* [musl] [PATCH] dns: fix nameserver OOB read in IPv6-disabled fallback
@ 2026-02-26 7:51 Liam Wachter
2026-02-26 13:35 ` Szabolcs Nagy
0 siblings, 1 reply; 2+ messages in thread
From: Liam Wachter @ 2026-02-26 7:51 UTC (permalink / raw)
To: musl
In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns]
inside a loop controlled by i, so it tests a fixed slot instead of
walking configured nameservers. This reads one past the array's size.
Use conf->ns[i] so the loop correctly detects whether all configured
nameservers are IPv6-only.
---
src/network/res_msend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/res_msend.c b/src/network/res_msend.c
index fcb52513..51d42ecb 100644
--- a/src/network/res_msend.c
+++ b/src/network/res_msend.c
@@ -124,7 +124,7 @@ int __res_msend_rc(int nqueries, const unsigned char
*const *queries,
/* Handle case where system lacks IPv6 support */
if (fd < 0 && family == AF_INET6 && errno == EAFNOSUPPORT) {
- for (i=0; i<nns && conf->ns[nns].family == AF_INET6; i++);
+ for (i=0; i<nns && conf->ns[i].family == AF_INET6; i++);
if (i==nns) {
pthread_setcancelstate(cs, 0);
return -1;
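Review bot: In the "if (i==nns)" check that follows the corrected loop, nns == 0 makes the condition trivially true, because the loop never runs and i stays 0, so this path returns -1 without having looked at any nameserver. The index fix itself is right: with conf->ns[i] the loop stops at the first non-AF_INET6 entry, so i==nns means every one of the nns entries is IPv6. Please confirm that nns > 0 is guaranteed whenever family == AF_INET6 here (it is not visible in this hunk), or say so in the comment above the if. As a style point, the loop's whole effect is the final value of i behind a trailing ";", which is the shape that let the ns[nns] typo go unnoticed; an explicit empty body would make it easier to spot.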
* Re: [musl] [PATCH] dns: fix nameserver OOB read in IPv6-disabled fallback
From: Szabolcs Nagy @ 2026-02-26 13:35 UTC (permalink / raw)
To: Liam Wachter; +Cc: musl
* Liam Wachter <liam@asymmetric.re> [2026-02-26 08:51:09 +0100]:
> In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns]
> inside a loop controlled by i, so it tests a fixed slot instead of
> walking configured nameservers. This reads one past the array's size.
>
> Use conf->ns[i] so the loop correctly detects whether all configured
> nameservers are IPv6-only.
>
the patch looks good.
OOB access reads value != AF_INET6 under the assumption
that the compiler does not consider separate TUs together,
so the behaviour is mostly i!=nns i.e. the check was
ineffective. i==nns only happens if uninitialized read
from conf->ns[] happens to be AF_INET6 (should be rare).
so does not look exploitable.
> ---
> src/network/res_msend.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/network/res_msend.c b/src/network/res_msend.c
> index fcb52513..51d42ecb 100644
> --- a/src/network/res_msend.c
> +++ b/src/network/res_msend.c
> @@ -124,7 +124,7 @@ int __res_msend_rc(int nqueries, const unsigned char
> *const *queries,
>
> /* Handle case where system lacks IPv6 support */
> if (fd < 0 && family == AF_INET6 && errno == EAFNOSUPPORT) {
> - for (i=0; i<nns && conf->ns[nns].family == AF_INET6; i++);
> + for (i=0; i<nns && conf->ns[i].family == AF_INET6; i++);
> if (i==nns) {
> pthread_setcancelstate(cs, 0);
> return -1;
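Review bot: The commit message's "reads one past the array's size" claims more than the removed line shows: conf->ns[nns] indexes one past the last of the nns entries the loop is bounded by, and the declared size of conf->ns[] does not appear in this hunk. Suggest describing it as a read past the last configured nameserver. It would also help to record that the old condition did not depend on i, so the loop ended with i at either 0 or nns without inspecting any configured entry, which is why the fallback check was ineffective rather than merely reading the wrong slot.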
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/