The real case how I stumbled over it:
* my PHP application calls geoip_record_by_name with NULL as argument (although 
it expects a string)
* the PHP GeoIP module converts NULL into an allocated empty string
* libGeoIP is called with "" as hostname. Sometimes, the byte directly 
preceding the empty string is the dot (.). Must be related to how PHP allocates 
memory.
* libGeoIP calls the gethostbyname_r function or similar, which in turn calls 
the broken function above.
* strncpy overwrites my call stack, making debugging complicated, and then 
segfaults :-(

I can't think of any common real world example where it might trigger,
and my situation is my own fault :-)

It's probably not too easy to trigger it in other situations. One way would be 
a program which stores the hostname on the stack and e.g. the port number 
directly before. Or maybe a Big Endian machine using malloc. I think the bytes 
before the then-empty string are not zeros as on my amd64.
In such a situation, $ program "" 11822 might result in a segfault.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1062167

Title:
  Segfault in __libc_res_nquerydomain

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1062167/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
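An added example (my own code, not from the thread, libGeoIP or glibc) reconstructing the trailing-dot stripping pattern the report describes: with an empty hostname the length test reads the byte before the string, and if that byte is '.', the length underflows and strncpy runs far past the buffer. The hardened form checks the length before indexing and bounds the copy; function names and the buffer size are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NBUF 256   /* assumed size of the local copy buffer */

/* Mirrors the unchecked pattern: n = strlen(name); if (name[--n] == '.')
 * copy n bytes.  For n == 0 this reads the byte *before* the string.
 * Returns the length that would be handed to strncpy, without copying. */
static size_t buggy_copy_len(const char *name)
{
    int n = (int)strlen(name);
    if (name[--n] == '.')          /* n == -1 here when name is "" */
        return (size_t)n;          /* -1 converts to SIZE_MAX */
    return (size_t)(n + 1);        /* no trailing dot: use name as-is */
}

/* Reproduces the reporter's situation: an empty string whose preceding
 * byte happens to be '.', constructed here inside one array so the
 * read stays within a real object. */
static size_t buggy_len_for_empty_after_dot(void)
{
    char holder[] = ".";           /* holder[1] is the empty string */
    return buggy_copy_len(holder + 1);
}

/* Hardened form: only strip a '.' when there is one to strip, and bound
 * the copy by the destination size.  Returns 0 on success, -1 if the
 * name does not fit (the caller should fail the lookup). */
static int strip_trailing_dot(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n + 1 > outlen)
        return -1;
    if (n > 0 && name[n - 1] == '.')
        n--;
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Convenience check for the hardened path: 1 if stripping name yields expected. */
static int stripped_equals(const char *name, const char *expected)
{
    char out[NBUF];
    return strip_trailing_dot(name, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("buggy length for \"\" after '.': %zu\n", buggy_len_for_empty_after_dot());
    printf("hardened \"\" -> ok: %d\n", stripped_equals("", ""));
    return 0;
}
```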