RFC6761 6.3 states:
The domain "localhost." and any names falling within ".localhost."
We were only honoring "localhost".
Fixes: #477
Fix By: Brad House (@bradh352)
As per #487, documentation states the port should be in network byte
order, but we can see from the test cases using MockServers on
different ports that this is not the case, it is definitely in host
byte order.
Fix By: Brad House (@bradh352)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes#496
Fix By: @hopper-vul
Recent ASAN versions picked up that acountry was passing stack
variables to ares_gethostbyname() then leaving the stack context.
We will now allocate a buffer for this.
Fix By: Brad House (@bradh352)
To make them render "nicer" in both terminals and on the website.
- Removes the bold
- Removes .PP lines
- Indents them more like proper code style
Fix By: Daniel Stenberg (@bagder)
* add ares_strsplit unit test
The test reveals a bug in the implementation of ares_strsplit when the
make_set parameter is set to 1, as distinct domains are confused for
equal:
out = ares_strsplit("example.com, example.co", ", ", 1, &n);
evaluates to n = 1 with out = { "example.com" }.
* bugfix and cleanup of ares_strsplit
The purpose of ares_strsplit in c-ares is to split a comma-delimited
string of unique (up to letter case) domains. However, because the
terminating NUL byte was not checked in the substrings when comparing
for uniqueness, the function would sometimes drop domains it should
not. For example,
ares_strsplit("example.com, example.co", ",")
would only result in a single domain "example.com".
Aside from this bugfix, the following cleanup is performed:
1. The tokenization now happens with the help of strcspn instead of the
custom function is_delim.
2. The function list_contains has been inlined.
3. The interface of ares_strsplit has been simplified by removing the
parameter make_set since in practice it was always 1.
4. There are fewer passes over the input string.
5. We resize the table using realloc() down to its minimum size.
6. The docstring of ares_strsplit is updated and also a couple typos
are fixed.
There occurs a single use of ares_strsplit and since the make_set
parameter has been removed, the call in ares_init.c is modified
accordingly. The unit test for ares_strsplit is also updated.
Fix By: Nikolaos Chatzikonstantinou (@createyourpersonalaccount)
Options `-we ###` and `-wd ###` should not include a whitespace. They are also deprecated and `-diag-error` and `-diag-disable` are their replacements.
Intel compiler 2021.6 is not able to be used in configure without the proposed patch.
Fix By: Stephen Sachs (@stephenmsachs)
On Apple platforms, libresolv reports the total timeout in retrans, not the per-query time. This patch undoes that math to get the per-query time, which is what c-ares expects. This is not perfect because libresolv is inconsistent on whether the timeout is multiplied by retry or retry+1, but I don't see any way to distinguish these cases.
Fix By: Marc Aldorasi (@marc-groundctl)
The static library should not contain version info, since it would be linked into an executable or dll with its own version info.
Fix By: @marc-groundctl
The conversion of numeric IPv4 addresses in fake_addrinfo() is broken when
the family is AF_UNSPEC. The initial call to ares_inet_pton with AF_INET
will succeed, but the subsequent call using AF_INET6 will fail. This results
in the fake_addrinfo() fast path failing, and ares_getaddrinfo() making a
query when none should be required.
Resolve this by only attempting the call to ares_inet_pton with AF_INET6
if the initial call with AF_INET was unsuccessful.
Fix By: Ridge Kennedy (@ridgek)
User projects may call 'find_package(c-ares)' multiple times (e.g.
via dependencies), but targets must be created only once.
Shared and static target must be treated independently.
Fix By: Kai Pastor (@dg0yt)
When using ares_getaddrinfo() with PF_UNSPEC, if a DNS server returned
good data on an A record, followed by bad data on an AAAA record, the
good record would be thrown away and an error returned.
If we got a good response from one of the two queries, regardless of
the order returned, we should honor that.
Fix By: Dmitry Karpov (dkarpov@roku.com)
Signed Off By: Brad House (@bradh352)
There is no autoconf macro called STDC_HEADERS. AC_HEADER_STDC however does
exist and it defines the STDC_HEADERS macro for use.
Not clear that STDC_HEADERS from its use in the repo is needed but
would rather not meddle with it for now.
Fixes an annoying warning on `./configure`:
```
/var/tmp/portage/net-dns/c-ares-1.18.1/work/c-ares-1.18.1/configure: 24546: STDC_HEADERS: not found
```
Signed-off-by: Sam James <sam@gentoo.org>
Since localhost is special-cased, any errors should be ignored when
reading /etc/hosts as otherwise we could return an error if there
were for instance an invalidly formatted /etc/hosts or if /etc/hosts
had a permissions error while reading.
This exact behavior appears to have been seen on OS/400 PASE
environments which allows AIX binares to run.
Fix By: Brad House (@bradh352)
There was a lot of windows initialization code specific to the era that predates Windows Vista such as reading DNS configuration from the registry, and dynamically loading libraries to get access to functions that didn't exist in XP or earlier releases.
Vista was released in January 2007, and was EOL'd in 2017, and support for Vista is still maintained with this patch set.
XP was EOL'd in Apr 8 2014.
I believe the last OS based on something earlier than Vista was POSReady 2009, as it was XP based for some reason, and that was EOL'd in January 2019. Considering any POS system falls under the PCI-DSS rules, they aren't allow to run POSReady 2009 any more so there is no reason to try to continue supporting such systems.
We have also targeted with our build system Vista support for the last few years, and while developers could change the target, we haven't had any reports that they have.
When an /etc/hosts lookup is performed, but fails with ENOTFOUND, and
a valid RFC6761 Section 6.3 fallback is performed, it could overwrite
variables that were already set and therefore leave the pointers
dangling, never to be cleaned up.
Clean up explicitly on ENOTFOUND when returning from the file parser.
Fixes: #439
Fix By: Brad House (@bradh352)
When determining value for CPACK_PACKAGE_ARCHITECTURE, prefer to use
value from CMAKE_SYSTEM_PROCESSOR before falling back to uname output.
Additionally, if building from a Windows host, emit a fatal error
instead of attempting to call uname.
Fix By: Bobby Reynolds (@reynoldsbd)
bradh352
hopper-vul
Daniel Stenberg
Nikolaos Chatzikonstantinou
Stephen Sachs
Jonathan Ringer
Thomas Dreibholz
bsergean
Brad Spencer
lifenjoiner
Frank
marc-groundctl
Ridge Kennedy
Manish Mehra
Kai Pastor
Sam James
Bobby Reynolds