From patchwork Thu Apr 30 10:51:58 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 134252
X-Patchwork-Delegate: carlos@redhat.com
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from vm01.sourceware.org (localhost [127.0.0.1])
	by sourceware.org (Postfix) with ESMTP id 79D234BA23D4
	for <patchwork@sourceware.org>; Thu, 30 Apr 2026 10:52:38 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 79D234BA23D4
Authentication-Results: sourceware.org;
	dkim=pass (1024-bit key,
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=YCGFr+bW
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by sourceware.org (Postfix) with ESMTP id 9A5BD436F7FD
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:03 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 9A5BD436F7FD
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none)
 header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 9A5BD436F7FD
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546323; cv=none;
 b=Yef3LXf6Wnb7Vpt5KUDnHTvZA0eVF2brHx9MN5hehhidOH+EmOaqAAJt72L6vNFZT7ju5B/o7om1A/gI7uGtcQI9vqf8fYqKwWeTk/SlWLnwE+rZ49YPFe8duRWeXq6GrtquqZH+Lseru1VB7pM3GoN2et7i8X5rMD+bc/CfUZA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1777546323; c=relaxed/simple;
 bh=JjWvppBx6PSx15cVvyDa3r366/EpfWW1tWU8xc3bpKs=;
 h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;
 b=ACOFK86VEWBECbus/0PDN4118kbfgteQDMjcwM+l3jCNdKVpoYEOYalqaJKXiA+g4RDiKCMbIp7liZMU0DsmdDPVakSPH0JXGQ0N/rgW8loE8E5ckwLXwS94vvY8ZMBJ/G37fJKHX5BELx456HlQ2eDfwYIJR+fY7r6oI9oQO8s=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9A5BD436F7FD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1777546323;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=mN64txNhqZPugORMmqrnPjd2KPkU4pSpmLEDoAQJgDE=;
 b=YCGFr+bW2fPuk/+c4pwHYsk1NsYNSjTIb3yRaKwOlIKgRq7Bqb+BsVvHze/JH6MnARfHHW
 KmiJw8hhEMJj60g82QuWXMhEczMY0/KlMShfAbVN/pKKonx78T7l94BEnRqFnMiMchoyIC
 fR91fcXyBZocGVH0fbTqtTq1JOL6vLI=
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-488-xZpkl2fnPfixqCqJ1oQNJg-1; Thu,
 30 Apr 2026 06:52:02 -0400
X-MC-Unique: xZpkl2fnPfixqCqJ1oQNJg-1
X-Mimecast-MFC-AGG-ID: xZpkl2fnPfixqCqJ1oQNJg_1777546321
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 325121800350
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:01 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])
 by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id 7BAFA300019F
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:00 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH 1/5] Update GLIBC-SA-2026-0012 to mention A6 records
In-Reply-To: <cover.1777546194.git.fweimer@redhat.com>
Message-ID: 
 <3a2b6ed629ccc8bf33644220d58fe3bfc94da09f.1777546194.git.fweimer@redhat.com>
References: <cover.1777546194.git.fweimer@redhat.com>
X-From-Line: 3a2b6ed629ccc8bf33644220d58fe3bfc94da09f Mon Sep 17 00:00:00 2001
Date: Thu, 30 Apr 2026 12:51:58 +0200
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: PTp5OC-p7altvGb8NUxIrBvQbfThJi0UDgr1X4ez5P4_1777546321
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,
 SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org

It turns out there is a missing inner length check in it, too.

Also fix the vulnerable commit.  It predates the glibc 2.0 release
because the old stream-based formatting code in resolv/res_debug.c had
the same bug in its LOC handling.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---
 advisories/GLIBC-SA-2026-0012 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/advisories/GLIBC-SA-2026-0012 b/advisories/GLIBC-SA-2026-0012
index 6f8f00ddd7..926ca16102 100644
--- a/advisories/GLIBC-SA-2026-0012
+++ b/advisories/GLIBC-SA-2026-0012
@@ -2,7 +2,7 @@ Buffer overread in ns_printrrf with corrupted RDATA field
 
 The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the
 GNU C Library version 2.2 and newer fail to validate the RDATA content
-against the RDATA length in a DNS response when processing LOC, CERT,
+against the RDATA length in a DNS response when processing A6, CERT, LOC,
 TKEY or TSIG records, which may allow an attacker to craft a DNS
 response, causing a target application to crash or read uninitialized
 memory.
@@ -15,4 +15,4 @@ interfaces since they may be removed in future versions.
 
 CVE-Id: CVE-2026-6238
 Public-Date: 2026-04-11
-Vulnerable-Commit: b43b13ac2544b11f35be301d1589b51a8473e32b (2.2)
+Vulnerable-Commit: ee188d555b8c32ad9704a7440cab400af967292f (1.90)

