When using libevent on the Windows platform in an IPv6 environment, I found that libevent could not read the DNS server address for IPv6 addresses during DNS initialization, resulting in constant DNS resolution failures. Then, on MSDN, I discovered that the GetNetworkParams interface does not support obtaining IPv6 addresses, and they provided another interface, GetAdaptersAddresses, to obtain both IPv4 and IPv6 addresses. Therefore, I replaced the GetNetworkParams interface with the GetAdaptersAddresses interface. Please review whether this modification can be merged into the master branch.
Reference MSDN documentation:
https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getnetworkparamshttps://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getadaptersaddresses
Co-authored-by: alphacheng <alphacheng@tencent.com>
Co-authored-by: Azat Khuzhin <azat@libevent.org>
Co-authored-by: Azat Khuzhin <a3at.mail@gmail.com>
When calling the user callback after a DNS resolution on error, make
sure to send back the query type (A, AAAA, PTR).
Closes#1219
Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Co-authored-by: Azat Khuzhin <azat@libevent.org>
No evdns will do caching by default (with respect to TTL), to disable this set EVDNS_BASE_NO_CACHE
There are also helpers for manually manage the cache:
- evdns_cache_write()
- evdns_cache_lookup()
Initial PR: #571Fixes: #1715
Co-authored-by: Greg Hazel <ghazel@gmail.com>
Co-authored-by: Keith Moore <kmoore@clostra.com>
I faced with strange problem: event loop doesn't exit after dns resolving with
`EVDNS_BASE_DISABLE_WHEN_INACTIVE`.
Stand:
- Ubuntu 22;
- libevent release-2.1.12-stable
- `resolve.conf` contains 2 nameservers;
- I use `evdns_base_new` with `EVDNS_BASE_DISABLE_WHEN_INACTIVE | EVDNS_BASE_INITIALIZE_NAMESERVERS` to avoid OS specific code.
After small investigation, look like events related with dns sockets added to
event_base before `evdns->disable_when_inactive` was initialized. `libevent`
did epoll_ctl(DEL) after resolving completed on the first socket, but the
second socket remained in the `epoll` interest list.
If resolv.conf has no nameservers, evdns_base_new can still succeed with
the default of using the name server from localhost matching the man
page documentation for resolv.conf.
the allocation of the struct deferred_reply_callback can fail. If that
happens a program waiting for a callback never gets a callback. The
program would asume that it either gets an error or a callback when e.g.
calling evdns_base_resolve_ipv6.
I did an analysis of the evdns.c code and concluded that struct
evdns_request would live until the callback is executed. Based on that
conclusion I removed the struct deferred_reply_callback and moved the
neccessary fields for data which should be copied from struct request
into struct evdns_request.
The fields evdns_callback_type user_callback and void *user_pointer are
moved into struct evdns_request as it is a more natural place for them
to live than struct request.
Previously evdns was using HOST_NAME_MAX, and define it to 255 *only* if
it not set, however it does set on linux:
$ egrep -r define.*HOST_NAME_MAX /usr/include/bits
/usr/include/bits/local_lim.h:#define HOST_NAME_MAX 64
/usr/include/bits/posix1_lim.h:#define _POSIX_HOST_NAME_MAX 255
/usr/include/bits/confname.h:#define _SC_HOST_NAME_MAX _SC_HOST_NAME_MAX
But 64 should be the limit of the host component, not for the whole
hostname, as also noted by @ploxiln
So use our own EVDNS_NAME_MAX const, which is set to 255.
Fixes: #1280
Add new flag (DNS_CNAME_CALLBACK) for
evdns_base_resolve_ipv4()/evdns_base_resolve_ipv6().
If set, you will get one more callback with type == DNS_CNAME and CNAME
in addrs argument.
