Report information
The Basics
Id:
45611
Status:
resolved
Priority:
Medium/Medium
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Ray Bellis <ray@isc.org>
Cc:
AdminCc:
BugTracker
Version Fixed:
9.10.7, 9.10.7(sub), 9.11.3, 9.12.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
BIND Utilities
Area:
bug
Dates
Created:Tue, 25 Jul 2017 08:05:47 -0400
Updated:Mon, 13 Nov 2017 00:42:20 -0500
Closed:Mon, 13 Nov 2017 00:42:20 -0500

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Tue, 25 Jul 2017 08:05:47 -0400 Ray Bellis <ray@isc.org> - Ticket created
Subject: dig's handling of OPT RRs
From: "Ray Bellis" <ray@isc.org>
Date: Tue, 25 Jul 2017 13:04:17 +0100
To: bind9-bugs@isc.org

If you supply +ednsopt=nn[:xx] dighost.c accumulates the supplied options in a global array, but doesn't dispose of old ones, eventually triggering a fatal() error when the number reaches EDNSOPT_OPTIONS (100). In batch mode this terminates the program. In dig for iOS the fatal() call doesn't happen, but the array fills up and a crash would occur. The array of options is ultimately disposed of in destroy_libs(), but it's unclear why the entries aren't cleaned up and the array reinitialised for each query.
  Tue, 25 Jul 2017 08:29:13 -0400 Ray Bellis <ray@isc.org> - Correspondence added
To: bind9-confidential@isc.org
Subject: Re: [ISC-Bugs #45611] dig's handling of OPT RRs
From: "Ray Bellis" <ray@isc.org>
Date: Tue, 25 Jul 2017 13:29:05 +0100

Furthermore, it seems that if an OPT RR is put on the command line, and then another within the batch file, any _subsequent_ OPT RRs on later batch file lines are ignored, and only the previous ones used. If no OPT RR is put on the command line then individual OPT RRs within the batch file are processed as expected (until the aforementioned limit of 100 accumulated RRs is reached).
Tue, 25 Jul 2017 08:29:14 -0400 The RT System itself - Status changed from 'new' to 'open'
  Tue, 25 Jul 2017 09:11:45 -0400 Mark Andrews <marka@isc.org> - Correspondence added
To: bind9-confidential@isc.org
Subject: Re: [ISC-Bugs #45611] dig's handling of OPT RRs
From: "Mark Andrews" <marka@isc.org>
Date: Tue, 25 Jul 2017 23:11:37 +1000

In message <rt-4.4.1-65696-1500984347-1984.45611-3-0@isc.org>, "Ray Bellis via RT" writes: > If you supply +ednsopt=nn[:xx] dighost.c accumulates the supplied > options in a global array, but doesn't dispose of old ones, eventually > triggering a fatal() error when the number reaches EDNSOPT_OPTIONS (100). +noednsopt will reset the index pointer. We do have a memory leak if there was a value and the index is reused. diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 320ed1a953..5e65b1d61d 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -1582,6 +1582,9 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) { fatal("bad edns code point: %s", code); } + if (ednsopts[ednsoptscnt].value != NULL) + isc_mem_free(mctx, ednsopts[ednsoptscnt].value); + ednsopts[ednsoptscnt].code = num; ednsopts[ednsoptscnt].length = 0; ednsopts[ednsoptscnt].value = NULL; > In batch mode this terminates the program. In dig for iOS the fatal() > call doesn't happen, but the array fills up and a crash would occur. > > The array of options is ultimately disposed of in destroy_libs(), but > it's unclear why the entries aren't cleaned up and the array > reinitialised for each query. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
  Tue, 25 Jul 2017 21:12:55 -0400 Mark Andrews <marka@isc.org> - Correspondence added

* We need to be able to define a default set of EDNS options defined. * We need to reset to the end of that set on each new query. * We need to be able to "clear" that set while preserving it for the next query. This can also "clear" any per query options currently defined. We should be able to do this by adding a few more index values into the array to define a active set of options. e.g. a start index, current index, saved-current index. new query -> start index=0, current index=saved-current index +noednsopt -> start index=saved-current index, current index=saved-current index saved-current index is set once all the default are defined. a new option is added at current index freeing any existing option already there.
Wed, 26 Jul 2017 00:57:33 -0400 Mark Andrews <marka@isc.org> - Queue changed from #6 to bind9-public
Wed, 26 Jul 2017 00:57:33 -0400 Mark Andrews <marka@isc.org> - Severity S2 Normal added
Wed, 26 Jul 2017 00:57:33 -0400 Mark Andrews <marka@isc.org> - Component BIND Utilities added
Wed, 26 Jul 2017 00:57:33 -0400 Mark Andrews <marka@isc.org> - Priority P2 Normal added
  Sun, 05 Nov 2017 01:30:10 -0400 Mark Andrews <marka@isc.org> - Correspondence added

ready for review
Sun, 05 Nov 2017 01:30:14 -0400 Mark Andrews <marka@isc.org> - Status changed from 'open' to 'review'
  Fri, 10 Nov 2017 17:54:49 -0500 Mukund Sivaraman <muks@isc.org> - Correspondence added
To: "Mark Andrews via RT" <bind9-public@isc.org>
Subject: Re: [ISC-Bugs #45611] dig's handling of OPT RRs
From: "Mukund Sivaraman" <muks@isc.org>
Date: Sat, 11 Nov 2017 06:52:02 +0800

I've pushed a couple of commits to the branch. This looks OK to me. I tried dig manually for leaks, but didn't run system tests. If system tests pass, please go ahead and merge. Mukund
Fri, 10 Nov 2017 17:54:56 -0500 Mukund Sivaraman <muks@isc.org> - Given to Mark Andrews <marka@isc.org>
Mon, 13 Nov 2017 00:42:19 -0500 Mark Andrews <marka@isc.org> - Version Fixed 9.10.7, 9.10.7(sub), 9.11.3, 9.12.0 added
Mon, 13 Nov 2017 00:42:20 -0500 Mark Andrews <marka@isc.org> - Status changed from 'review' to 'resolved'
Mon, 13 Nov 2017 00:42:20 -0500 Mark Andrews <marka@isc.org> - Untaken