From patchwork Thu Apr 30 10:52:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 134254
X-Patchwork-Delegate: carlos@redhat.com
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from vm01.sourceware.org (localhost [127.0.0.1])
	by sourceware.org (Postfix) with ESMTP id 20C824BA79A6
	for <patchwork@sourceware.org>; Thu, 30 Apr 2026 10:54:19 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 20C824BA79A6
Authentication-Results: sourceware.org;
	dkim=pass (1024-bit key,
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=N0RUtAAg
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by sourceware.org (Postfix) with ESMTP id 917C5436F7EF
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:08 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 917C5436F7EF
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none)
 header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 917C5436F7EF
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546328; cv=none;
 b=FdHwhjQ5mz/bcyIZWNosBMw+H6/8XBTXbYKD6lcwzz9aiWbHAkbJxj2L11KglnjgdbTvfHzwhRnXHliwULIRz3OoUJGMqS0V5LwVr3h9XifrIX26pfEJ0q0b6ROlsA2/+dAzowozUMAvtqVUxijbVwE1iUtdNnoKTD9nX1diH4s=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1777546328; c=relaxed/simple;
 bh=wjk/nEc4TJWroMTOR/qaFDwloBD8v8vuuiN7aCviLNU=;
 h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;
 b=i/KOJB07fHbcg7Bu+Y6B5s3ws3/auotPKgjahKv19v2TM/pG82BAleRP6IcY7cv5nkHkAs8/80lxIqPJepjVqkRcctaff6w1FVdymRhI0xEvlRawlPWxb4eY5gN6LBlbMvV39krsacin7v22Mwn3SvyWlq9MV0+NaqlLQRaP280=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 917C5436F7EF
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1777546328;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=lHWtMpvWjCDIPI01DojkTCNfZY7uGetdZ17gjLoRjfw=;
 b=N0RUtAAgZHUlO5J5tL9HeN4Wj/0GEsis8VaLz6vHwQBb7cE3luOqnakcTmCiwvXzG/NhGV
 bXQnrY3PfnqrlMMp5OS5RIEyFeqZVKBhCRKm2UIZWg8WGRTo7oSN9xLbAIFn1PRQ1x5WhO
 +a5jCWKGeHSqgEB8dDq9Z7QPksk4Jg4=
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-91-MlLrzIKQOIqbRP4adC5I-Q-1; Thu,
 30 Apr 2026 06:52:07 -0400
X-MC-Unique: MlLrzIKQOIqbRP4adC5I-Q-1
X-Mimecast-MFC-AGG-ID: MlLrzIKQOIqbRP4adC5I-Q_1777546326
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 35BBB195609E
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:06 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])
 by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id 8019D19560AB
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:04 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH 2/5] resolv: Check for inet_ntop failure in ns_sprintrrf
In-Reply-To: <cover.1777546194.git.fweimer@redhat.com>
Message-ID: 
 <fd53342fd0764dc033664d47f1e0e391cebfbbe5.1777546194.git.fweimer@redhat.com>
References: <cover.1777546194.git.fweimer@redhat.com>
X-From-Line: fd53342fd0764dc033664d47f1e0e391cebfbbe5 Mon Sep 17 00:00:00 2001
Date: Thu, 30 Apr 2026 12:52:02 +0200
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: U0DuafxFxyjkhnuCXtq9anngMPakwpvfSq8zmSwItbY_1777546326
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-9.2 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, RCVD_IN_SBL_CSS,
 SPF_HELO_PASS, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org

This makes the output more consistent (either failure or complete
output) and helps with systematic testing with varying buffer
sizes.
---
 resolv/ns_print.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index cef2212fd2..5701e3d0c5 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -141,7 +141,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 	case ns_t_a:
 	  if (rdlen != (size_t)NS_INADDRSZ)
 			goto formerr;
-		(void) inet_ntop(AF_INET, rdata, buf, buflen);
+		if (inet_ntop (AF_INET, rdata, buf, buflen) == NULL)
+		  return -1;
 		addlen(strlen(buf), &buf, &buflen);
 		break;
 
@@ -308,10 +309,11 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 
 	case ns_t_aaaa:
 	  if (rdlen != (size_t)NS_IN6ADDRSZ)
-			goto formerr;
-		(void) inet_ntop(AF_INET6, rdata, buf, buflen);
-		addlen(strlen(buf), &buf, &buflen);
-		break;
+	    goto formerr;
+	  if (inet_ntop (AF_INET6, rdata, buf, buflen) == NULL)
+	    return -1;
+	  addlen(strlen(buf), &buf, &buflen);
+	  break;
 
 	case ns_t_loc: {
 		char t[255];
@@ -400,7 +402,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 			goto formerr;
 
 		/* Address. */
-		(void) inet_ntop(AF_INET, rdata, buf, buflen);
+		if (inet_ntop (AF_INET, rdata, buf, buflen) == NULL)
+		  return -1;
 		addlen(strlen(buf), &buf, &buflen);
 		rdata += NS_INADDRSZ;
 
@@ -542,7 +545,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 			if (rdata + pbyte >= edata) goto formerr;
 			memset(&a, 0, sizeof(a));
 			memcpy(&a.s6_addr[pbyte], rdata, sizeof(a) - pbyte);
-			(void) inet_ntop(AF_INET6, &a, buf, buflen);
+			if (inet_ntop (AF_INET6, &a, buf, buflen) == NULL)
+			  return -1;
 			addlen(strlen(buf), &buf, &buflen);
 			rdata += sizeof(a) - pbyte;
 		}

