res_search only incremented got_servfail for h_errno == TRY_AGAIN *AND*
hp->rcode == SERVFAIL. However, there are cases such as timeouts where
rcode is not always set to SERVFAIL. This leads to inconsistent nameserver
operation during multi-domain and truncated dot searches, especially during
booting when portions of the network are being brought up simultanious with
dns lookups.
This patch attempts to correct the problem by unconditionally terminating
the search if TRY_AGAIN is returned (after res_query has gone through all
retries and name servers) instead of trying other domain elements in the
domain seach path.
This patch should fix reported problems (which I can reproduce) with some
NFS mounts failing during boot. This occured because mount_nfs thought the
host name lookup returned a definitive failure using a non-dotted host name
when, in fact, it timed out on the first part (host.search.domain.name) and
got a definitive host-not-found response on the second part (host.).
Generally speaking, search path name server timeouts can exceed 60 seconds
per element and most machines which consistently timeout on earlier portions
of a search path are effectively non-operational due to the imposed delays.
It is more important for DNS lookups to return the proper error code then
to be able to recover a valid lookup in later portions of the search path
in these situations.
Obtained from: DragonFly
MFC after: 3 weeks
on temporary nameserver failure. This is necessary to get
getipnodebyname(3) to correctly return h_errno=TRY_AGAIN instead
of HOST_NOT_FOUND.
Reviewed by: green, thomas
MFC after: 1 week
case where an /etc/nsswitch.conf file was present, but could not
be opened (e.g. due to permissions). Previously, the open failure
condition was suppressed, and the built-in defaults were used. In
revision 1.11, however, propagated the open failure causing all
nsdispatch() invocations to return NS_UNAVAIL, and thus many APIs
including getpwnam and gethostbyname unconditionally failed.
This commit restores the previous behavior.
Pointy hat: nectar (+1 for obstinance; ache had to use clue bat)
Reported by: ache
library, it may pull in that thread library at run time. If the
process started out single-threaded, this could cause attempts to
release locks that do not exist. Guard against this possibility by
checking __isthreaded before invoking thread primitives.
A similar problem remains if the process is linked against one thread
library, but the NSS module is linked against another. This can only
be avoided by careful design of the NSS module.
Submitted by: Sean McNeil <sean@mcneil.com> (mostly; bugs are mine)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).
There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.
Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".
Tested on: i386 sparc64
The getaddrinfo(3), getipnodebyname(3) and resolver(3) can coincide now
with what should be totally reentrant, and h_errno values will now
be preserved correctly, but this does not affect interfaces such as
gethostbyname(3) which are still mostly non-reentrant.
In all of these relevant functions, the thread-safety has been pushed
down as far as it seems possible right now. This means that operations
that are selected via nsdispatch(3) (i.e. files, yp, dns) are protected
still under global locks that getaddrinfo(3) defines, but where possible
the locking is greatly reduced. The most noticeable improvement is
that multiple DNS lookups can now be run at the same time, and this
shows major improvement in performance of DNS-lookup threaded programs,
and solves the "Mozilla tab serialization" problem.
No single-threaded applications need to be recompiled. Multi-threaded
applications that reference "_res" to change resolver(3) options will
need to be recompiled, and ones which reference "h_errno" will also
if they desire the correct h_errno values. If the applications already
understood that _res and h_errno were not thread-safe and had their own
locking, they will see no performance improvement but will not
actually break in any way.
Please note that when NSS modules are used, or when nsdispatch(3)
defaults to adding any lookups of its own to the individual libc
_nsdispatch() calls, those MUST be reentrant as well.
incorrectly when encountering `large' groups (many members and/or many
long member names). The reporter tracked this down to the glibc NSS
module compatibility code (nss_compat.c): it would prematurely record
that a NSS module was finished iterating through its database in some
cases.
Two aspects are corrected:
1. nss_compat.c recorded that a NSS module was finished iterating
whenever the module reported something other than SUCCESS. The
correct logic is to continue iteration when the module reports
either SUCCESS or RETURN. The __nss_compat_getgrent_r and
__nss_compat_getpwent_r routines are updated to reflect this.
2. An internal helper macro __nss_compat_result is used to map glibc
NSS status codes to BSD NSS status codes (e.g. NSS_STATUS_SUCCESS ->
NS_SUCCESS). It provided the obvious mapping.
When a NSS routine is called with a too-small buffer, the
convention in the BSD NSS code is to report RETURN. (This is used
to implement reentrant APIs such as getpwnam_r(3).) However, the
convention in glibc for this case is to set errno = ERANGE and
overload TRYAGAIN. __nss_compat_result is updated to handle this
case.
PR: bin/60287
Reported by: Lachlan O'Dea <odela01@ca.com>
in KAME implementation, even when no policy is installed
into kernel, getaddrinfo(3) sorts addresses. Since it
causes POLA violation, I modified to don't sort addresses
when no policy is installed into kernel,
Obtained from: KAME
(aka RFC2292bis). Though I believe this commit doesn't break
backward compatibility againt existing binaries, it breaks
backward compatibility of API.
Now, the applications which use Advanced Sockets API such as
telnet, ping6, mld6query and traceroute6 use RFC3542 API.
Obtained from: KAME
always widen the imputed netmask if it is narrower than the specified octets.
fixes a strange behaviour where inet_net_pton would always return 4 (bits)
for multicast addresses no matter how many octets were specified.
negotiated with Paul Vixie, original author of this function.
PR: standards/53151
Submitted by: Max Laier <max@love2party.net>
Optained from: OpenBSD
technique) so that we don't wind up calling into an application's
version if the application defines them.
Inspired by: qpopper's interfering and buggy version of strlcpy
may be built into libc (`static NSS modules') or dynamically loaded
via dlopen (`dynamic NSS modules'). Modules are loaded/initialized
at configuration time (i.e. when nsdispatch is called and nsswitch.conf
is read or re-read).
= Make the nsdispatch(3) core thread-safe.
= New status code for nsdispatch(3) `NS_RETURN', currently used to
signal ERANGE-type issues.
= syslog(3) problems, don't warn/err/abort.
= Try harder to avoid namespace pollution.
= Implement some shims to assist in porting NSS modules written for
the GNU C Library nsswitch interface.
Sponsored by: DARPA, Network Associates Laboratories
