NetBSD Problem Report #57786

From www@netbsd.org  Tue Dec 19 04:37:01 2023
Return-Path: <www@netbsd.org>
Message-Id: <20231219043700.200931A923C@mollari.NetBSD.org>
Date: Tue, 19 Dec 2023 04:37:00 +0000 (UTC)
From: gadams@avernus.com
Reply-To: gadams@avernus.com
To: gnats-bugs@NetBSD.org
Subject: tcp_wrappers cause core dump when encountering certain remote system misconfiguration
X-Send-Pr-Version: www-1.0

>Number:         57786
>Category:       pkg
>Synopsis:       tcp_wrappers cause core dump when encountering certain remote system misconfiguration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 19 04:40:00 +0000 2023
>Originator:     Geoff Adams
>Release:        trunk
>Organization:
>Environment:
SunOS catbus.kempt.net 5.11 joyent_20221103T001803Z i86pc i386 i86pc illumos
>Description:
Binaries that link libwrap are susceptible to crashing with SIGSEGV when a remote host initiates a connection. Specifically, if tcp_wrappers detects that the remote host name does not map to its initial address, then it will attempt to log a message ("host name/address mismatch: %s != %.*s") and crash doing it. This makes binaries vulnerable to denial of service due to remote host (DNS) (mis)configuration.

This may only happen when HAVE_IPV6 is enabled. It's caused by a missing #include of <arpa/inet.h>: without the prototype, the compiler assumes inet_ntop returns int rather than char *, so the returned pointer is mishandled and the process dies with SIGSEGV.

Here is an imapd stack trace from a core dump after such a crash:

 fffffc7feefb5ab0 strlen () + 30
 fffffc7fef00cfd9 vsnprintf (fffffc7fffdfb67f, 4c1, fffffc7fffdfb230, fffffc7fffdfc000) + 79
 fffffc7feefef9ba vsyslog (3, fffffc7fffdfbba0, fffffc7fffdfc000) + 2ca
 fffffc7fcdbc9cba tcpd_diag.constprop.0 () + 6a
 fffffc7fcdbc9db6 tcpd_warn (fffffc7fcdbca248) + b6
 fffffc7fcdbc890a sock_hostname (fffffc7fffdfd180) + 22a
 fffffc7fcdbc7ee6 eval_hostname (fffffc7fffdfd180) + 46
 fffffc7fcdbc65e0 host_match (fffffc7fffdfc6e5, fffffc7fffdfd180) + 280
 fffffc7fcdbc606b list_match (fffffc7fffdfc6e4, fffffc7fffdfd070, fffffc7fcdbc6850) + 4b
 fffffc7fcdbc6252 table_match (fffffc7fcdbcab21, fffffc7fffdfd070) + 142
 fffffc7fcdbc69d0 hosts_access (fffffc7fffdfd070) + 60
 000000000044db6d main () + 9cd
 0000000000418e97 _start_crt () + 87
 0000000000418df8 _start () + 18

And here are the relevant lines in socket.c starting at line 220:

            /*
             * The host name does not map to the initial address. Perhaps
             * someone has messed up. Perhaps someone compromised a name
             * server.
             */
            tcpd_warn("host name/address mismatch: %s != %.*s",
#ifdef HAVE_IPV6
                      inet_ntop(SGFAM(sin), SGADDRP(sin), buf, sizeof(buf)),
#else
                      inet_ntoa(sin->sg_sin.sin_addr),
#endif
                      STRING_LENGTH, hp->h_name);
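
As an added illustration (not code from the PR or from tcp_wrappers) of why the missing prototype crashes on some targets and stays latent on others, the model below assumes the returned pointer is narrowed to its low 32 bits with the upper half zeroed, and uses constructed addresses in the ranges the trace above shows.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the defect: with <arpa/inet.h> missing, the compiler assumes
 * inet_ntop() returns int, so only the low 32 bits of the returned char *
 * reach the variadic tcpd_warn() -> vsnprintf() call. What the wider slot
 * holds above that is unspecified; zero, as a 32-bit register move leaves
 * on amd64, is the assumed case here. */

/* Low 32 bits of a pointer-sized value: what survives an int return slot. */
static uint64_t through_int_slot(uint64_t ptr)
{
    return ptr & UINT64_C(0xffffffff);
}

/* True when the pointer comes out intact, i.e. the bug stays latent. */
static bool survives_truncation(uint64_t ptr)
{
    return through_int_slot(ptr) == ptr;
}

/* True on LP64 targets, where an int cannot hold a char *. */
static bool int_narrower_than_pointer(void)
{
    return sizeof(int) < sizeof(char *);
}

int main(void)
{
    /* Constructed addresses: one in the stack range the PR's illumos amd64
     * trace shows (0xfffffc7fffdf....), one low like the _start frame. */
    const uint64_t samples[] = { UINT64_C(0xfffffc7fffdfb000),
                                 UINT64_C(0x0000000000418000) };
    size_t i;

    printf("int is %zu bytes, char * is %zu bytes: bug %s\n",
           sizeof(int), sizeof(char *),
           int_narrower_than_pointer() ? "can crash" : "stays latent");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = through_int_slot(samples[i]);
        printf("%#018" PRIx64 " -> %#018" PRIx64 " (%s)\n", samples[i], got,
               survives_truncation(samples[i]) ? "intact"
                                               : "mangled, %s would fault");
    }
    return 0;
}
```

On a 32-bit build int and char * are the same width, so the same source logs the warning correctly, which is why the defect surfaces as a platform-dependent crash rather than a build failure.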

Adding `#include <arpa/inet.h>` to socket.c cures the problem. I have attached a change that adds a new patch file for the package that fixes the problem. I have been running with this patch for about a day now, and the problem is completely solved. Indeed, the relevant message has been logged many times, such as:

2023-12-18T19:47:04-05:00 catbus imap[90607]: [ID 895039 local6.error] warning: /etc/hosts.allow, line 1: host name/address mismatch: 27.78.5.41 != localhost

In my patch, I have not wrapped the inclusion of <arpa/inet.h> in #ifdef HAVE_IPV6, because the header should be included for IPv4 functions such as inet_ntoa as well. I believe the header should always be included.

Note that the same problem has also been reported against Red Hat Linux: https://bugzilla.redhat.com/show_bug.cgi?id=977995
>How-To-Repeat:
Link a binary with libwrap and IPv6 support, and deploy it on the internet, with /etc/hosts.allow and /etc/hosts.deny set up. Sooner or later, depending on the nature of external traffic connecting to the service, the binary will crash with SIGSEGV. I have not boiled it down to a simpler test case, because it depends on the connecting host's DNS setup being incorrect.
>Fix:
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/tcp_wrappers/distinfo,v
retrieving revision 1.20
diff -u -u -r1.20 distinfo
--- distinfo    26 Oct 2021 11:18:04 -0000      1.20
+++ distinfo    19 Dec 2023 04:28:44 -0000
@@ -12,3 +12,4 @@
 SHA1 (patch-ai) = f5a675f8fd1cc7e4e735dc8a9804f1dcf8d276bc
 SHA1 (patch-aj) = 6332edd3e464d0f68bfa10dc6724346d0bc05f1f
 SHA1 (patch-fix_options.c) = ce49ff5b4b1e26eb7634e61fa33ad4697917fbcb
+SHA1 (patch-socket.c) = 717a600edae944779dba98ec72d9bbc7ccfa3644
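Review bot: the added `+SHA1 (patch-socket.c) = ...` line should be regenerated with `make makepatchsum` in the package directory rather than taken as submitted, since pkgsrc hashes a patch with its `$NetBSD$` keyword line excluded and the committer will re-run it once the keyword expands; a stale value makes `make patch` reject the patch with a checksum mismatch.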
Index: patches/patch-socket.c
===================================================================
RCS file: patches/patch-socket.c
diff -N patches/patch-socket.c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-socket.c      19 Dec 2023 04:28:44 -0000
@@ -0,0 +1,12 @@
+$NetBSD$
+
+--- socket.c.orig      2023-12-18 10:59:36.172842244 +0000
++++ socket.c
+@@ -29,6 +29,7 @@ static char sccsid[] = "@(#) socket.c 1.
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
++#include <arpa/inet.h>
+
+ extern char *inet_ntoa();
+
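Review bot: the new patch file is missing the explanatory comment pkgsrc expects between the `+$NetBSD$` line and the `+--- socket.c.orig` header: add a sentence stating that `<arpa/inet.h>` supplies the `inet_ntop()` prototype so its `char *` return is not treated as `int` (the cause of the SIGSEGV in this PR), and cite this PR and the Red Hat bug linked above as the upstream reference. Including the header unconditionally is the right call, since it also declares `inet_ntoa()`; that leaves the surviving `+ extern char *inet_ntoa();` line redundant but harmless.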