From patchwork Thu Apr 30 10:52:07 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 134255
X-Patchwork-Delegate: carlos@redhat.com
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from vm01.sourceware.org (localhost [127.0.0.1])
	by sourceware.org (Postfix) with ESMTP id 3BD98436F7C9
	for <patchwork@sourceware.org>; Thu, 30 Apr 2026 10:54:27 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 3BD98436F7C9
Authentication-Results: sourceware.org;
	dkim=pass (1024-bit key,
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=IXcBoymu
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by sourceware.org (Postfix) with ESMTP id 17165436A040
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:14 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 17165436A040
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none)
 header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 17165436A040
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546334; cv=none;
 b=jzHXsHXIu1ANwHBuM+m3fbScOixsV62TRKgluaXtANy//OqZIMhcLgCc2mo63SOWa7ep8wnXtf2zv0s1eayLgdu6HTpB1q+Azu8VgTiDargFc3LZc7TWYycxRpoUrWFqTFTxoyZ6O3wZ8CWw2sM3hcIDqDa5oardmz8TVPmboys=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1777546334; c=relaxed/simple;
 bh=MfD0YgrsiTgiCMaFVr5ALQsOVneqEWomA6Od+P6OrmY=;
 h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;
 b=tYbGXh+1ET1nxv9cabnP5fBhAKnisaIw+7xibrYdQtAKvivnnx1P89lHYUrDf4LY7pKzYxj4x+ybj5GpWzNMRp/bR/BAyOwPDCgeN90YoHtDquLp9cy3MZAlX3Ak1qAU4Sg9uiH6wf4IhtvShk5gfwKhYo997MF11IPNZyYp8w4=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 17165436A040
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1777546333;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=osqW8S54gu9Ps0zn+VcjzrzAXHKL6AsNTsvpdMo6e0w=;
 b=IXcBoymueszBOux7QTKeWBgCnHyvnJEE958AyRCkS/HSp5s6aVjfr7WqUh+jdAXROHtwP4
 19QAcsdxpPe4+rzOWYDheJ+jILHwpCH4whFBhFMscRHAmJ5dgL0MunB9br+f2MzdaTXYqo
 g35a1mbbmxB5J1BLecbpS6YvL4qUsTE=
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-680-0aeMmJ_2NR-QWAQbI5r7CQ-1; Thu,
 30 Apr 2026 06:52:12 -0400
X-MC-Unique: 0aeMmJ_2NR-QWAQbI5r7CQ-1
X-Mimecast-MFC-AGG-ID: 0aeMmJ_2NR-QWAQbI5r7CQ_1777546331
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 7D4C71800347
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:11 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])
 by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id C633519560A6
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:10 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH 3/5] resolv: Remove incorrect parts of TSIG handling from
 ns_sprintrrf (CVE-2026-5435)
In-Reply-To: <cover.1777546194.git.fweimer@redhat.com>
Message-ID: 
 <1bc94ca3ff4a1aafd1b6c4877d894e9bb1960808.1777546194.git.fweimer@redhat.com>
References: <cover.1777546194.git.fweimer@redhat.com>
X-From-Line: 1bc94ca3ff4a1aafd1b6c4877d894e9bb1960808 Mon Sep 17 00:00:00 2001
Date: Thu, 30 Apr 2026 12:52:07 +0200
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: oe47CQ1UbhJ06U6cjEfUOMhC2X3C1o_lK9ZIJJnHjRM_1777546331
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,
 SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org

TSIG handling was incomplete before.  Given that this is an obsolete
interface, it does not seem worthwhile to complete the implementation.

This fixes bug 34033.
---
 resolv/ns_print.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index 5701e3d0c5..9c9e810781 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -513,17 +513,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 
 	case ns_t_tsig: {
 		/* BEW - need to complete this */
-		int n;
-
 		T(len = addname(msg, msglen, &rdata, origin, &buf, &buflen));
-		T(addstr(" ", 1, &buf, &buflen));
-		rdata += 8; /*%< time */
-		n = ns_get16(rdata); rdata += INT16SZ;
-		rdata += n; /*%< sig */
-		n = ns_get16(rdata); rdata += INT16SZ; /*%< original id */
-		sprintf(buf, "%d", ns_get16(rdata));
-		rdata += INT16SZ;
-		addlen(strlen(buf), &buf, &buflen);
 		break;
 	    }
 

