[dns-operations] bind-9.9.4-P1 crash

Damian Menscher damian at google.com
Wed Dec 18 03:59:16 UTC 2013


I'm interested in more details.  In particular, it would help to know:
  - is the trigger a well-formed DNS query or a crafted packet?
  - does this affect authoritative servers or recursives?
  - or is the problem actually in the response (through a recursive) from
some evil authoritative server?

Even if you don't want to share the specifics, knowing the answers to these
questions would help people judge the risks.

Damian


On Tue, Dec 17, 2013 at 6:00 PM, Jared Mauch <jared at puck.nether.net> wrote:

> Anyone seen this crash?
>
> I’m hitting it fairly often right now and trying to poke at the code for
> triage:
>
> 17-Dec-2013 20:56:03.138 general: name.c:1727: INSIST(offset <= length) failed, back trace
> 17-Dec-2013 20:56:03.138 general: #0 0x43140d in ??
> 17-Dec-2013 20:56:03.138 general: #1 0x7ffff622517a in ??
> 17-Dec-2013 20:56:03.138 general: #2 0x7ffff7873536 in ??
> 17-Dec-2013 20:56:03.139 general: #3 0x7ffff7877b8d in ??
> 17-Dec-2013 20:56:03.139 general: #4 0x432590 in ??
> 17-Dec-2013 20:56:03.139 general: #5 0x4367a6 in ??
> 17-Dec-2013 20:56:03.139 general: #6 0x440c1f in ??
> 17-Dec-2013 20:56:03.139 general: #7 0x445c19 in ??
> 17-Dec-2013 20:56:03.139 general: #8 0x426bef in ??
> 17-Dec-2013 20:56:03.139 general: #9 0x7ffff6247836 in ??
> 17-Dec-2013 20:56:03.139 general: #10 0x7ffff5dfcf33 in ??
> 17-Dec-2013 20:56:03.139 general: #11 0x7ffff5b2aead in ??
> 17-Dec-2013 20:56:03.139 general: exiting (due to assertion failure)
>
>
> Seems to perhaps be with a specific QNAME
>
> (gdb) bt
> #0  0x00007ffff5a6bc59 in raise () from /usr/lib64/libc.so.6
> #1  0x00007ffff5a6d368 in abort () from /usr/lib64/libc.so.6
> #2  0x00000000004315d6 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ./main.c:218
> #3  0x00007ffff622517a in isc_assertion_failed () from /usr/lib64/libisc.so.95
> #4  0x00007ffff7873536 in set_offsets () from /usr/lib64/libdns.so.100
> #5  0x00007ffff7877b8d in dns_name_copy () from /usr/lib64/libdns.so.100
> #6  0x0000000000432590 in query_findclosestnsec3 (qname=qname@entry=0x7ffff26b6810, db=db@entry=0x7fffe73d82b0, version=version@entry=0x0,
>     client=client@entry=0x7fffe8132e10, rdataset=0x7fffed088b00, sigrdataset=0x7fffed0880f0, fname=0x7fffed0850b0, exact=exact@entry=isc_boolean_true,
>     found=found@entry=0x7ffff26b6810) at query.c:5337
> #7  0x00000000004367a6 in query_addwildcardproof (client=<optimized out>, db=0x7fffe73d82b0, version=0x7fffe73d0590, name=<optimized out>,
>     ispositive=ispositive@entry=isc_boolean_false, nodata=nodata@entry=isc_boolean_false) at query.c:3482
> #8  0x0000000000440c1f in query_find (client=0x7fffe8132e10, event=event@entry=0x0, qtype=<optimized out>, qtype@entry=12) at query.c:6686
> #9  0x0000000000445c19 in ns_query_start (client=client@entry=0x7fffe8132e10) at query.c:7794
> #10 0x0000000000426bef in client_request (task=<optimized out>, event=<optimized out>) at client.c:1939
> #11 0x00007ffff6247836 in run () from /usr/lib64/libisc.so.95
> #12 0x00007ffff5dfcf33 in start_thread () from /usr/lib64/libpthread.so.0
> #13 0x00007ffff5b2aead in clone () from /usr/lib64/libc.so.6
>
> QNAME available in private for those that I trust.
>
> - Jared