
malloc(0) being called by node.js c-ares wrapper #392

Closed
dhrumilrana opened this issue Jan 1, 2021 · 2 comments

Comments

@dhrumilrana (Contributor)

Here is an assert attached in the dependent code of c-ares for node.js. The assert is looking for a malloc(0) call; a wrapper function in the c-ares wrapper file is responsible for the malloc(0) calls. I have provided the trace of the assert call for more information (which file and function are the culprit). Are there any suggestions for what could be done?

Assertion failed: size, file: ../deps/cares/src/ares_library_init.c, line: 54, function: default_malloc
 1: 0x28477D4C abort
 2: 0x278016E2 ares_parse_ptr_reply
 3: 0x277FD924 node::cares_wrap::(anonymous namespace)::ParseGeneralReply(node::Environment*, unsigned cha...)+0x116 [ZOSCAN2B:../src/cares_wrap.cc/:806]
 4: 0x2780BA3A node::cares_wrap::(anonymous namespace)::QueryAnyWrap::Parse(unsigned char*, int)+0xeb8 [ZOSCAN2B:../src/cares_wrap.cc/:1328]
 5: 0x2780B95E node::cares_wrap::(anonymous namespace)::QueryWrap::AfterResponse()+0x9e [ZOSCAN2B:../src/cares_wrap.cc/:635]
 6: 0x2786DF78 node::CallbackQueue<void, node::Environment*>::CallbackImpl<node::cares_wrap::(anonymous na...)+0x1a [ZOSCAN2B:../src/cares_wrap.cc/:698]
 7: 0x2786BA02 node::Environment::RunAndClearNativeImmediates(bool)::$_5::operator()(node::CallbackQueue<v...)+0x14c [ZOSCAN2B:../src/env.cc/:688]
 8: 0x2786AD00 node::Environment::RunAndClearNativeImmediates(bool)+0x226 [ZOSCAN2B:../src/env.cc/:701]
 9: 0x284C31C2 node::Environment::CheckImmediate(uv_check_s*)+0x194 [ZOSCAN2B:../src/env.cc/:841]
 10: 0x284965DE uv__run_check+0xd6 [ZOSCAN2B:../deps/uv/src/unix/loop-watcher.c/:67]
 11: 0x27A8DBDC uv_run+0x24a [ZOSCAN2B:../deps/uv/src/unix/core.c/:394]
 12: 0x278F0CF6 node::NodeMainInstance::Run()+0x2c0 [ZOSCAN2B:../src/node_main_instance.cc/:130]
 13: 0x2670CA0C node::Start(int, char**)+0x34a [ZOSCAN2B:../src/node.cc/:1284]
 14: 0x2673BAAC main+0xe0 [ZOSCAN2B:../src/node_main.cc/:153]
 15: 0x2673BECA CELQINIT+0x1a98 [CELQINIT:]
CEE5207E The signal SIGABRT was received.
@bradh352 (Member)

bradh352 commented Jan 2, 2021

Ok, I see the issue:
https://github.com/nodejs/node/blob/873d21cdc1266273818a32ca1d6897db2f9f1e57/src/cares_wrap.cc#L802

Passes nullptr, 0 as the addr and addrlen; addrlen is then used for a malloc() call here:

hostent->h_addr_list[0] = ares_malloc(addrlen);

@bradh352 (Member)

bradh352 commented Jan 2, 2021

please try 0903dce

catalinh-bd added a commit to catalinh-bd/c-ares that referenced this issue Mar 5, 2021
The bug was generated because there was no check for the number
of items in the list and invalid memory was accessed when the list
was empty. There is a check for null after calling malloc but on
some systems it always returns a valid address for size equals 0.

For example, on macOS and Windows systems malloc returns a valid address:

https://man.openbsd.org/malloc.3
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/malloc

However, on Linux malloc returns NULL if size equals 0:

https://man7.org/linux/man-pages/man3/malloc.3.html

Also, the openBSD manual says it more clearly:

If nmemb or size is equal to 0, a unique pointer to an access protected,
zero sized object is returned. Access via this pointer will generate a
SIGSEGV exception.

Relates To: c-ares#392, 0903dce
bradh352 pushed a commit that referenced this issue Mar 5, 2021
The bug was generated because there was no check for the number
of items in the list and invalid memory was accessed when the list
was empty. There is a check for null after calling malloc but on
some systems it always returns a valid address for size equals 0.
Relates To: #392, 0903dce

Fix By: @catalinh-bd
sergepetrenko pushed a commit to tarantool/c-ares that referenced this issue Jul 29, 2022
NodeJS passes NULL for addr and 0 for addrlen parameters to ares_parse_ptr_reply().  On systems where malloc(0) returned NULL, this would cause the function to return ARES_ENOMEM, but the cleanup wasn't handled properly and would crash.

This patch fixes that bug, and also hardens ares_free_hostent() to not leak memory during cleanup.

Fixes: c-ares#392
Fix By: Brad House (@bradh352)
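An added illustration of the hardened pattern that commit describes (this is not c-ares code; the types and function names are hypothetical): reject a zero-length address up front instead of relying on what malloc(0) returns on a given platform, and make the cleanup routine safe to call on a partially built record so a failed allocation neither crashes nor leaks.

```c
/* Added example, not c-ares code. Hypothetical miniature of the
 * hostent-building path from this issue, with addrlen == 0 handled explicitly. */
#include <stdlib.h>
#include <string.h>

struct mini_hostent {
    char *h_name;
    char **h_addr_list;   /* NULL-terminated list of address buffers */
};

/* Models a platform where malloc(0) returns NULL. The builder below never
 * reaches it with n == 0, which is the point: the explicit length check makes
 * the allocator's zero-size behaviour irrelevant. */
static void *strict_malloc(size_t n) { return n == 0 ? NULL : malloc(n); }

/* Safe on partially built records: every field may still be NULL. */
void free_mini_hostent(struct mini_hostent *h) {
    if (h == NULL) return;
    if (h->h_addr_list != NULL) {
        for (char **p = h->h_addr_list; *p != NULL; p++) free(*p);
        free(h->h_addr_list);
    }
    free(h->h_name);
    free(h);
}

/* Returns 0 on success, -1 on allocation failure, -2 when no address was
 * supplied (addr == NULL or addrlen == 0), in which case nothing is built. */
int build_mini_hostent(const char *name, const unsigned char *addr,
                       size_t addrlen, struct mini_hostent **out) {
    *out = NULL;
    if (name == NULL || addr == NULL || addrlen == 0) return -2;
    struct mini_hostent *h = calloc(1, sizeof(*h));   /* zeroed: cleanup-safe */
    if (h == NULL) return -1;
    h->h_name = strict_malloc(strlen(name) + 1);
    h->h_addr_list = calloc(2, sizeof(char *));       /* one entry + NULL terminator */
    if (h->h_name == NULL || h->h_addr_list == NULL) { free_mini_hostent(h); return -1; }
    strcpy(h->h_name, name);
    h->h_addr_list[0] = strict_malloc(addrlen);
    if (h->h_addr_list[0] == NULL) { free_mini_hostent(h); return -1; }
    memcpy(h->h_addr_list[0], addr, addrlen);
    *out = h;
    return 0;
}
```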
sergepetrenko pushed a commit to tarantool/c-ares that referenced this issue Jul 29, 2022
The bug was generated because there was no check for the number
of items in the list and invalid memory was accessed when the list
was empty. There is a check for null after calling malloc but on
some systems it always returns a valid address for size equals 0.
Relates To: c-ares#392, 0903dce

Fix By: @catalinh-bd