From patchwork Thu Apr 30 10:52:13 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 134253
X-Patchwork-Delegate: carlos@redhat.com
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from vm01.sourceware.org (localhost [127.0.0.1])
	by sourceware.org (Postfix) with ESMTP id 45977436F7D8
	for <patchwork@sourceware.org>; Thu, 30 Apr 2026 10:53:19 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 45977436F7D8
Authentication-Results: sourceware.org;
	dkim=pass (1024-bit key,
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=ZYp0ZhiL
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by sourceware.org (Postfix) with ESMTP id A70A7436A048
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:18 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org A70A7436A048
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none)
 header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org A70A7436A048
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546338; cv=none;
 b=oDA9ESR2zS1+eXuwfF5tKHCyaGrv1+O95EIV9f/3bEEKzQyQEKmaBEhTgGRtUkj8SXT3McABVmZBHHvclmr1GLpU6vOYs9g6E9u+FVHiKcjNzA6zkqy0PJCtss9R3bd8l9kFfG7b86+iUAFFvuwhP577bSD4bZwykIdzXUkgBvs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1777546338; c=relaxed/simple;
 bh=9NdODDF22sz+9cmlqPVuSR4Av6bh2QLNwtOmGMjoAe8=;
 h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;
 b=BBGEySXhYTXPkmtoq1HucLJ8MoHCTOxqKcI4R/UjJUybeLQcMy27xRvNJ93DWXN+ImnFSskHEqXh6Q9Rs0I0w3D4bmIY0GPoGExCtKA91fz9ZuddSSqyYjeKrF/MQ1pze8f0FTm3EaNHyOTxmvzgpTYsHCHkj71ApRUXkK5iNLA=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A70A7436A048
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1777546338;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=/0YrkT9nb8dwLsOX6XkuWkYM1iU/sZgGAh/5w4ESNzM=;
 b=ZYp0ZhiLBLba68DBAnVBjOJTv0aqTyoAp1XZDkg2sYRhSaiGcRkpH2SAQ3JcC/ea8iZnSC
 /g5+QPuB5H0Do2HyzTwpNLGiLh4gMwlf8Hi6UQ7Cse877WfafBFxxOSjvCNtUORRnVIZCY
 DNPgp9nimiQk68BDJxQrmmpj8k5Ljp4=
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-593-SRdrVIxfO6OwOfvKZUOlJg-1; Thu,
 30 Apr 2026 06:52:17 -0400
X-MC-Unique: SRdrVIxfO6OwOfvKZUOlJg-1
X-Mimecast-MFC-AGG-ID: SRdrVIxfO6OwOfvKZUOlJg_1777546336
Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 4873D18005A8
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:16 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])
 by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id 94F0B1800480
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:15 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH 4/5] resolv: Fix buffer overreads in ns_sprintrrf
 (CVE-2026-6238)
In-Reply-To: <cover.1777546194.git.fweimer@redhat.com>
Message-ID: 
 <3d1a89cf9c5d17c89dec7fb753392d198ae12ac4.1777546194.git.fweimer@redhat.com>
References: <cover.1777546194.git.fweimer@redhat.com>
X-From-Line: 3d1a89cf9c5d17c89dec7fb753392d198ae12ac4 Mon Sep 17 00:00:00 2001
Date: Thu, 30 Apr 2026 12:52:13 +0200
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: ceAZlUGSE9GqQt-jAyMNWMiZwum-vsL0mAGD6iOjHzI_1777546336
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,
 SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org

Check that the RDATA payload does not require more than RDATALEN
bytes while processing it.  The fixes cover A6, CERT, LOC, TKEY,
TSIG records.

The vulnerable LOC record handling was first introduced before
glibc 2.0, in commit ee188d555b8c32ad9704a7440cab400af967292f.

CERT, TSIG, TKEY handling came with commit
b43b13ac2544b11f35be301d1589b51a8473e32b, released with glibc 2.2.

A6 record handling was introduced in commit
91633816430e7ec5a19fe3ff510a7c4822a9557e ("* resolv/ns_print.c
(ns_sprintrrf): Handle ns_t_a6 and ns_t_opt."), which went into glibc
2.7.

This fixes bug 34069.
---
 resolv/ns_print.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index 9c9e810781..4953f47160 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -318,7 +318,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 	case ns_t_loc: {
 		char t[255];
 
-		/* XXX protocol format checking? */
+		if (rdlen != 16)
+		  goto formerr;
 		(void) loc_ntoa(rdata, t);
 		T(addstr(t, strlen(t), &buf, &buflen));
 		break;
@@ -444,6 +445,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 		char base64_cert[8192], tmp[40];
 		const char *leader;
 
+		if (rdlen < 2 * NS_INT16SZ + 1)
+			goto formerr;
 		c_type  = ns_get16(rdata); rdata += NS_INT16SZ;
 		key_tag = ns_get16(rdata); rdata += NS_INT16SZ;
 		alg = (u_int) *rdata++;
@@ -490,23 +493,31 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 		T(addstr(" ", 1, &buf, &buflen));
 
 		/* Inception. */
+		if (edata - rdata < NS_INT32SZ)
+			goto formerr;
 		t = ns_get32(rdata);  rdata += NS_INT32SZ;
 		len = SPRINTF((tmp, "%lu ", t));
 		T(addstr(tmp, len, &buf, &buflen));
 
 		/* Expiration. */
+		if (edata - rdata < NS_INT32SZ)
+			goto formerr;
 		t = ns_get32(rdata);  rdata += NS_INT32SZ;
 		len = SPRINTF((tmp, "%lu ", t));
 		T(addstr(tmp, len, &buf, &buflen));
 
 		/* Mode , Error, Key Size. */
 		/* Priority, Weight, Port. */
+		if (edata - rdata < 3 * NS_INT16SZ)
+			goto formerr;
 		mode = ns_get16(rdata);  rdata += NS_INT16SZ;
 		err  = ns_get16(rdata);  rdata += NS_INT16SZ;
 		keysize  = ns_get16(rdata);  rdata += NS_INT16SZ;
 		len = SPRINTF((tmp, "%u %u %u ", mode, err, keysize));
 		T(addstr(tmp, len, &buf, &buflen));
 
+		if (edata - rdata < keysize)
+			goto formerr;
 		/* XXX need to dump key, print otherdata length & other data */
 		break;
 	    }
@@ -532,9 +543,10 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 
 		/* address suffix: provided only when prefix len != 128 */
 		if (pbit < 128) {
-			if (rdata + pbyte >= edata) goto formerr;
+			unsigned int bytelen = sizeof(a) - pbyte;
+			if (edata - rdata < bytelen) goto formerr;
 			memset(&a, 0, sizeof(a));
-			memcpy(&a.s6_addr[pbyte], rdata, sizeof(a) - pbyte);
+			memcpy(&a.s6_addr[pbyte], rdata, bytelen);
 			if (inet_ntop (AF_INET6, &a, buf, buflen) == NULL)
 			  return -1;
 			addlen(strlen(buf), &buf, &buflen);

