DLZ build_querystring broken
Summary
build_querystring() has been broken since ~9.13.2. At ~src/bind-9.13.5/contrib/dlz/drivers/sdlz_helper.c:162 isc_string_separate() was replaced with an improper implementation of strtok_r().
BIND version used
9.13.5
Steps to reproduce
Normal startup using a BIND DLZ
What is the current bug behavior?
strtok_r() is executed as strtok_r(right_str, "$", &last), where right_str is a copy of query_str. For the second and further calls to strtok_r() the first argument should be NULL, but right_str is passed every time, so strtok_r() returns the first segment of query_str (split by "$") forever.

Additionally, (char **)last is set to NULL immediately prior to each strtok_r() call, which destroys the state pointer that strtok_r() set on the previous call.

Additionally, due to the loop logic, a nulled tseg is created before the lack of further segments is detected. This causes a segmentation fault later, from a null pointer dereference on tseg->sql = 0x0 near line 306 in sdlzh_build_querystring(): the flawed code attempts to compute strlen(*tseg->sql).

Due to the flawed implementation, the infinitely repeated allocations in this while loop exhaust all memory.
What is the expected correct behavior?
The second and further calls to strtok_r() should be in the form strtok_r(NULL, "$", &saveptr), and saveptr should be left untouched between calls. No nulled tseg should exist.
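The correct strtok_r() loop described above, as an added illustration that is not BIND's code and not the attached patch: split_query() tokenises a DLZ query string on "$" the intended way (string on the first call, NULL afterwards, saveptr untouched) and never appends an empty trailing segment; flawed_distinct_segments() runs the broken pattern from the report for a bounded number of iterations to show that it only ever yields the first segment. The tseg list is simplified to a plain array.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 16

/* Split query on "$" as sdlzh_build_querystring() should: strtok_r() gets the
 * string once, then NULL, and saveptr is never reset by the caller.
 * out[] entries point into a heap copy returned via *copy (caller frees).
 * Returns the segment count; the loop ends when strtok_r() returns NULL,
 * before anything is appended, so no nulled segment is ever created. */
static int split_query(const char *query, char **copy, const char *out[], int max)
{
    char *saveptr = NULL;
    char *seg;
    int n = 0;

    *copy = strdup(query);          /* strtok_r() writes into its input */
    if (*copy == NULL)
        return -1;
    for (seg = strtok_r(*copy, "$", &saveptr); seg != NULL && n < max;
         seg = strtok_r(NULL, "$", &saveptr))
        out[n++] = seg;
    return n;
}

/* The flawed pattern from the report, bounded to `iterations` calls: the
 * input pointer is passed every time and the state pointer is nulled before
 * each call. Returns the number of distinct segments seen, which is always 1
 * because strtok_r() keeps handing back the first segment. */
static int flawed_distinct_segments(const char *query, int iterations)
{
    char *right_str = strdup(query);
    const char *first = NULL;
    int distinct = 0;

    for (int i = 0; right_str != NULL && i < iterations; i++) {
        char *last = NULL;          /* state destroyed before every call */
        char *seg = strtok_r(right_str, "$", &last);
        if (seg == NULL)
            break;
        if (first == NULL) { first = seg; distinct = 1; }
        else if (strcmp(seg, first) != 0) distinct++;
    }
    free(right_str);
    return distinct;
}
```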
Relevant configuration files
dlz "postgres zone" {
database "postgres 10
{host=127.0.0.1 dbname=dns_data user=bind password=***********************************}
{SELECT 'TRUE' FROM canonical WHERE content ilike '$zone$' limit 1}
{SELECT ttl, type, priority, data FROM record, canonical WHERE content ilike '$zone$' AND host ilike '$record$' AND zone = domain}
{}
{SELECT ttl, type, host, priority, data FROM record, canonical WHERE zone = domain AND content ilike '$zone$'}
{SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND content ilike '$zone$' AND client = inet '$client$'}";
};
Relevant logs and/or screenshots
n/a
Possible fixes
Blue Labs LLC has developed a patch for this and it is provided with the MPL2 license. This patch applies cleanly to 9.13.5 released source and the current git head source. sdlz_helper-fix-querystring-parsing.patch
The attached patch fixes the strtok_r() usage and removes the trailing nulled tseg.