I recently found that when the network status changed when calling
bufferevent_socket_connect_hostname (e.g. switching between several
WIFIs), all DNS servers would fail, and the timeout of probe would be
very long if there were many DNS requests. I want libevent to support
manual setting of MAX_PROBE_TIMEOUT and TIMEOUT_BACKOFF_FACTOR
So move hardcoded MAX_PROBE_TIMEOUT and TIMEOUT_BACKOFF_FACTOR into
struct, and allow changing them.
In case of OPT pseudo-RR `class` field is treated as a requestor's UDP
payload size, and class will have 512 (DNS_MAX_UDP_SIZE), and data is
NULL:
(gdb) p *item
$4 = {
next = 0x0,
name = 0x602000000130 "",
type = 41,
class = 512,
ttl = 0,
is_name = 0 '\000',
datalen = 0,
data = 0x0
}
And UBSAN will reports:
../evdns.c:2493:5: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x7ffff70b65bb in evdns_server_request_format_response ../evdns.c:2493
#1 0x7ffff70b706b in evdns_server_request_respond ../evdns.c:2529
#2 0x5555557975ab in regress_dns_server_cb ../test/regress_testutils.c:263
#3 0x7ffff70a8489 in request_parse ../evdns.c:1576
#4 0x7ffff70aa445 in server_udp_port_read ../evdns.c:1726
#5 0x7ffff70ac5cc in server_port_ready_callback ../evdns.c:1849
#6 0x7ffff6d3054c in event_persist_closure ../event.c:1645
#7 0x7ffff6d311cd in event_process_active_single_queue ../event.c:1704
#8 0x7ffff6d33258 in event_process_active ../event.c:1805
#9 0x7ffff6d361b5 in event_base_loop ../event.c:2047
#10 0x7ffff6d334ac in event_base_dispatch ../event.c:1839
#11 0x555555739df2 in test_edns ../test/regress_dns.c:2639
#12 0x5555557b9e96 in testcase_run_bare_ ../test/tinytest.c:173
#13 0x5555557ba8f0 in testcase_run_one ../test/tinytest.c:333
#14 0x5555557bc9a0 in tinytest_main ../test/tinytest.c:527
#15 0x555555787faa in main ../test/regress_main.c:528
#16 0x7ffff606c001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)
#17 0x55555569436d in _start (/src/le/libevent/.cmake-debug/bin/regress+0x14036d)
Added new option `edns-udp-size` for evdns_base which allows
to control maximum allowed size of UDP DNS messages. This
maximum size is passed to the DNS server via edns mechanism.
Fix undefined behaviour and application crash that might take
place in some rare cases after calling evdns_base_free when
there are requests in the waiting queue.
Current cleanup procedure in evdns_base_free_and_unlock
function includes 2 steps:
1. Finish all inflight requests.
2. Finish all waiting requests.
During the first step we iterate over each list in req_heads
structure and finish all requests in these lists. With current
logic finishing an inflight request (function request_finished)
removes it from the inflight requests container and forces
a wating connection to be sent (by calling
evdns_requests_pump_waiting_queue). When these new requests are
sent it is possible that they will be inserted to the list in
req_heads that we've already cleaned.
So in some cases container of the inflight requests is not empty
after this procedure and some requests are not finished and
deleted. When timeouts for these requests expire
evdns_request_timeout_callback is called but corresponding
evdns_base has been already deleted which causes undefined
behaviour and possible applicaton crash.
It is interesting to note that in old versions of libevent such
situation was not possible. This bug was introduced by the commit
14f84bbdc77d90b1d936076661443cdbf516c593. Before this commit
nameservers were deleted before finishing the requests. Therefore
it was not possible that requests from the waiting queue be sent
while we finish the inflight requests.
This will allow to customize SO_RCVBUF/SO_SNDBUF for nameservers in this
evdns_base, you may want to adjust them if the kernel starts dropping
udp packages.
Reported by µchex:
"In evdns.c, pointer server_req is null checked on line 1289 after it
is dereferenced above. Since server_req was already null checked above
on line 1243, there is no risk of crashing and the only bug is the
redundant null check (and indentation) on line 1289.