From patchwork Thu Apr 30 10:52:18 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 134256
X-Patchwork-Delegate: carlos@redhat.com
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from vm01.sourceware.org (localhost [127.0.0.1])
	by sourceware.org (Postfix) with ESMTP id 2EE304BA79A6
	for <patchwork@sourceware.org>; Thu, 30 Apr 2026 10:55:26 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2EE304BA79A6
Authentication-Results: sourceware.org;
	dkim=pass (1024-bit key,
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=Z6Nw4NkH
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by sourceware.org (Postfix) with ESMTP id EAF9F436F7C9
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:23 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org EAF9F436F7C9
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none)
 header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org EAF9F436F7C9
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546344; cv=none;
 b=EoVzgf4nD6qe0T4BuZCmya+YhqkljBVf5J0IYtOKac6Kciq2nNgqzhi1uapB99WGkjGEJt3ZWR16kkAZoescz5yur/FElThPa+W0HnldRjITRLr48HREbzBUiZwjaLMDyjfMDdFdWEpt1ylr4mcnWmTiD8bzIplh+WIGVwDKrk8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1777546344; c=relaxed/simple;
 bh=LT01Xs+hrYpVCpZoJ83f25VMS37v9yHYJPkw+FQ/cNI=;
 h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;
 b=Fc18ffETT7jK70l+uvlF5da945c4cc2Ccn4z+arfUxBR8q/WGkrMuGBHBD2qMrTHSdQh00T7iZmT6eHmGXT+/h+VSyW5sWtp9sKRd6gVIfGQ0shKB5sgMAY3OAqZgUSorPN3jkDdWdCBCUZCEByvje/TtJpWJ9ojHXtw6udCsIw=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org EAF9F436F7C9
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1777546343;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=ofCM+f/Qq/9LQXz+JCIpgh5E+DBdKM8tX9UyXCGRU68=;
 b=Z6Nw4NkHZ4vuWqICgZZMcGCFd57qlj+kVZ/rnIglj8ynZxoJmpmeNoXYR7xk19hDO1MSK0
 X4iFcn4wzssNR+bNERB1aXI4ZS4b3FrXVQIbCqYXoFD9EmDas8IO17oeGdmDC3vDdR9S3v
 C4vFpLs5waimLQB8XYoAmcPyHcVTK2c=
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-190-3Emgo2j1MgOMenideZp9Ag-1; Thu,
 30 Apr 2026 06:52:22 -0400
X-MC-Unique: 3Emgo2j1MgOMenideZp9Ag-1
X-Mimecast-MFC-AGG-ID: 3Emgo2j1MgOMenideZp9Ag_1777546341
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 31AC51800282
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:21 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])
 by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS
 id 7B8CC30001A1
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:20 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH 5/5] resolv: Add test case tst-ns_sprintrr (bug 34033, bug
 34069)
In-Reply-To: <cover.1777546194.git.fweimer@redhat.com>
Message-ID: 
 <c0191a0afbfd6837bc7bc1b2695eaacf3e41b0fe.1777546194.git.fweimer@redhat.com>
References: <cover.1777546194.git.fweimer@redhat.com>
X-From-Line: c0191a0afbfd6837bc7bc1b2695eaacf3e41b0fe Mon Sep 17 00:00:00 2001
Date: Thu, 30 Apr 2026 12:52:18 +0200
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: oASdVMfasjB88yEtpGejlYTJDJPy0bdQW_4Mg-vqnGY_1777546341
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-9.7 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 HK_OBFDOM,
 KAM_MXURI, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5,
 RCVD_IN_MSPIKE_WL,
 SPF_HELO_PASS, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org

This test case covers both input buffer overreads and output buffer
overflows.  It should systematically cover these issues.

I used code auto-generation for updating the test expectations for
truncated RDATA in TXT, ISDN, CERT records, after writing the rest
of the test by hand.

Assisted-by: LLM
---
 resolv/Makefile          |   2 +
 resolv/tst-ns_sprintrr.c | 322 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)
 create mode 100644 resolv/tst-ns_sprintrr.c

