Maintained by: NLnet Labs

[Unbound-users] questions about mesh_make_new_space() function

W.C.A. Wijngaards
Mon Oct 24 16:05:20 CEST 2011


Hi Matthew,

Thank you for the analysis of the code.  There is a fix in svn r2523; it
makes a backup of the query before the delete in make_new_space().

Best regards, Wouter

On 10/20/2011 09:50 AM, Matthew Lee wrote:
> Hi,
> 
> I don't know if it's appropriate to discuss specific code here, but
> mesh_make_new_space() may be at risk under particular conditions.
> 
> When the mesh_state queue is full and a new query comes in, one mesh_state
> will be kicked out, which happens in the mesh_make_new_space() function,
> which calls the mesh_state_delete() function. mesh_state_delete() will
> eventually call iter_clear(), and iter_clear() will delete the outnet query
> of this mesh_state, which is in the function serviced_delete().
> 
> serviced_delete() calls outnet_send_wait_udp(), which will re-send some
> queries that failed to be sent out last time, in this code:
> outnet_send_wait_udp(struct outside_network* outnet)
> {
>     ...
>     if(!randomize_and_send_udp(outnet, pend, outnet->udp_buff,
>         pend->timeout)) {
>         /* callback error on pending */
>         fptr_ok(fptr_whitelist_pending_udp(pend->cb));
>         (void)(*pend->cb)(outnet->unused_fds->cp, pend->cb_arg,
>             NETEVENT_CLOSED, NULL);
>         pending_delete(outnet, pend);
>     }
> }
> 
> If randomize_and_send_udp() fails again, then pend->cb() will be called
> and will eventually go to the mesh_run() function, and in the iterator module
> it probably returns SERVFAIL immediately while it still takes control of the
> thread, maybe like this code in processQueryTargets():
> if(!target) {
>     if(iq->num_target_queries==0 && iq->num_current_queries==0) {
>         if(delegpt_count_missing_targets(iq->dp) > 0) {
>             int qs = 0;
>             verbose(VERB_ALGO, "querying for next "
>                 "missing target");
>             if(!query_for_targets(qstate, iq, ie, id,
>                 1, &qs)) {
>                 return error_response(qstate, id,
>                     LDNS_RCODE_SERVFAIL);
> 
> or this in processQueryTargets():
> if(iq->num_target_queries == 0) {
>     return processLastResort(qstate, iq, ie, id);
> }
> 
> Then error_response() uses c->buffer to send the packet, and the buffer is
> used by the new query at the same time. After mesh_state_delete(), the new
> query's qname will point to the wrong packet, but qname_len is right.
> 
> I'd say it's not that easy for this to happen in an online environment, but
> it is still possible with a small probability.

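
A minimal C model of the hazard discussed in this thread, added here as an illustration and not taken from Unbound or from svn r2523: a new query's name aliases a shared buffer, eviction re-enters a callback that rewrites that buffer, and copying the name before the eviction keeps it intact. All names (shared_buf, error_reply_cb, evict_oldest, admit_unsafe, admit_safe, run) and the sample wire-format names are constructed for the example.

```c
/* Simplified model of the aliasing problem; hypothetical names, not Unbound code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static unsigned char shared_buf[64];   /* stands in for the shared packet buffer */
struct query { const unsigned char *qname; size_t qname_len; };

/* Models the error path reached during teardown: it builds a reply for the
 * evicted query in the same shared buffer (constructed name victim1.net). */
static void error_reply_cb(void) {
    memcpy(shared_buf, "\007victim1\003net", 13);
}

/* Models evicting the oldest state; teardown re-enters a callback. */
static void evict_oldest(void) { error_reply_cb(); }

/* Before the fix: qname still points into shared_buf across the eviction. */
static int admit_unsafe(struct query *q, const unsigned char *expect) {
    evict_oldest();
    return memcmp(q->qname, expect, q->qname_len) == 0; /* 0 = name clobbered */
}

/* After the fix: back up the name before the eviction can touch the buffer. */
static int admit_safe(struct query *q, const unsigned char *expect) {
    unsigned char *backup = malloc(q->qname_len);
    int ok;
    if(!backup) return -1;
    memcpy(backup, q->qname, q->qname_len);
    q->qname = backup;
    evict_oldest();
    ok = memcmp(q->qname, expect, q->qname_len) == 0;
    free(backup);
    q->qname = NULL;
    return ok;
}

/* Place a constructed query name (example.com) in shared_buf, then admit it.
 * Returns 1 if the name survived the eviction, 0 if it was overwritten. */
static int run(int safe) {
    static const unsigned char name[] = "\007example\003com";
    struct query q = { shared_buf, sizeof(name) };
    memcpy(shared_buf, name, sizeof(name));
    return safe ? admit_safe(&q, name) : admit_unsafe(&q, name);
}

int main(void) {
    printf("unsafe intact=%d, safe intact=%d\n", run(0), run(1));
    return 0;
}
```

In the unsafe path the length stays correct while the bytes behind the pointer change, which matches the "qname will point to wrong packet, but qname_len is right" symptom described in the quoted report.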