similar named 8.3.3-REL crashes on two different machines....

Paul Vixie paul at vix.com
Fri Aug 16 06:39:42 UTC 2002


> Aug 15 08:40:54 corporate named[4070]: ns_main.c:831:
>    INSIST(evRead(lev, rfd, &iov, 1, stream_getlen, sp, &sp->evID_r) != -1):
>    Invalid argument failed.
> ...
> What really worries me is the comment above the line generating this
> error:
> 
> 	/* XXX FIXME: This should probably not cause a crash! */
> 	INSIST_ERR(evRead(lev, rfd, &iov, 1, stream_getlen, sp, &sp->evID_r)
> 	           != -1);

indeed, that is worrisome.  i don't see that comment in the master sources,
so perhaps it showed up in an internal netbsd audit.  your line numbers are
a little different from mine, too.  but: the comment seems accurate.

> This is of course in stream_accept().  It seems a well-timed TCP connect
> and reset can totally D.o.S. named, at least on NetBSD (there are some
> bugaboos in the NetBSD TCP stack that might be allowing this to happen,
> though I thought they'd been fixed before 1.5W).

indeed, we never considered the possibility that the descriptor would be
invalid so soon after accept() had returned it to us.  that was naive on our
part and i apologize.

> What's it going to take to do as the comment says?  Is it a simple
> matter of propagating the error back up, or are there other things which
> need cleaning up to do it safely?

just sq_remove() as far as i'm concerned.  here's what i'm considering:

Index: ns_main.c
===================================================================
RCS file: /proj/cvs/isc/bind8/src/bin/named/ns_main.c,v
retrieving revision 8.160
diff -u -r8.160 ns_main.c
--- ns_main.c   24 Jun 2002 07:06:55 -0000      8.160
+++ ns_main.c   16 Aug 2002 06:34:23 -0000
@@ -825,8 +825,13 @@
        sp->s_ifp = ifp;
        INSIST(sizeof sp->s_temp >= INT16SZ);
        iov = evConsIovec(sp->s_temp, INT16SZ);
-       INSIST_ERR(evRead(lev, rfd, &iov, 1, stream_getlen, sp, &sp->evID_r)
-                  != -1);
+       if (evRead(lev, rfd, &iov, 1, stream_getlen, sp, &sp->evID_r) == -1) {
+               ns_info(ns_log_default,
+                       "stream_accept: evRead() failed: %s",
+                       strerror(errno));
+               sq_remove(sp);
+               return;
+       }
        sp->flags |= STREAM_READ_EV;
        ns_debug(ns_log_default, 1, "IP/TCP connection from %s (fd %d)",
                 sin_ntoa(sp->s_from), rfd);
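Review bot: the new error path `sq_remove(sp); return;` depends on sq_remove() closing rfd and freeing the qstream that the lines above this hunk set up (only `sp->s_ifp = ifp;` of that setup is visible here); since STREAM_READ_EV is set only after the successful evRead() on the following line, a flag-gated cancel of the read event inside sq_remove() correctly has nothing to cancel, but the descriptor and the sp allocation must be released there or every reset-on-accept leaks one of each. Two smaller points: the quoted report shows a remote peer can hit this path at will with a connect followed by a reset, so an unconditional ns_info() per occurrence is a log-flooding vector, and ns_debug(ns_log_default, 1, ...) matching the "IP/TCP connection from %s (fd %d)" message two lines below would be safer; and that message would be more useful to an operator if it also carried sin_ntoa(sp->s_from) and rfd as the success-path message does. Taking strerror(errno) before anything else runs is right, since sq_remove() may clobber errno.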


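The pattern under discussion, as an added example that is not BIND's code and not part of the original message: an accept path that treats the descriptor handed back by accept() as possibly already dead, and releases the per-connection state on failure instead of asserting. stream_t, arm_read(), stream_release(), stream_accept_one() and stream_first_read() are invented stand-ins for BIND 8's qstream, evRead(), sq_remove(), stream_accept() and stream_getlen(); demo_reset_race() reproduces the "well-timed TCP connect and reset" on the loopback with SO_LINGER {1,0}, and assumes Linux-like behaviour where accept() still returns the reset socket and the first read fails with ECONNRESET (a BSD-derived stack may instead fail accept() with ECONNABORTED, which the demo reports as -1).

```c
/* Added example, not BIND's code.  Names are invented stand-ins (see lead-in). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define READ_ARMED 0x1

typedef struct stream {
    int fd;
    unsigned flags;          /* READ_ARMED only once arming succeeded */
    unsigned char len[2];    /* 16-bit length prefix of a DNS/TCP message */
} stream_t;

/* Stand-in for evRead(): check the descriptor is usable and make it
 * non-blocking.  Returns -1 with errno set (EBADF, EINVAL, ...) on failure. */
static int arm_read(stream_t *sp) {
    int fl = fcntl(sp->fd, F_GETFL);
    if (fl == -1 || fcntl(sp->fd, F_SETFL, fl | O_NONBLOCK) == -1)
        return -1;
    return 0;
}

/* Stand-in for sq_remove(): release everything the stream owns.  The read
 * event is only armed after arm_read() succeeded, so an arming failure has
 * nothing to cancel; the descriptor and the allocation still go. */
static void stream_release(stream_t *sp) {
    if (sp->fd >= 0)
        close(sp->fd);
    free(sp);
}

/* Returns 0 with *out set when the stream is armed; -1 with errno preserved
 * when arming failed, in which case the stream has already been released. */
static int stream_accept_one(int rfd, stream_t **out) {
    stream_t *sp = calloc(1, sizeof *sp);
    if (sp == NULL) { close(rfd); return -1; }
    sp->fd = rfd;
    if (arm_read(sp) == -1) {
        int saved = errno;                   /* taken before anything clobbers it */
        fprintf(stderr, "stream_accept: arm_read failed on fd %d: %s\n",
                rfd, strerror(saved));
        stream_release(sp);
        errno = saved;
        return -1;
    }
    sp->flags |= READ_ARMED;
    *out = sp;
    return 0;
}

/* Stand-in for stream_getlen(): try to read the length prefix.  Returns 0 when
 * bytes arrived, EAGAIN when nothing is there yet (stream kept), -1 when the
 * peer closed cleanly, or errno on a hard error such as ECONNRESET.  On -1 or
 * a hard error the stream has been released. */
static int stream_first_read(stream_t *sp) {
    ssize_t n = read(sp->fd, sp->len, sizeof sp->len);
    if (n > 0)
        return 0;
    if (n == 0) { stream_release(sp); return -1; }
    if (errno == EAGAIN || errno == EWOULDBLOCK)
        return EAGAIN;
    int saved = errno;
    fprintf(stderr, "stream_getlen: read on fd %d failed: %s\n",
            sp->fd, strerror(saved));
    stream_release(sp);
    return saved;
}

/* Client connects, then closes with SO_LINGER {1,0} (RST, not FIN) before the
 * server calls accept().  Returns what the server saw on its first read, or -1
 * if socket setup or accept() itself failed. */
static int demo_reset_race(void) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0)
        return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(ls, (struct sockaddr *)&a, alen) || listen(ls, 1) ||
        getsockname(ls, (struct sockaddr *)&a, &alen)) { close(ls); return -1; }
    int cl = socket(AF_INET, SOCK_STREAM, 0);
    if (cl < 0 || connect(cl, (struct sockaddr *)&a, alen)) {
        if (cl >= 0) close(cl);
        close(ls);
        return -1;
    }
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    setsockopt(cl, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
    close(cl);                               /* RST leaves now, before accept() */
    int rfd = accept(ls, NULL, NULL);
    close(ls);
    if (rfd < 0)
        return -1;
    stream_t *sp = NULL;
    if (stream_accept_one(rfd, &sp) == -1)
        return errno;
    int rc = stream_first_read(sp);
    if (rc == 0 || rc == EAGAIN)
        stream_release(sp);                  /* demo only: not keeping the stream */
    return rc;
}

int main(void) {
    int rc = demo_reset_race();
    printf("first read after reset-on-accept: %d (%s)\n", rc,
           rc > 0 ? strerror(rc) : rc == 0 ? "data" : "closed, or setup failed");
    return 0;
}
```

Either failure point, arming or the first read, ends in the same release routine and a return to the event loop, so a peer that can time a reset against accept() costs the server one log line rather than the process; whether a remote party should be able to emit that log line at will is a separate decision, and is why the demo keeps the message at stderr rather than a high-priority log level.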