diff --git a/resolv/Makefile b/resolv/Makefile
index 971608eff5..4b61d2ce98 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -108,6 +108,7 @@ tests += \
   tst-ns_name \
   tst-ns_name_compress \
   tst-ns_name_pton \
+  tst-ns_sprintrr \
   tst-res_hconf_reorder \
   tst-res_hnok \
   tst-resolv-aliases \
@@ -338,5 +339,6 @@ $(objpfx)tst-ns_name: $(objpfx)libresolv.so
 $(objpfx)tst-ns_name.out: tst-ns_name.data
 $(objpfx)tst-ns_name_compress: $(objpfx)libresolv.so
 $(objpfx)tst-ns_name_pton: $(objpfx)libresolv.so
+$(objpfx)tst-ns_sprintrr: $(objpfx)libresolv.so
 $(objpfx)tst-res_hnok: $(objpfx)libresolv.so
 $(objpfx)tst-p_secstodate: $(objpfx)libresolv.so
diff --git a/resolv/tst-ns_sprintrr.c b/resolv/tst-ns_sprintrr.c
new file mode 100644
index 0000000000..522d835fe6
--- /dev/null
+++ b/resolv/tst-ns_sprintrr.c
@@ -0,0 +1,322 @@
+/* Tests for the ns_sprintrr function.
+   Copyright (C) 2026 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <arpa/nameser.h>
+
+#include <alloc_buffer.h>
+#include <arpa/inet.h>
+#include <libc-diag.h>
+#include <stdbool.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/next_to_fault.h>
+
+/* Regions that test_one_record uses for input and output.  */
+static struct support_next_to_fault ntf_in;
+static struct support_next_to_fault ntf_out;
+
+/* This is used by test_one_record to construct the packet.   */
+static const char packet_prefix[] =
+  /* DNS response with one question, one answer record.  */
+  "AA\x81\x80\0\1\0\1\0\0\0\0"
+  /* Question: www.example.org/IN/ANY.  */
+  "\3www\7example\3org\0\0\xff\0\1"
+  /* Response: compression reference.  */
+  "\xc0\x0c";
+
+/* Use ns_sprintrr to format a DNS record (starting with
+   packet_prefix) of type RTYPE, with a record payload of RDATALEN
+   bytes starting at RDATA.  Check successful formatting against
+   EXPECTED.  Try various truncated input and output buffers to catch
+   overreads and buffer overflows, using ntf_in and ntf_out above.  */
+static void
+test_one_record (uint16_t rtype, const char *rdata, size_t rdatalen,
+                 const char *expected)
+{
+  struct rr_header
+  {
+    uint16_t typ;
+    uint16_t cls;
+    uint32_t ttl;
+    uint16_t rdatalen;
+    uint16_t pad;
+  } hdr =
+    {
+      .typ = htons (rtype),
+      .cls = htons (ns_c_in),
+      .ttl = htonl (86400),     /* One day.  */
+      .rdatalen = htons (rdatalen),
+    };
+  size_t hdrlen = offsetof (struct rr_header, pad);
+  TEST_COMPARE (hdrlen, 10);
+
+  /* Construct the packet from packet_prefix, hdr, and rdata.  */
+  char packet[512];
+  size_t packetlen;
+  {
+    struct alloc_buffer buf = alloc_buffer_create (packet, sizeof (packet));
+    alloc_buffer_copy_bytes (&buf, packet_prefix, sizeof (packet_prefix) - 1);
+    alloc_buffer_copy_bytes (&buf, &hdr, hdrlen);
+    alloc_buffer_copy_bytes (&buf, rdata, rdatalen);
+    packetlen = sizeof (packet) - alloc_buffer_size (&buf);
+  }
+
+  /* Parse the record.   */
+  ns_msg msg;
+  TEST_COMPARE (ns_initparse ((unsigned char *) packet, packetlen, &msg), 0);
+  ns_rr rr;
+  TEST_COMPARE (ns_parserr (&msg, ns_s_an, 0, &rr), 0);
+
+  /* Try sizes up to this limit.  Go a bit beyond the expected size to
+     check for errors.  */
+  size_t max_result_size = strlen (expected) + 16;
+
+  bool success = false;
+  for (size_t result_size = 1; result_size <= max_result_size; ++result_size)
+    {
+      char *result_start = ntf_out.buffer + ntf_out.length - result_size;
+      memset (result_start, 'X', result_size);
+
+      /* ns_sprintrr was deprecated in 2.34.  */
+      DIAG_PUSH_NEEDS_COMMENT;
+      DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wdeprecated-declarations");
+      int ret = ns_sprintrr (&msg, &rr, NULL, NULL, result_start, result_size);
+      DIAG_POP_NEEDS_COMMENT;
+
+      if (ret > 0)
+        {
+          TEST_COMPARE_STRING (result_start, expected);
+          TEST_COMPARE (ret, strlen (expected));
+          success = true;
+        }
+      else
+        {
+          TEST_VERIFY (!success);
+          TEST_COMPARE (ret, -1);
+        }
+    }
+  TEST_VERIFY (success);
+
+  /* Test with truncated RDATA.   */
+  for (size_t rdata_size = 0; rdata_size <= rdatalen; ++rdata_size)
+    {
+      size_t truncated_packet_size = packetlen - rdatalen + rdata_size;
+      char *packet_start
+        = ntf_in.buffer + ntf_in.length - truncated_packet_size;
+      memcpy (packet_start, packet, truncated_packet_size);
