bind9 crashed in dns_acl_match

Hiroshi OHNO hiroshi at bigfield.com
Tue Jul 22 02:53:06 UTC 2008 

Sometime bind9 crashed(Segmentation fault) in dns_acl_match(acl.c:226). 

I built bind-9.5.0-33.P1.fc9.src.rpm on FC5.

When crashing, the value of node->data[0] is 0. 
I made this patch though I did not understand correct. 
Because I do not understand why this value becomes 0. 
Is it a my stacksize problem?

Please check this.

--- bind-9.5.0-P1/lib/dns/acl.c.orig 2008-04-29 10:04:14.000000000 +0900
+++ bind-9.5.0-P1/lib/dns/acl.c 2008-07-22 10:25:24.000000000 +0900
@@ -223,7 +223,8 @@
   if (node->bit == 0)
    family = AF_INET;
   match_num = node->node_num[ISC_IS6(family)];
-  if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
+  if (node->data[ISC_IS6(family)] != NULL &&
+      *(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
    *match = match_num;
   else
    *match = -match_num;
---
Debugging information is as follows. 

# gdb /usr/sbin/named core.26467
GNU gdb Red Hat Linux (6.3.0.0-1.134.fc5rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xc11000
Core was generated by `/usr/sbin/named -u named -t /var/named/chroot'.
Program terminated with signal 11, Segmentation fault.

--8<--8<--8<--8<-- snip --8<--8<--8<--8<--

#0  0x008b6c77 in dns_acl_match (reqaddr=0xb7ee1314, reqsigner=0x0, acl=0xb7ee6db8,
    env=0xb7eed0a8, match=0xb7ee0918, matchelt=0x0) at acl.c:226
226                     if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
(gdb) list
221             /* Found a match. */
222             if (result == ISC_R_SUCCESS && node != NULL) {
223                     if (node->bit == 0)
224                             family = AF_INET;
225                     match_num = node->node_num[ISC_IS6(family)];
226                     if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
227                             *match = match_num;
228                     else
229                             *match = -match_num;
230             }
(gdb) print result
Variable "result" is not available.
(gdb) print *node
$1 = {bit = 8, prefix = 0xb5f94988, l = 0xb5988b20, r = 0xb598b058, parent = 0xb598b0d0,
  data = {0x0, 0x0}, node_num = {9888, -1}}
(gdb) print match_num
$2 = 9888
(gdb) print family
Variable "family" is not available.
(gdb) print *(isc_boolean_t *)node->data[0]
Cannot access memory at address 0x0
(gdb)

----------
Hiroshi OHNO

More information about the bind-users mailing list