg=0x7f5c2aa6ee00, buf=0x7f5c2fc41000, buf_size=0) at ./include/isc/dnsstream.h:495
#7 0x00007f5c34d17acd in streamdns_handle_incoming_data (sock=0x7f5c2aa5da00, transphandle=0x7f5c2aa6ee00, data=0x7f5c2fc41000, len=0) at netmgr/streamdns.c:242
#8 0x00007f5c34d18b99 in streamdns_readcb (handle=0x7f5c2aa6ee00, result=ISC_R_SUCCESS, region=0x7f5c2cdf8e40, cbarg=0x7f5c2aa5da00) at netmgr/streamdns.c:526
#9 0x00007f5c34d13521 in isc___nm_readcb (arg=0x7f5c2aa67e00) at netmgr/netmgr.c:1777
#10 0x00007f5c34d13662 in isc__nm_readcb (sock=0x7f5c2aa5d000, uvreq=0x7f5c2aa67e00, eresult=ISC_R_SUCCESS, async=false) at netmgr/netmgr.c:1792
#11 0x00007f5c34d1da48 in isc__nm_tcp_read_cb (stream=0x7f5c2aa5d5c8, nread=0, buf=0x7f5c2cdf8f60) at netmgr/tcp.c:772
#12 0x00007f5c346d9422 in uv__read (stream=stream@entry=0x7f5c2aa5d5c8) at src/unix/stream.c:1087
#13 0x00007f5c346d95c0 in uv__stream_io (loop=<optimized out>, w=0x7f5c2aa5d650, events=1) at src/unix/stream.c:1203
#14 0x00007f5c346decdb in uv__io_poll (loop=0x7f5c30ce7aa0, timeout=<optimized out>) at src/unix/linux.c:1476
#15 0x00007f5c346c6f9f in uv_run (loop=0x7f5c30ce7aa0, mode=UV_RUN_DEFAULT) at src/unix/core.c:447
#16 0x00007f5c34d4440b in loop_thread (arg=0x7f5c30ce7a80) at loop.c:282
#17 0x00007f5c34d5b993 in thread_body (wrap=0x7f5c30cebbe0) at thread.c:85
#18 0x00007f5c34d5b9d7 in thread_run (wrap=0x7f5c30cebbe0) at thread.c:100
#19 0x00007f5c3388c9eb in start_thread (arg=<optimized out>) at pthread_create.c:444
#20 0x00007f5c33910dfc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
Relevant configuration files
None.
Relevant logs and/or screenshots
This seems to happen when the humongous message is not sent in one go but is split between two sendto() syscalls on the client side.
Strace log: log
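As an added illustration (not BIND's own code), a minimal DNS-over-TCP reassembler that tolerates the two conditions described in this report: a maximal 65535-byte message split across sends, and a zero-length read delivered between the pieces. The type names, the helper names and the test data are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DNS_TCP_MAX 65535 /* the 2-byte length prefix caps a TCP DNS message */

typedef struct {
    uint8_t hdr[2]; size_t hdr_len;         /* length-prefix bytes seen (0..2) */
    uint8_t *msg; size_t msg_len, msg_have; /* body buffer, expected, received */
    size_t completed;                       /* fully assembled messages */
} dns_assembler_t;

/* Feed one TCP read. A zero-length read is a legal no-op, and a message may
 * arrive in any number of pieces. Returns false only if allocation fails. */
static bool assembler_feed(dns_assembler_t *a, const uint8_t *buf, size_t len) {
    while (len > 0) {
        if (a->hdr_len < 2) { /* still collecting the 16-bit length prefix */
            a->hdr[a->hdr_len++] = *buf++; len--;
            if (a->hdr_len < 2) continue;
            a->msg_len = ((size_t)a->hdr[0] << 8) | a->hdr[1];
            a->msg_have = 0; /* +1 avoids a zero-size realloc for empty bodies */
            if ((a->msg = realloc(a->msg, a->msg_len + 1)) == NULL) return false;
        }
        size_t take = a->msg_len - a->msg_have; /* body bytes still owed */
        if (take > len) take = len;
        memcpy(a->msg + a->msg_have, buf, take);
        a->msg_have += take; buf += take; len -= take;
        if (a->msg_have == a->msg_len) { a->completed++; a->hdr_len = 0; }
    }
    return true;
}

/* Constructed case mirroring the report: a maximal 65535-byte body delivered
 * as two pieces with an empty read in between (nread=0 in the backtrace).
 * Returns the number of messages completed with the body intact: expected 1. */
static size_t demo_split_max_message(size_t split_at) {
    size_t wire_len = 2 + DNS_TCP_MAX;
    uint8_t *wire = malloc(wire_len);
    if (wire == NULL) return 0;
    wire[0] = (uint8_t)(DNS_TCP_MAX >> 8); wire[1] = (uint8_t)(DNS_TCP_MAX & 0xff);
    for (size_t i = 2; i < wire_len; i++) wire[i] = (uint8_t)i;
    if (split_at > wire_len) split_at = wire_len;
    dns_assembler_t a = {0};
    bool ok = assembler_feed(&a, wire, split_at) &&
              assembler_feed(&a, wire + split_at, 0) && /* the empty read */
              assembler_feed(&a, wire + split_at, wire_len - split_at);
    size_t done = (ok && a.msg_have == DNS_TCP_MAX &&
                   memcmp(a.msg, wire + 2, DNS_TCP_MAX) == 0) ? a.completed : 0;
    free(a.msg); free(wire);
    return done;
}
```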