+      /* Patch in the updated RDATA length field.  */
+      uint16_t new_rdatalen = htons (rdata_size);
+      memcpy (packet_start + truncated_packet_size - rdata_size - 2,
+              &new_rdatalen, 2);
+
+      ns_msg msg;
+      TEST_COMPARE (ns_initparse ((unsigned char *) packet_start,
+                                  truncated_packet_size, &msg), 0);
+      ns_rr rr;
+      TEST_COMPARE (ns_parserr (&msg, ns_s_an, 0, &rr), 0);
+
+      size_t result_size = strlen (expected) + 1;
+      char *result_start = ntf_out.buffer + ntf_out.length - result_size;
+      memset (result_start, 'X', result_size);
+
+      /* ns_sprintrr was deprecated in 2.34.  */
+      DIAG_PUSH_NEEDS_COMMENT;
+      DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wdeprecated-declarations");
+      int ret = ns_sprintrr (&msg, &rr, NULL, NULL, result_start, result_size);
+      DIAG_POP_NEEDS_COMMENT;
+
+      /* This flag indicates whether the output is syntactically
+         correct.  In some cases, truncation may still yield a valid
+         payload.  */
+      bool broken = rdata_size < rdatalen;
+      switch (rtype)
+        {
+        case ns_t_wks:
+          /* WKS records use all trailing bytes for the port bitmap.  */
+          broken = rdata_size < 5;
+          break;
+        case ns_t_nsap:
+          /* Uses all bytes that are available.  */
+          broken = false;
+          break;
+        case ns_t_txt:
+          /* Truncation produces a valid payload if it occurs right
+             after a complete string in the TXT payload.  */
+          broken = false;
+          for (size_t pos = 0; pos < rdata_size; )
+            {
+              unsigned int slen = rdata[pos] & 0xff;
+              if (pos + 1 + slen > rdata_size)
+                {
+                  broken = true;
+                  break;
+                }
+              pos += 1 + slen;
+            }
+          break;
+        case ns_t_isdn:
+          /* The second field is optional.  If it is present, it must
+             not be truncated.  */
+          broken = rdata_size < 6 || (rdata_size > 6 && rdata_size < rdatalen);
+          break;
+        case ns_t_cert:
+          /* The 5-byte header is sufficient. Any available trailing
+             data is base64-encoded.  */
+          broken = rdata_size < 5;
+          break;
+        case ns_t_a6:
+          /* The first A6 subtest contains a trailing domain name,
+             which is ignored and not formatted.  */
+          if (rdata_size > 0 && rdata[0] == 0)
+            broken = rdata_size < 17;
+          break;
+        }
+
+      if (broken)
+        {
+          if (strstr (result_start, "RR format error") != NULL)
+            /* No further checks if an error indicator has been added
+               to the output.  */
+            ;
+          /* TKEY and TSIG implementations are incomplete.  */
+          else if (rtype != ns_t_tkey && rtype != ns_t_tsig)
+            TEST_COMPARE (ret, -1);
+        }
+      else
+        TEST_VERIFY (ret > 0);
+    }
+}
+
+static int
+do_test (void)
+{
+  ntf_in = support_next_to_fault_allocate (512);
+  ntf_out = support_next_to_fault_allocate (256);
+
+#define T(rtype, rdata, expected) \
+  test_one_record (rtype, rdata, sizeof (rdata) - 1, expected)
+  T (ns_t_a, "\xc0\0\2\1", "www.example.org.\t1D IN A\t\t192.0.2.1");
+  T (ns_t_cname, "\4www1\4prod\xc0\x10",
+     "www.example.org.\t1D IN CNAME\twww1.prod.example.org.");
+  T (ns_t_hinfo, "\5first\6second",
+     "www.example.org.\t1D IN HINFO\t\"first\" \"second\"");
+  T (ns_t_isdn, "\5first\6second",
+     "www.example.org.\t1D IN ISDN\t\"first\" \"second\"");
+  /* Bug: Extra space at the end in the text representation of ISDN RRs.  */
+  T (ns_t_isdn, "\5first", "www.example.org.\t1D IN ISDN\t\"first\" ");
+  T (ns_t_soa,
+     "\2ns\xc0\x10\12hostmaster\xc0\x10"
+     "\0\0\0\1\0\0\0\2\0\0\0\3\0\0\0\4\0\0\0\5",
+     "www.example.org.\t1D IN SOA\tns.example.org. hostmaster.example.org. (\n"
+     "\t\t\t\t\t1\t\t; serial\n"
+     "\t\t\t\t\t2S\t\t; refresh\n"
+     "\t\t\t\t\t3S\t\t; retry\n"
+     "\t\t\t\t\t4S\t\t; expiry\n"
+     "\t\t\t\t\t5S )\t\t; minimum\n");
+  T (ns_t_mx, "\0\xa\2mx\xc0\x10",
+     "www.example.org.\t1D IN MX\t10 mx.example.org.");
+  T (ns_t_px, "\0\xa\3px1\xc0\x10\3px2\xc0\x10",
+     "www.example.org.\t1D IN PX\t10 px1.example.org. px2.example.org.");
+  T (ns_t_x25, "\4X.25",
