Bug 1154 - segmentation fault with duplicate zones
segmentation fault with duplicate zones
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
unspecified
x86_64 Linux
: P5 normal
Assigned To: unbound team
: 1167 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-04 01:34 CET by akocmaruk
Modified: 2016-11-30 09:34 CET (History)
3 users (show)

See Also:


Attachments
patch that fixes the problem (724 bytes, text/plain)
2016-11-04 01:34 CET, akocmaruk
Details

Note You need to log in before you can comment on or make changes to this bug.
Description akocmaruk 2016-11-04 01:34:15 CET
Created attachment 363 [details]
patch that fixes the problem

Segmentation fault happens (and the server exits) on encountering duplicate static local zone configuration.

The root cause is the code around line 190 in localzone.c, where the local_zone_delete(z) also deallocates the nm string, which is subsequently used to find the existing zone with the same name (this all happens upon detecting a duplicate). I think that this kind of sequence may sometimes work and sometimes not.

unbound-checkconf also sagfaults at the same location, for such a configuration.

I'm attaching a potential patch for your review.

This problem was observed on the most recent trunk code.

Here's a minimized configuration that can be used to reproduce this problem.

----8<-------------------------
server:
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow
        define-tag: "spam"
        access-control-tag: 10.11.12.13/32  "spam"
        local-zone: "mostlyham.com" static
        local-zone: "mostlyham.com" static
        local-zone-tag: "mostlyham.com" "spam"
        access-control-tag-action: 10.11.12.13/32 spam refuse
        logfile: ""
        username: ""
---->8-------------------------
Comment 1 Wouter Wijngaards 2016-11-04 09:17:30 CET
Hi Akocmaruk,

Thank you for the report and a good bugfix!

I have a slightly different bugfix below, for portability, but it's the same thing.  I have applied the fix to the code repository.

Best regards, Wouter

Index: services/localzone.c
===================================================================
--- services/localzone.c	(revision 3919)
+++ services/localzone.c	(working copy)
@@ -186,13 +186,17 @@
 	lock_rw_wrlock(&zones->lock);
 	lock_rw_wrlock(&z->lock);
 	if(!rbtree_insert(&zones->ztree, &z->node)) {
+		local_zone* oldz;
 		log_warn("duplicate local-zone");
 		lock_rw_unlock(&z->lock);
-		local_zone_delete(z);
+		/* save zone name locally before deallocation,
+		 * otherwise, nm is gone if we zone_delete now. */
+		oldz = z;
 		/* find the correct zone, so not an error for duplicate */
 		z = local_zones_find(zones, nm, len, labs, c);
 		lock_rw_wrlock(&z->lock);
 		lock_rw_unlock(&zones->lock);
+		local_zone_delete(oldz);
 		return z;
 	}
 	lock_rw_unlock(&zones->lock);
Comment 2 Wouter Wijngaards 2016-11-30 09:34:54 CET
*** Bug 1167 has been marked as a duplicate of this bug. ***