"
- DNS_OPTION_NAMESERVERS_NO_DEFAULT
Do not "default" nameserver (i.e. "127.0.0.1:53") if there is no nameservers
in resolv.conf, (iff DNS_OPTION_NAMESERVERS is set)
- EVDNS_BASE_NAMESERVERS_NO_DEFAULT
If EVDNS_BASE_INITIALIZE_NAMESERVERS isset, do not add default
nameserver if there are no nameservers in resolv.conf (just set
DNS_OPTION_NAMESERVERS_NO_DEFAULT internally)
Fixes: #569
Currently, we do a lot of data munging with manual hex. This is ugly
and can lead to bugs. I defined the following:
_QR_MASK 0x8000U
_OP_MASK 0x7800U
_AA_MASK 0x0400U
_TC_MASK 0x0200U
_RD_MASK 0x0100U
_RA_MASK 0x0080U
_Z_MASK 0x0040U
_AD_MASK 0x0020U
_CD_MASK 0x0010U
_RCODE_MASK 0x000fU
So that we can more easily twiddle flags.
v2: make evdns flag masks unsigned literal
Closes: #756 (cherry-picked)
Otherwise we will try to open NULL filename and got EFAULT and anyway
will got the same return code from evdns_base_resolv_conf_parse_impl()
Closes: #680 (cherry-picked)
evdns_getaddrinfo() starts two parallel requests for A and AAAA record.
But if request is created from thread different from dns_base's, request of A record is
started immediately and may result in calling free_getaddrinfo_request() from
evdns_getaddrinfo_gotresolve() because `other_req' doesn't exist yet.
After that, request of AAAA record starts and finishes, and evdns_getaddrinfo_gotresolve()
is called again for structure that is already freed.
This commits adds locking into evdns_getaddrinfo() function.
From #332:
Here follows a bug report by **Guido Vranken** via the _Tor bug bounty program_. Please credit Guido accordingly.
## Bug report
The DNS code of Libevent contains this rather obvious OOB read:
```c
static char *
search_make_new(const struct search_state *const state, int n, const char *const base_name) {
const size_t base_len = strlen(base_name);
const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
```
If the length of ```base_name``` is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.
To reproduce:
Build libevent with ASAN:
```
$ CFLAGS='-fomit-frame-pointer -fsanitize=address' ./configure && make -j4
```
Put the attached ```resolv.conf``` and ```poc.c``` in the source directory and then do:
```
$ gcc -fsanitize=address -fomit-frame-pointer poc.c .libs/libevent.a
$ ./a.out
=================================================================
==22201== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000efdf at pc 0x4429da bp 0x7ffe1ed47300 sp 0x7ffe1ed472f8
READ of size 1 at 0x60060000efdf thread T0
```
P.S. we can add a check earlier, but since this is very uncommon, I didn't add it.
Fixes: #332
http/cancel_by_host_no_ns:
OK ../test/regress_http.c:1384: assert(regress_dnsserver(data->base, &portnum, search_table))
OK ../test/regress_http.c:1387: assert(dns_base)
OK ../test/regress_http.c:1423: assert(evcon)
OK ../test/regress_http.c:1444: assert(evhttp_make_request(evcon, req, EVHTTP_REQ_GET, "/delay") != -1): 0 vs -1
OK ../test/regress_http.c:1455: assert(test_ok == 2): 2 vs 2
OK ../test/regress_http.c:1480: assert(evhttp_make_request(evcon, req, EVHTTP_REQ_GET, "/test") != -1): 0 vs -1[msg] Nameserver 127.0.0.1:55948 has failed: request timed out.
