Ticket History #3172: AIX 4.x ns_ninit corrupts memory due to incompatibility with resolv.h

From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Aug 30 15:32:39 2005
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id PAA27787; Tue, 30 Aug 2005 15:32:39 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j7UJVrWn012614
for <krb5-send-pr@krbdev.mit.edu>; Tue, 30 Aug 2005 15:31:53 -0400
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j7TJWZWn001127
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 29 Aug 2005 15:32:35 -0400
Received: from melville.u.washington.edu (melville.u.washington.edu
[140.142.10.44])j7TJWmfr015780
for <krb5-bugs@mit.edu>; Mon, 29 Aug 2005 15:32:48 -0400 (EDT)
Received: (from donn@localhost)j7TJWldc032928;
Mon, 29 Aug 2005 12:32:47 -0700
Date: Mon, 29 Aug 2005 12:32:47 -0700
Message-Id: <200508291932.j7TJWldc032928@melville.u.washington.edu>
To: krb5-bugs@mit.edu
From: donn@u.washington.edu
X-send-pr-version: 3.99
X-Spam-Score: -2.592
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 30 Aug 2005 15:31:26 -0400
Subject: AIX 4.3 ns_ninit corrupts memory
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: donn@u.washington.edu
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


Computing & Communications
University of Washington
AIX 4.3, 5.1, 5.2
System: AIX melville 3 4 00600210C000


AIX state/__res_state declaration is incompatible with res_ninit().
The declared and hence allocated struct is 720 bytes, but empirically
the expected size appears to be at least 1490 bytes. This is the same
on AIX 4.3, 5.1 and 5.2.
kinit will immediately crash on any AIX platform.
The fix is already there (in configure), for AIX 5, and simply needs to
be applied to AIX 4 as well.

On Aug 31, 2005, at 3:12 PM, Tom Yu via RT wrote:


Nope, neither 4.3 nor 5.2 declare res_ndestroy, in resolv.h
or anything included by it.

I don't suppose this would actually be convenient for your
purposes, but since this is a very specific exception to your
general wish to use res_ninit() ... here's the minimum direct
test for the specific condition.

Donn Cave, donn@u.washington.edu
------------------------------------
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <netdb.h>

int
main(int argc, char **argv)
{
struct __res_state statbuf[3];
unsigned int *ph;

ph = (unsigned int *) statbuf;
ph[(sizeof(struct __res_state) + sizeof(*ph) - 1)/sizeof(*ph)]
= 0x41322314;
if (res_ninit(statbuf) < 0) {
perror("res_ninit");
return 0;
}
return ph[(sizeof(struct __res_state) + sizeof(*ph) - 1)/
sizeof(*ph)]
!= 0x41322314;
}

* dnsglue.c (USE_RES_NINIT): Fix braino: define to 1, not empty
string.

Commit By: tlyu



Revision: 17382
Changed Files:
U trunk/src/lib/krb5/os/ChangeLog
U trunk/src/lib/krb5/os/dnsglue.c

pullup r17377 and r17382 from trunk.

Commit By: tlyu



Revision: 17389
Changed Files:
U branches/krb5-1-4/src/ChangeLog
U branches/krb5-1-4/src/aclocal.m4
U branches/krb5-1-4/src/lib/krb5/os/ChangeLog
U branches/krb5-1-4/src/lib/krb5/os/dnsglue.c