musl/src/network, branch master musl - an implementation of the standard library for Linux-based systems dns: fix nameserver OOB read in IPv6-disabled fallback 2026-03-20T16:19:40+00:00 Liam Wachter liam@asymmetric.re 2026-03-20T16:19:40+00:00 6f6bd4a1896ba0be19168abc1346c8c7e3851709 In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns] inside a loop controlled by i, so it tests a fixed slot instead of walking configured nameservers. This reads one past the array's size. Use conf->ns[i] so the loop correctly detects whether all configured nameservers are IPv6-only. 
In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns]
inside a loop controlled by i, so it tests a fixed slot instead of
walking configured nameservers. This reads one past the array's size.

Use conf->ns[i] so the loop correctly detects whether all configured
nameservers are IPv6-only.
getifaddr: fix typo ssl to sll 2026-03-11T02:49:31+00:00 RocketDev marocketbd@gmail.com 2026-03-01T16:21:58+00:00 4268281ab48896ca2a2f6f0a3bbcd332eee55834 sll_addr is a member of sockaddr_ll, but it is misspelled as ssl_addr in comment. Please cc me back when reply. Signed-off-by: RocketDev <marocketbd@gmail.com> 
sll_addr is a member of sockaddr_ll, but it is misspelled as
ssl_addr in comment.

Please cc me back when reply.

Signed-off-by: RocketDev <marocketbd@gmail.com>
dns resolver: reorder sockaddr union to make initialization safe 2025-05-05T13:23:32+00:00 Rich Felker dalias@aerifal.cx 2025-05-05T13:23:32+00:00 6915b34860459a963fb1ba468a4d5389dd65c67b some recent compilers have adopted a dubious interpretation of the C specification for union initializers, that when the initialized member is smaller than the size of the union, the remaining padding does not have to be zero-initialized. in the interests of not depending on any particular interpretation, place the larger member first so it's initialized and ensures the whole object is zero-filled. 
some recent compilers have adopted a dubious interpretation of the C
specification for union initializers, that when the initialized member
is smaller than the size of the union, the remaining padding does not
have to be zero-initialized. in the interests of not depending on any
particular interpretation, place the larger member first so it's
initialized and ensures the whole object is zero-filled.
inet_ntop: fix the IPv6 leading zero sequence compression 2024-06-22T21:01:00+00:00 Jakub Stasiak jakub@stasiak.at 2024-06-13T22:59:41+00:00 947b4574fa7998f027d3906e1f53acb9a7553c61 Per RFC 5952, ties for longest sequence of zero fields must be broken by choosing the earliest, but the implementation put the leading sequence of zeros at a disadvantage. That's because for example when compressing "0:0:0:10:0:0:0:10" the strspn(buf+i, ":0") call returns 6 for the first sequence and 7 for the second one – the second sequence has the benefit of a leading colon. Changing the condition to require beating the leading sequence by not one but two characters resolves the issue. 
Per RFC 5952, ties for longest sequence of zero fields must be broken
by choosing the earliest, but the implementation put the leading
sequence of zeros at a disadvantage. That's because for example when
compressing "0:0:0:10:0:0:0:10" the strspn(buf+i, ":0") call returns 6
for the first sequence and 7 for the second one – the second sequence
has the benefit of a leading colon.

Changing the condition to require beating the leading sequence by not
one but two characters resolves the issue.
getnameinfo: fix calling __dns_parse with potentially too large rlen 2024-02-29T15:14:16+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-05-08T16:03:46+00:00 5c653ccaa1383db0c310abf66d5b6806e83ac18f __res_send returns the full answer length even if it didn't fit the buffer, but __dns_parse expects the length of the filled part of the buffer. This is analogous to commit 77327ed064bd57b0e1865cd0e0364057ff4a53b4, which fixed the only other __dns_parse call site. 
__res_send returns the full answer length even if it didn't fit the
buffer, but __dns_parse expects the length of the filled part of the
buffer.

This is analogous to commit 77327ed064bd57b0e1865cd0e0364057ff4a53b4,
which fixed the only other __dns_parse call site.
remove arbitrary limit from dns result parsing 2023-11-06T18:50:21+00:00 Quentin Rameau quinq@fifth.space 2023-10-04T19:29:43+00:00 8c086e767468cc11c6d58d6a92d8511c2bd12024 The name resolution would abort when getting more than 63 records per request, due to what seems to be a left-over from the original code. This check was non-breaking but spurious prior to TCP fallback support, since any 512-byte packet with more than 63 records was necessarily malformed. But now, it wrongly rejects valid results. Reported by Daniel Stefanik in Alpine Linux aports issue 15320. 
The name resolution would abort when getting more than 63 records per
request, due to what seems to be a left-over from the original code.
This check was non-breaking but spurious prior to TCP fallback
support, since any 512-byte packet with more than 63 records was
necessarily malformed. But now, it wrongly rejects valid results.