+     "www.example.org.\t1D IN X25\t\"X.25\"");
+  T (ns_t_txt, "\1A\2BC\3DEF",
+     "www.example.org.\t1D IN TXT\t\"A\" \"BC\" \"DEF\"");
+  T (ns_t_nsap, "",
+     "www.example.org.\t1D IN NSAP\t");
+  T (ns_t_nsap, "\1",
+     "www.example.org.\t1D IN NSAP\t01");
+  T (ns_t_nsap, "\1\2",
+     "www.example.org.\t1D IN NSAP\t01.02");
+  T (ns_t_nsap, "\1\2\3",
+     "www.example.org.\t1D IN NSAP\t01.0203");
+  T (ns_t_nsap, "\1\2\3\4",
+     "www.example.org.\t1D IN NSAP\t01.0203.04");
+  T (ns_t_nsap,
+     "\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\20\21\22\23\24\25\26\27\30\31\32"
+     "\33\34\35\36\37\40\41\42\43\44\45\46\47\50\51\52\53\54\55\56\57\60\61"
+     "\62\63\64\65\66\67\70\71\72\73\74\75\76\77\100\101\102\103\104\105\106"
+     "\107\110\111\112\113\114\115\116\117\120\121\122\123\124\125\126\127"
+     "\130\131\132\133\134\135\136\137\140\141\142\143\144\145\146\147\150"
+     "\151\152\153\154\155\156\157\160\161\162\163\164\165\166\167\170\171"
+     "\172\173\174\175\176\177\200\201\202\203\204\205\206\207\210\211\212"
+     "\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233"
+     "\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254"
+     "\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275"
+     "\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316"
+     "\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
+     "\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360"
+     "\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377",
+     "www.example.org.\t1D IN NSAP\t"
+     "01.0203.0405.0607.0809.0A0B.0C0D.0E0F.1011.1213.1415.1617.1819.1A1B"
+     ".1C1D.1E1F.2021.2223.2425.2627.2829.2A2B.2C2D.2E2F.3031.3233.3435.3637"
+     ".3839.3A3B.3C3D.3E3F.4041.4243.4445.4647.4849.4A4B.4C4D.4E4F.5051.5253"
+     ".5455.5657.5859.5A5B.5C5D.5E5F.6061.6263.6465.6667.6869.6A6B.6C6D.6E6F"
+     ".7071.7273.7475.7677.7879.7A7B.7C7D.7E7F.8081.8283.8485.8687.8889.8A8B"
+     ".8C8D.8E8F.9091.9293.9495.9697.9899.9A9B.9C9D.9E9F.A0A1.A2A3.A4A5.A6A7"
+     ".A8A9.AAAB.ACAD.AEAF.B0B1.B2B3.B4B5.B6B7.B8B9.BABB.BCBD.BEBF.C0C1.C2C3"
+     ".C4C5.C6C7.C8C9.CACB.CCCD.CECF.D0D1.D2D3.D4D5.D6D7.D8D9.DADB.DCDD.DEDF"
+     ".E0E1.E2E3.E4E5.E6E7.E8E9.EAEB.ECED.EEEF.F0F1.F2F3.F4F5.F6F7.F8F9.FAFB"
+     ".FCFD.FEFF");
+  T (ns_t_aaaa, "\x20\x01\x0d\xb8\0\0\0\0\0\0\0\0\0\0\x12\x34",
+     "www.example.org.\t1D IN AAAA\t2001:db8::1234");
+  /* Example from RFC 1876.  The loc_ntoa format is different from the
+     official text representation.  */
+  T (ns_t_loc,
+     "\000\063\026\023\211\027\055\320\160\276\025\360\000\230\215\040",
+     "www.example.org.\t1D IN LOC"
+     "\t42 21 54.000 N 71 06 18.000 W -24.00m 30.00m 10000.00m 10.00m");
+  T (ns_t_naptr,
+     "\0\1\0\2\5flags\7service\2.*\5naptr\xc0\x10",
+     "www.example.org.\t1D IN NAPTR\t1 2 \"flags\" \"service\" \".*\""
+     " naptr.example.org.");
+  T (ns_t_srv,
+     "\0\1\0\2\0\x50\4www1\xc0\x10",
+     "www.example.org.\t1D IN SRV\t1 2 80 www1.example.org.");
+  T (ns_t_rp, "\3rp1\xc0\x10\3rp2\xc0\x10",
+     "www.example.org.\t1D IN RP\trp1.example.org. rp2.example.org.");
+  T (ns_t_wks, "\xc0\0\2\1\6\0\0\0\0\0\0\0\0\0\0\200",
+     "www.example.org.\t1D IN WKS\t192.0.2.1 6 ( \n\t\t\t\t80 )");
+  T (ns_t_cert, "\0\1\x04\xd2\0blob",
+     "www.example.org.\t1D IN CERT\t1 1234 0  YmxvYg==");
+  /* Bug: TKEY output is incomplete.  */
+  T (ns_t_tkey, "\4algo\0\0\0\0\1\0\0\0\2\0\3\0\4"
+     "\0\5\xa1\xa2\xa3\xa4\xa5\0\3\xb1\xb2\xb3",
+     "www.example.org.\t1D IN 249\talgo. 1 2 3 4 5 ");
+  /* Bug: Not implemented properly.  */
+  T (ns_t_tsig, "\4algo\0"
+     "\0\20\xdd\xcd\x64\x10\xe9\x21\x34\x1a\x8e\xe0\xa1\x9a\x30\xfc\x3b\xd1"
+     "\0\2\0\3\0\5other",
+     "www.example.org.\t1D IN TSIG\talgo.");
+  T (ns_t_a6,
+     "\0\x20\x01\x0d\xb8\0\0\0\0\0\0\0\0\0\0\x12\x34\6prefix\xc0\x10",
+     "www.example.org.\t1D IN 38\t0 2001:db8::1234");
+  T (ns_t_a6,
+     "\0\x20\x01\x0d\xb8\0\0\0\0\0\0\0\0\0\0\x12\x34",
+     "www.example.org.\t1D IN 38\t0 2001:db8::1234");
+  T (ns_t_a6, "\200\6prefix\xc0\x10",
+     "www.example.org.\t1D IN 38\t128  prefix.example.org.");
+  T (ns_t_a6, "\x20\0\0\0\0\0\0\0\0\0\0\x12\x34\6prefix\xc0\x10",
+     "www.example.org.\t1D IN 38\t32 ::1234 prefix.example.org.");
+#undef T
+
+  support_next_to_fault_free (&ntf_in);
+  support_next_to_fault_free (&ntf_out);
+  return 0;
+}
+
+#include <support/test-driver.c>