[msg] All nameservers have failed
OK ../test/regress_http.c:1274: assert(!req)
OK ../test/regress_http.c:1505: assert(evhttp_make_request(evcon, req, EVHTTP_REQ_GET, "/test") != -1): 0 vs -1
OK ../test/regress_http.c:1274: assert(!req)==19199== Invalid read of size 8
==19199== at 0x4CC285: evdns_cancel_request (evdns.c:2849)
==19199== by 0x4CEDB2: evdns_nameserver_free (evdns.c:4018)
==19199== by 0x4CEF5B: evdns_base_free_and_unlock (evdns.c:4052)
==19199== by 0x4CF13B: evdns_base_free (evdns.c:4088)
==19199== by 0x4617A3: http_cancel_test (regress_http.c:1518)
==19199== by 0x490A78: testcase_run_bare_ (tinytest.c:105)
==19199== by 0x490D5A: testcase_run_one (tinytest.c:252)
==19199== by 0x491699: tinytest_main (tinytest.c:434)
==19199== by 0x47E0E0: main (regress_main.c:461)
==19199== Address 0x61e56d0 is 0 bytes inside a block of size 48 free'd
==19199== at 0x4C2AE6B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19199== by 0x4AAFFF: event_mm_free_ (event.c:3516)
==19199== by 0x4C5ADD: request_finished (evdns.c:693)
==19199== by 0x4CEE95: evdns_base_free_and_unlock (evdns.c:4040)
==19199== by 0x4CF13B: evdns_base_free (evdns.c:4088)
==19199== by 0x4617A3: http_cancel_test (regress_http.c:1518)
==19199== by 0x490A78: testcase_run_bare_ (tinytest.c:105)
==19199== by 0x490D5A: testcase_run_one (tinytest.c:252)
==19199== by 0x491699: tinytest_main (tinytest.c:434)
==19199== by 0x47E0E0: main (regress_main.c:461)
==19199== Block was alloc'd at
==19199== at 0x4C2BBD5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19199== by 0x4AAEB2: event_mm_calloc_ (event.c:3459)
==19199== by 0x4CAAA2: nameserver_send_probe (evdns.c:2327)
==19199== by 0x4C50FF: nameserver_prod_callback (evdns.c:494)
==19199== by 0x4A564C: event_process_active_single_queue (event.c:1646)
==19199== by 0x4A5B95: event_process_active (event.c:1738)
==19199== by 0x4A6296: event_base_loop (event.c:1961)
==19199== by 0x4A5C1D: event_base_dispatch (event.c:1772)
==19199== by 0x46172C: http_cancel_test (regress_http.c:1507)
==19199== by 0x490A78: testcase_run_bare_ (tinytest.c:105)
==19199== by 0x490D5A: testcase_run_one (tinytest.c:252)
==19199== by 0x491699: tinytest_main (tinytest.c:434)
==19199==
@asn-the-goblin-slayer:
"the name_parse() function in libevent's DNS code is vulnerable to a buffer overread.
971 if (cp != name_out) {
972 if (cp + 1 >= end) return -1;
973 *cp++ = '.';
974 }
975 if (cp + label_len >= end) return -1;
976 memcpy(cp, packet + j, label_len);
977 cp += label_len;
978 j += label_len;
No check is made against length before the memcpy occurs.
This was found through the Tor bug bounty program and the discovery should be credited to 'Guido Vranken'."
