net: Unix dnsclient test for CVE-2021-33195 assumes that 1.2.3.4 does not resolve #46504
Comments
Possible candidates from IANA special purpose registry
Change https://golang.org/cl/324190 mentions this issue:
@gopherbot please backport to 1.16
Backport issue(s) opened: #46530 (for 1.16). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
@gopherbot please backport to 1.15
Change https://golang.org/cl/324332 mentions this issue:
Change https://golang.org/cl/324333 mentions this issue:
@gopherbot please backport to Go 1.15.
Backport issue(s) opened: #46531 (for 1.15). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
…133195 Also don't unnecessarily deref the error return. Updates #46504 Fixes #46531 Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185 Reviewed-on: https://go-review.googlesource.com/c/go/+/324190 Trust: David Chase <drchase@google.com> Trust: Damien Neil <dneil@google.com> Run-TryBot: David Chase <drchase@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit dd7ba3b) Reviewed-on: https://go-review.googlesource.com/c/go/+/324333 Reviewed-by: Ian Lance Taylor <iant@golang.org>
…133195 Also don't unnecessarily deref the error return. Updates #46504 Fixes #46530 Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185 Reviewed-on: https://go-review.googlesource.com/c/go/+/324190 Trust: David Chase <drchase@google.com> Trust: Damien Neil <dneil@google.com> Run-TryBot: David Chase <drchase@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit dd7ba3b) Reviewed-on: https://go-review.googlesource.com/c/go/+/324332 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@golang.org>
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
No, but it will once Go 1.16.5 is released because of df6a737
What operating system and processor architecture are you using (go env)?
What did you do?
On a Unix system with /etc/hosts lookups enabled, add an entry for 1.2.3.4 to /etc/hosts (or have an already present one for whatever reason), then run ./all.bash in the current git tip or in 1.16's branch git tip. The net tests will fail with a runtime error for a nil pointer dereference.
The issue is in net/dnsclient_unix_test.go in TestCVE202133195(). The two calls to versions of LookupAddr() for "1.2.3.4" check for err == nil as one of the conditions for test failure, but they then go on to invoke err.Error() in the t.Errorf() calls, which faults if err is nil. In general, assuming that 1.2.3.4 will never resolve seems potentially dangerous, since it's in allocated IP address space (although it's currently assigned to APNIC's Debogon Project and they may be unlikely to give it a PTR record).
A short term fix for the test would be to make the failure conditions be err != nil && err.Error() != expected. A long-term fix might be to find an IP address that's guaranteed to not be resolvable, although I don't know if any such IPs exist. If 1.2.3.4 actually is supposed to never be resolvable, I think that the test should have a comment to that effect so that people reading it later know that this has been considered. (It also might be useful to make it, say, 1.2.3.5, just so that people who are using 1.2.3.4 for some reason don't trip over this.)
What did you expect to see?
Successful tests.
What did you see instead?
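Added example, not part of the original issue or of the Go source tree: a Go sketch of the failure-path pattern the report describes, next to the short-term fix it proposes. The function names and the error strings are constructed for illustration and are not taken from net/dnsclient_unix_test.go.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for the error string the test expects; it is not
// copied from net/dnsclient_unix_test.go.
const expected = "lookup 1.2.3.4: constructed expected error"

// buggyCheck (hypothetical name) follows the pattern the issue describes:
// a nil err is treated as a failure, and the failure message then calls
// err.Error(), which panics when err is nil.
func buggyCheck(err error) (msg string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			msg, panicked = fmt.Sprint(r), true
		}
	}()
	if err == nil || err.Error() != expected {
		return "unexpected error: " + err.Error(), false
	}
	return "", false
}

// fixedCheck (hypothetical name) uses the short-term fix from the issue:
// fail only on a non-nil error that differs from the expected one.
func fixedCheck(err error) string {
	if err != nil && err.Error() != expected {
		return fmt.Sprintf("unexpected error: %v", err)
	}
	return ""
}

func main() {
	cases := []error{
		nil,                                   // 1.2.3.4 resolved, e.g. via /etc/hosts
		errors.New(expected),                  // the error the test wants
		errors.New("lookup 1.2.3.4: timeout"), // constructed unrelated failure
	}
	for _, err := range cases {
		msg, panicked := buggyCheck(err)
		fmt.Printf("err=%v buggy=%q panicked=%v fixed=%q\n",
			err, msg, panicked, fixedCheck(err))
	}
}
```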