named-checkzone assertion failures
Summary
Running AFL against named-checkzone generated a number of crashes, all but one in the compare_in_<rrtype>
functions.
BIND version used
The version used was the latest master (commit ID 792692f8).
Steps to reproduce
Issue the command:
named-checkzone example.com <filename>
What is the current bug behavior?
The attached files cause the following crashes:
checkzone-crash-1.txt
./rdata/in_1/eid_31.c:94: REQUIRE(rdata1->length != 0) failed, back trace
checkzone-crash-2.txt
./rdata/in_1/nimloc_32.c:94: REQUIRE(rdata1->length != 0) failed, back trace
checkzone-crash-13.txt
./rdata/in_1/dhcid_49.c:110: REQUIRE(rdata1->length != 0) failed, back trace
checkzone-crash-14.txt
rcode.c:242: INSIST(buffer[source->length] == '\0') failed, back trace
The last crash (for file checkzone-crash-14.txt) is odd as it only occurred when running named-checkzone on a Mac (macOS 10.14.2 clang-1000.11.45.5). The crash did not occur on Debian (Debian 9.6, gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)). The output on macOS was:
Mac:crashes:553% ./named-checkzone example.com checkzone-crash-14.txt
dns_master_load: checkzone-crash-14.txt:1: unknown $ directive '$M??'
dns_master_load: checkzone-crash-14.txt:1: syntax error
checkzone-crash-14.txt:1: record with inherited owner (\$M\232\241.example.com) immediately after $ORIGIN (example.com)
checkzone-crash-14.txt:1: unknown RR type 'A10.53'
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
rcode.c:242: INSIST(buffer[source->length] == '\0') failed, back trace
#0 0x102b505e0 in ??
#1 0x102b5056a in ??
#2 0x102a85d67 in ??
#3 0x102a991d7 in ??
#4 0x102a3ee7f in ??
#5 0x102a3a896 in ??
#6 0x102b081e9 in ??
#7 0x102a02bd6 in ??
#8 0x102a021c8 in ??
#9 0x7fff69ecbed9 in ??
#10 0x3 in ??
Abort trap: 6
... whereas on Debian 9 it was:
Debian:crashes:2091% ./named-checkzone example.com checkzone-crash-14.txt
dns_master_load: checkzone-crash-14.txt:1: unknown $ directive '$M��'
dns_master_load: checkzone-crash-14.txt:1: syntax error
checkzone-crash-14.txt:1: record with inherited owner (\$M\232\241.example.com) immediately after $ORIGIN (example.com)
checkzone-crash-14.txt:1: unknown RR type 'A10.53'
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_master_load: checkzone-crash-14.txt:1: syntax error
dns_rdata_fromtext: checkzone-crash-14.txt:2: near '3M\': unknown class/type
dns_rdata_fromtext: checkzone-crash-14.txt:3: near '�3M00': unknown class/type
zone example.com/IN: loading from master file checkzone-crash-14.txt failed: syntax error
zone example.com/IN: not loaded due to errors.
What is the expected correct behavior?
named-checkzone should report the errors and exit normally.
Notes
As can be inferred from the filenames, AFL came up with a number of files that caused an assertion failure. Many caused the same failure, so only a single file from each set has been attached.
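The de-duplication described in the Notes can be scripted. The following is an added example, not part of the original report or of BIND's tooling: it groups fuzzer-found inputs by the assertion that named-checkzone prints and picks one file per distinct failure. It assumes the stderr of each run has already been captured into a dict keyed by input filename; the function names, the checkzone-crash-3.txt duplicate and the no-crash.txt entry are constructed for illustration.

```python
import re
from collections import defaultdict

# ISC assertion lines look like:
#   ./rdata/in_1/eid_31.c:94: REQUIRE(rdata1->length != 0) failed, back trace
ASSERT_RE = re.compile(
    r"^(?P<src>\S+\.c):(?P<line>\d+): "
    r"(?P<kind>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<cond>.*)\) failed",
    re.MULTILINE,
)

def signature(stderr_text):
    """Return (source file, line, kind, condition) for the first assertion, else None."""
    m = ASSERT_RE.search(stderr_text)
    if m is None:
        return None  # the tool reported errors and exited normally
    src = m["src"][2:] if m["src"].startswith("./") else m["src"]
    return (src, int(m["line"]), m["kind"], m["cond"])

def group_crashes(outputs):
    """Map each assertion signature to the sorted input files that trigger it."""
    groups = defaultdict(list)
    for crash_file, text in outputs.items():
        groups[signature(text)].append(crash_file)
    return {sig: sorted(files) for sig, files in groups.items()}

def representatives(outputs):
    """One input file per distinct assertion: the minimal set to attach."""
    return sorted(f[0] for sig, f in group_crashes(outputs).items() if sig)

# Constructed sample: assertion lines copied from the report; crash-3 and
# no-crash are invented here to show a duplicate and a clean run.
EID = "./rdata/in_1/eid_31.c:94: REQUIRE(rdata1->length != 0) failed, back trace\n"
SAMPLE = {
    "checkzone-crash-1.txt": EID,
    "checkzone-crash-3.txt": EID,
    "checkzone-crash-2.txt":
        "./rdata/in_1/nimloc_32.c:94: REQUIRE(rdata1->length != 0) failed, back trace\n",
    "checkzone-crash-14.txt":
        "dns_master_load: checkzone-crash-14.txt:1: syntax error\n"
        r"rcode.c:242: INSIST(buffer[source->length] == '\0') failed, back trace",
    "no-crash.txt": "zone example.com/IN: not loaded due to errors.\n",
}

if __name__ == "__main__":
    for sig, files in group_crashes(SAMPLE).items():
        print(sig, files)
    print("attach:", representatives(SAMPLE))
```

Keying on source file, line and condition keeps the eid_31.c and nimloc_32.c failures separate even though both print the same REQUIRE text.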