[CONC-473] mysql_real_connect_start() blows the stack when using an ipv6 mdns hostname Created: 2020-06-08  Updated: 2020-06-08

Status: Open
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.1.7
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Andrew Hutchings (Inactive) Assignee: Georg Richter
Resolution: Unresolved Votes: 1
Labels: None
Environment:

Fedora 32


Attachments: File conc-test.c

Description

Attaching the test file shortly. Compile this with:

gcc -g conc-test.c -lmysqlclient -I /usr/include/mysql

For me linuxjedi-mac.local is an mdns hostname of another machine that is expected to return an IPv6 address. In Fedora 32 using connector-c 3.1.7 RPMs attempting to do this crashes. I cannot reproduce using a hosts file entry (I've not tried regular AAAA DNS).

I cannot reproduce this on macOS using the Connector/C in 10.4.13 and I haven't tried another platform yet.

This is the stack:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e0ba9f in unlink_chunk (p=p@entry=0x427d90, av=<optimized out>) at malloc.c:1453
1453      if (chunksize (p) != prev_size (next_chunk (p)))
(gdb) bt
#0  0x00007ffff7e0ba9f in unlink_chunk (p=p@entry=0x427d90, av=<optimized out>)
    at malloc.c:1453
#1  0x00007ffff7e0e41a in _int_malloc (av=av@entry=0x7ffff7f469e0 <main_arena>, 
    bytes=bytes@entry=28) at malloc.c:4038
#2  0x00007ffff7e0f534 in __GI___libc_malloc (bytes=28) at malloc.c:3058
#3  0x00007ffff79805ec in __res_context_send (ctx=ctx@entry=0x428480, 
    buf=buf@entry=0x427e40 "\237r\001", buflen=buflen@entry=23, buf2=buf2@entry=0x0, 
    buflen2=buflen2@entry=0, ans=<optimized out>, ans@entry=0x4282c0 "\222\065", 
    anssiz=<optimized out>, ansp=0x0, ansp2=0x0, nansp2=0x0, resplen2=0x0, 
    ansp2_malloced=0x0) at res_send.c:472
#4  0x00007ffff797d1d3 in __GI___res_context_query (ctx=ctx@entry=0x428480, 
    name=name@entry=0x7ffff799302c "local", class=class@entry=1, type=type@entry=6, 
    answer=answer@entry=0x4282c0 "\222\065", anslen=anslen@entry=65535, 
    answerp=<optimized out>, answerp2=<optimized out>, nanswerp2=<optimized out>, 
    resplen2=<optimized out>, answerp2_malloced=<optimized out>) at res_query.c:208
#5  0x00007ffff797d933 in context_query_common (anslen=65535, answer=0x4282c0 "\222\065", 
    type=6, class=1, name=0x7ffff799302c "local", ctx=0x428480) at res_query.c:292
#6  __res_nquery (statp=statp@entry=0x428080, name=name@entry=0x7ffff799302c "local", 
    class=class@entry=1, type=type@entry=6, answer=answer@entry=0x4282c0 "\222\065", 
    anslen=anslen@entry=65535) at res_query.c:305
#7  0x00007ffff7991636 in local_soa () at src/util.c:125
#8  0x00007ffff7991885 in verify_name_allowed_with_soa (
    name=name@entry=0x402016 "linuxjedi-mac.local", 
    mdns_allow_file=mdns_allow_file@entry=0x0) at src/util.c:65
#9  0x00007ffff799247a in gethostbyname_impl (h_errnop=0x7ffff79b7724, 
    errnop=0x7ffff79b76c0, u=0x438320, af=<optimized out>, 
    name=0x402016 "linuxjedi-mac.local") at src/nss.c:166
#10 _nss_mdns4_minimal_gethostbyname4_r (name=name@entry=0x402016 "linuxjedi-mac.local", 
    pat=pat@entry=0x4385d8, buffer=0x4388e0 "#\351j>", <incomplete sequence \335>, 
    buflen=1024, errnop=errnop@entry=0x7ffff79b76c0, 
    h_errnop=h_errnop@entry=0x7ffff79b7724, ttlp=0x0) at src/nss.c:207
#11 0x00007ffff7e6d867 in gaih_inet (name=<optimized out>, 
    name@entry=0x402016 "linuxjedi-mac.local", service=service@entry=0x4387f0, 
    req=req@entry=0x438d70, pai=pai@entry=0x4387d8, naddrs=naddrs@entry=0x4387d4, 
    tmpbuf=tmpbuf@entry=0x4388d0) at ../sysdeps/posix/getaddrinfo.c:765
#12 0x00007ffff7e6e739 in __GI_getaddrinfo (name=<optimized out>, service=<optimized out>, 
    service@entry=0x438e10 "3306", hints=hints@entry=0x438d70, pai=pai@entry=0x438d68)
    at ../sysdeps/posix/getaddrinfo.c:2256
#13 0x00007ffff7f67629 in pvio_socket_connect (cinfo=0x438ec0, pvio=0x429f60)
    at /usr/src/debug/mariadb-connector-c-3.1.7-2.20200316gitfbf1db6.fc32.x86_64/plugins/pvio/pvio_socket.c:874
#14 pvio_socket_connect (pvio=0x429f60, cinfo=0x438ec0)
    at /usr/src/debug/mariadb-connector-c-3.1.7-2.20200316gitfbf1db6.fc32.x86_64/plugins/pvio/pvio_socket.c:747
#15 0x00007ffff7f702d9 in mthd_my_real_connect (mysql=0x7fffffffd620, host=<optimized out>, 
    user=0x402011 "test", passwd=0x402010 "", db=0x0, port=3306, 
    unix_socket=<optimized out>, client_flag=2147483648)
    at /usr/src/debug/mariadb-connector-c-3.1.7-2.20200316gitfbf1db6.fc32.x86_64/libmariadb/mariadb_lib.c:1455
#16 0x00007ffff7f88e45 in mysql_real_connect_start_internal (d=<optimized out>)
    at /usr/src/debug/mariadb-connector-c-3.1.7-2.20200316gitfbf1db6.fc32.x86_64/libmariadb/mariadb_async.c:332
#17 0x00007ffff7f8c9d5 in my_context_spawn (c=0x427940, f=0xd1c70004, 
    d=0x7ffff7f46b30 <main_arena+336>)
    at /usr/src/debug/mariadb-connector-c-3.1.7-2.20200316gitfbf1db6.fc32.x86_64/libmariadb/ma_context.c:201
#18 0x0000000000000000 in ?? ()
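An added diagnostic, not part of this report or of the connector's code: it measures how much coroutine stack a call chain shaped like the one in the backtrace consumes, so the result can be compared with the stack the async context actually gets. It models the trace with a ucontext stack (assumed here to be heap-allocated, which is consistent with the heap corruption unlink_chunk() reports) and a 65535-byte on-stack answer buffer (anslen=65535 in frame #6); fake_resolver, worker, stack_high_water and stack_fits are constructed names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

/* Constructed stand-in for the resolver path in the backtrace: res_nquery()
   was called with a 65535-byte answer buffer (anslen=65535), modelled here
   as an automatic array so it lands on the coroutine's stack. */
#define ANSWER_BUF 65535
#define PATTERN 0xA5

static ucontext_t main_ctx, work_ctx;
static volatile unsigned long sink;  /* keeps the buffer traffic observable */

static void fake_resolver(void) {
    volatile unsigned char answer[ANSWER_BUF];
    unsigned long sum = 0;
    for (size_t i = 0; i < sizeof answer; i++) { answer[i] = (unsigned char)i; sum += answer[i]; }
    sink = sum;
}

static void worker(void) { fake_resolver(); }  /* returns to main_ctx via uc_link */

/* Run worker() on a malloc'd stack of stack_size bytes pre-filled with PATTERN.
   The stack grows down, so the first byte from the bottom that no longer holds
   PATTERN marks the high-water line; return how many bytes above it were used,
   or 0 on allocation failure. stack_size must be generous: an overflow here
   would corrupt neighbouring heap chunks, which is what the report's crash in
   unlink_chunk() looks like. */
size_t stack_high_water(size_t stack_size) {
    unsigned char *stack = malloc(stack_size);
    if (!stack) return 0;
    memset(stack, PATTERN, stack_size);
    getcontext(&work_ctx);
    work_ctx.uc_stack.ss_sp = stack;
    work_ctx.uc_stack.ss_size = stack_size;
    work_ctx.uc_link = &main_ctx;
    makecontext(&work_ctx, worker, 0);
    swapcontext(&main_ctx, &work_ctx);
    size_t untouched = 0;
    while (untouched < stack_size && stack[untouched] == PATTERN) untouched++;
    free(stack);
    return stack_size - untouched;
}

/* Would a coroutine stack of candidate bytes have held this call chain? */
int stack_fits(size_t needed, size_t candidate) { return needed != 0 && needed <= candidate; }
```

Called with a 1 MiB stack, stack_high_water() returns a little over 65535 bytes, which stack_fits() can then check against the size the async context is configured with; the MYSQL_OPT_NONBLOCK option to mysql_options() takes a pointer to a size_t stack size for that context (0 selects the library default).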



Comments
Comment by Andrew Hutchings (Inactive) [ 2020-06-08 ]

Not even sure why the codebase gets to there in ma_context.c, the platform has ucontext.h.

Comment by Andrew Hutchings (Inactive) [ 2020-06-08 ]

Reproduced on Ubuntu 20.04 too.
