The dns_send_req function fails on Solaris 10 x86 when response packet has to switch to TCP. Issue is that res_search function does not return an answer length other than the buffer size passed in. Thus logic in function fails to cope with truncated packets since it never gets a larger buffer length. Possible fixes include test for truncation through ns_msg_getflag (only available in libresolv.a on Linux) or automatically increasing buffer size when resp_len == buf_len. There does not appear to be easy way to get required buffer size for truncated packet on Solaris (unlike equivalent on Linux). Test can occur just prior to while loop check. Truncated packet data causes failure to resolve SRV records for domain if large number of domain controllers and thus failure to get logon servers (net ads testjoin fails).
Untested patch: --- libads/dns.c (revision 293) +++ libads/dns.c (working copy) @@ -303,6 +303,18 @@ } return NT_STATUS_UNSUCCESSFUL; } + /* Possible buffer overflow */ + if ( resp_len == buf_len ) { + if (resp_len * 2 < MAX_DNS_PACKET_SIZE - 1) + resp_len *= 2; + else if (resp_len < MAX_DNS_PACKET_SIZE - 1) + resp_len = MAX_DNS_PACKET_SIZE - 1; + else { + DEBUG(3,("ads_dns_lookup_srv: response too big resolving %s\n", name)); + TALLOC_FREE( buffer ); + return NT_STATUS_UNSUCCESSFUL; + } + } } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE ); *buf = buffer;
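Review bot: the `resp_len == buf_len` test in the added block also fires for a complete answer that happens to fill the buffer exactly, so such a reply costs one more pass through the loop, and at `MAX_DNS_PACKET_SIZE - 1` it is rejected in the else branch with NT_STATUS_UNSUCCESSFUL; where the header's TC flag can be read, check it as well before growing. The comment `/* Possible buffer overflow */` describes a truncated reply rather than an overflow and should say so, and the DEBUG text names ads_dns_lookup_srv while the report places this code in dns_send_req.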
Confirmed issue on AIX as well. Fix in all 3.x branches.
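The two truncation tests named in the report (the TC flag and "returned length equals buffer size"), combined into one capped growth decision; this is an added example, not Samba code. It reads the TC bit straight from the raw header instead of calling ns_msg_getflag, and `dns_resp_truncated`, `dns_next_buf_len`, `EX_MAX_LEN` and the sample headers are names and values assumed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HDR_LEN 12     /* fixed DNS header length (RFC 1035) */
#define DNS_TC_MASK 0x02   /* TC bit in header byte 2 */
#define EX_MAX_LEN  65535  /* assumed cap, stands in for MAX_DNS_PACKET_SIZE */

/* Constructed sample headers: id 0x1234, QR=1 RD=1, with and without TC. */
static const uint8_t sample_tc[DNS_HDR_LEN] = { 0x12, 0x34, 0x83, 0x80 };
static const uint8_t sample_ok[DNS_HDR_LEN] = { 0x12, 0x34, 0x81, 0x80 };

/* 1 if the raw response carries the TC flag, 0 otherwise or if too short. */
int dns_resp_truncated(const uint8_t *resp, size_t len)
{
    if (resp == NULL || len < DNS_HDR_LEN)
        return 0;
    return (resp[2] & DNS_TC_MASK) != 0;
}

/*
 * Buffer size for the next attempt: 0 = answer complete, SIZE_MAX = cap
 * reached, anything else = retry with a buffer of that size.
 */
size_t dns_next_buf_len(const uint8_t *resp, size_t resp_len,
                        size_t buf_len, size_t max_len)
{
    /* A resolver that never reports more than buf_len looks "filled". */
    int filled = resp_len >= buf_len;

    if (!filled && !dns_resp_truncated(resp, resp_len))
        return 0;
    if (buf_len >= max_len)
        return SIZE_MAX;
    /* Double, but clamp to the cap without overflowing the multiply. */
    return (buf_len > max_len / 2) ? max_len : buf_len * 2;
}

int main(void)
{
    printf("%zu\n", dns_next_buf_len(sample_tc, 12, 512, EX_MAX_LEN));
    printf("%zu\n", dns_next_buf_len(sample_ok, 12, 512, EX_MAX_LEN));
    return 0;
}
```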