Reproducer for gdb (https://gist.github.com/azat/e4fcf540e9b89ab86d02):
set $PROT_NONE=0x0
set $PROT_READ=0x1
set $PROT_WRITE=0x2
set $MAP_ANONYMOUS=0x20
set $MAP_SHARED=0x01
set $MAP_FIXED=0x10
set $MAP_32BIT=0x40
start
set $length=202
# overread
set $length=2
# allocate with mmap to have a seg fault on page boundary
set $l=(1<<20)*2
p mmap(0, $l, $PROT_READ|$PROT_WRITE, $MAP_ANONYMOUS|$MAP_SHARED|$MAP_32BIT, -1, 0)
set $packet=(char *)$1+$l-$length
# hack the packet
set $packet[0]=63
set $packet[1]='/'
p malloc(sizeof(int))
set $idx=(int *)$2
set $idx[0]=0
set $name_out_len=202
p malloc($name_out_len)
set $name_out=$3
# have WRITE only mapping to fail on read
set $end=$1+$l
p (void *)mmap($end, 1<<12, $PROT_NONE, $MAP_ANONYMOUS|$MAP_SHARED|$MAP_FIXED|$MAP_32BIT, -1, 0)
set $m=$4
p name_parse($packet, $length, $idx, $name_out, $name_out_len)
x/2s (char *)$name_out
Before this patch:
$ gdb -ex 'source gdb' dns-example
$1 = 1073741824
$2 = (void *) 0x633010
$3 = (void *) 0x633030
$4 = (void *) 0x40200000
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at memcpy-sse2-unaligned.S:33
After this patch:
$ gdb -ex 'source gdb' dns-example
$1 = 1073741824
$2 = (void *) 0x633010
$3 = (void *) 0x633030
$4 = (void *) 0x40200000
$5 = -1
0x633030: "/"
0x633032: ""
(gdb) p $m
$6 = (void *) 0x40200000
(gdb) p $1
$7 = 1073741824
(gdb) p/x $1
$8 = 0x40000000
(gdb) quit
P.S. plus drop one condition duplicate.
Fixes: #317
If you call evdns_base_free() with @fail_requests == 1, then it will defer
callback with DNS_ERR_SHUTDOWN, but that callback (internal) uses
data->evdns_base, but we already freed that evdns base, so we can't do
this, fix this by checking @result to DNS_ERR_SHUTDOWN.
Fixes: regress dns/client_fail_requests_getaddrinfo
Fixes: #269
Otherwise we will trigger next UAF:
$ valgrind --vgdb-error=1 regress --no-fork +dns/client_fail_requests
==24733== Memcheck, a memory error detector
==24733== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24733== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24733== Command: regress --no-fork +dns/client_fail_requests
==24733==
==24733==
==24733== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==24733== /path/to/gdb regress
==24733== and then give GDB the following command
==24733== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=24733
==24733== --pid is optional if only one valgrind process is running
==24733==
dns/client_fail_requests: ==24733== Invalid read of size 4
==24733== at 0x4C3352: request_finished (evdns.c:662)
==24733== by 0x4CC8B7: evdns_base_free_and_unlock (evdns.c:4048)
==24733== by 0x4CCAFD: evdns_base_free (evdns.c:4088)
==24733== by 0x458E95: dns_client_fail_requests_test (regress_dns.c:2039)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733== Address 0x61e6f70 is 448 bytes inside a block of size 456 free'd
==24733== at 0x4C29EAB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733== by 0x4A8F4D: event_mm_free_ (event.c:3512)
==24733== by 0x4CC7A1: evdns_nameserver_free (evdns.c:4021)
==24733== by 0x4CC7DC: evdns_base_free_and_unlock (evdns.c:4037)
==24733== by 0x4CCAFD: evdns_base_free (evdns.c:4088)
==24733== by 0x458E95: dns_client_fail_requests_test (regress_dns.c:2039)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733== Block was alloc'd at
==24733== at 0x4C28C4F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733== by 0x4A8D5A: event_mm_malloc_ (event.c:3437)
==24733== by 0x4C8B96: evdns_nameserver_add_impl_ (evdns.c:2505)
==24733== by 0x4C916D: evdns_base_nameserver_ip_add (evdns.c:2629)
==24733== by 0x458DA3: dns_client_fail_requests_test (regress_dns.c:2031)
==24733== by 0x48EA5D: testcase_run_bare_ (tinytest.c:105)
==24733== by 0x48ED3F: testcase_run_one (tinytest.c:252)
==24733== by 0x48F67E: tinytest_main (tinytest.c:434)
==24733== by 0x47C0DA: main (regress_main.c:461)
==24733==
==24733== (action on error) vgdb me ...
Fixes: regress dns/client_fail_requests
Fixes: #269