Reported by Daniel Stefanik in Alpine Linux aports issue 15320.
fix rejection of dns responses with pointers past 512 byte offset 2023-07-17T22:03:38+00:00 Rich Felker dalias@aerifal.cx 2023-07-17T22:03:38+00:00 83b858f83b658bd34eca5d8ad4d145f673ae7e5e the __dns_parse code used by the stub resolver traditionally included code to reject label pointers to offsets past a 512 byte limit, despite never processing the label contents, only stepping over them. when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for tcp fallback, this limit was overlooked, and as a result, it was at least theoretically possible for some valid large answers to be rejected on account of these offsets. since the limit was never serving any useful purpose, just remove it. 
the __dns_parse code used by the stub resolver traditionally included
code to reject label pointers to offsets past a 512 byte limit,
despite never processing the label contents, only stepping over them.
when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for
tcp fallback, this limit was overlooked, and as a result, it was at
least theoretically possible for some valid large answers to be
rejected on account of these offsets.

since the limit was never serving any useful purpose, just remove it.
dns stub resolver: increase buffer size to handle chained CNAMEs 2023-07-05T03:36:05+00:00 Rich Felker dalias@aerifal.cx 2023-07-05T03:11:17+00:00 a4ecaf89a9b88df76e8bf9f28e1cc6cb89e4bfa8 in the event of chained CNAMEs, the answer to a query will contain the entire CNAME chain, not just one CNAME record. previously, the answer buffer size had been chosen to admit a maximal-length CNAME, but only one. a moderate-length chain could fill the available 768 bytes leaving no room for an actual address answering the query. while the DNS RFCs do not specify any limit on the length of a CNAME chain, or any reasonable behavior is the chain exceeds the entire 64k possible message size, actual recursive servers have to impose a limit, and a such, for all practical purposes, chains longer than this limit are not usable. it turns out BIND has a hard-coded limit of 16, and Unbound has a default limit of 11. assuming the recursive server makes use of "compression" (pointers), each maximal-length CNAME record takes at most 268 bytes, and thus any chain up to length 16 fits in at most 4288 bytes. this patch increases the answer buffer size to preserve the original intent of having 512 bytes available for address answers, plus space needed for a maximal CNAME chain, for a total of 4800 bytes. the resulting size of 9600 bytes for two queries (A+AAAA) is still well within what is reasonable to place in automatic storage. 
in the event of chained CNAMEs, the answer to a query will contain the
entire CNAME chain, not just one CNAME record. previously, the answer
buffer size had been chosen to admit a maximal-length CNAME, but only
one. a moderate-length chain could fill the available 768 bytes
leaving no room for an actual address answering the query.

while the DNS RFCs do not specify any limit on the length of a CNAME
chain, or any reasonable behavior is the chain exceeds the entire 64k
possible message size, actual recursive servers have to impose a
limit, and a such, for all practical purposes, chains longer than this
limit are not usable. it turns out BIND has a hard-coded limit of 16,
and Unbound has a default limit of 11.

assuming the recursive server makes use of "compression" (pointers),
each maximal-length CNAME record takes at most 268 bytes, and thus any
chain up to length 16 fits in at most 4288 bytes.

this patch increases the answer buffer size to preserve the original
intent of having 512 bytes available for address answers, plus space
needed for a maximal CNAME chain, for a total of 4800 bytes. the
resulting size of 9600 bytes for two queries (A+AAAA) is still well
within what is reasonable to place in automatic storage.
dns: check length field in tcp response message 2023-04-08T00:44:20+00:00 Alexey Kodanev aleksei.kodanev@bell-sw.com 2023-03-22T14:48:40+00:00 77327ed064bd57b0e1865cd0e0364057ff4a53b4 The received length field in the message may be greater than the size of the 'answer' buffer in which the message resides. Currently, ABUF_SIZE is 768. And if we get a larger 'alens[i]', it will result in an out-of-bounds reading in __dns_parse(). To fix this, limit the length to the size of the received buffer. 
The received length field in the message may be greater than the
size of the 'answer' buffer in which the message resides. Currently,
ABUF_SIZE is 768. And if we get a larger 'alens[i]', it will result
in an out-of-bounds reading in __dns_parse().

To fix this, limit the length to the size of the received buffer.
getservbyport_r: fix wrong result if getnameinfo fails with EAI_OVERFLOW 2023-02-28T17:01:34+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-02-27T20:33:08+00:00 b1dfb734a45d4f74c7a24c5f07d37f7e74451802 EAI_OVERFLOW should be propagated as ERANGE to inform the caller about the need to expand the buffer. 
EAI_OVERFLOW should be propagated as ERANGE to inform the caller about
the need to expand the buffer.