Philip Hazel wrote:
> On Mon, 15 Dec 2003, Harald Schüler wrote:
>
>
>>LOG: MAIN PANIC DIE
>> internal error: store_reset(539560499) failed: pool=1 host.c 1246
>>
>>>>>>>>>>>>>>>>>>Exim pid=76672 terminating with rc=1 >>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>
>>Has anybody else seen this? I get several per hour on our incoming servers.
>>It seems to have something to do with IP addresses with a large number of
>>PTR records (probably more than fit into the UDP response). I'm not sure if
>>this is a bug in the resolver library (AIX 5.1ml3) or in Exim.
>
>
> It's certainly an Exim error in that it shouldn't ever encounter that,
> but it could be a bug in the resolver library that is provoking it.
>
> I tried "exim -bh 207.16.104.250" on a Linux box and it did not have a
> problem with the reverse lookup - it just found a large number of names
> for the IP address.
If you take a closer look I think you will find that the list is
incomplete, as the DNS answer was truncated, because it did not fit in
the provided buffer (1024 bytes). I noticed the same behaviour with Exim
4.20 on AIX. On 4.30/AIX this condition crashes Exim. I have a
workaround, which solves my immediate problem and makes Exim behave as
before:
===
diff -ur /tmp/orig/exim-4.30/src/host.c /tmp/exim-4.30/src/host.c
--- /tmp/orig/exim-4.30/src/host.c Mon Dec 1 11:15:41 2003
+++ /tmp/exim-4.30/src/host.c Wed Dec 17 21:14:29 2003
@@ -1241,8 +1241,12 @@
uschar *s = NULL;
if (rr->type != T_PTR) continue;
s = store_get(ssize);
- (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen,
- (uschar *)(rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize);
+ if (dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen,
+ (uschar *)(rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize) == -1)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "alias list truncated");
+ break;
+ }
store_reset(s + Ustrlen(s) + 1);
if (s[0] == 0)
{
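Review bot: in the new failure branch, `log_write(0, LOG_MAIN|LOG_PANIC, "alias list truncated")` writes a panic-level entry for a condition that any address with enough PTR records can trigger, and the message does not say which address was being looked up. Consider logging it to the main log only and including the address in the text, so the entry can be acted on and the panic log stays reserved for internal faults. Two smaller points: the `break` skips the `store_reset()` below, so the block just obtained from `store_get(ssize)` stays allocated, and resetting to `s` before breaking would release it; and testing the `dn_expand()` result with `< 0` rather than `== -1` is the more defensive form.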
===
I have not been able to find complete documentation for res_search and
friends (only manpages), but I think what happens when the answer is
truncated is highly implementation-specific. In any case it does not
seem safe to ignore the error code from dn_expand (although from looking
at the code I thought this case was already handled by dns_next_rr()).
Anyway, this does not solve the problem of the truncated response in
general. I think the buffer size should be increased, although I don't
know to what size, or how to find out the size. res_search on AIX
returns the buffer size (contrary to the comment in Exim's source), when
the buffer is too small. Maybe one could simply retry res_search with
the buffer size doubled, if answerlen >= buffersize? But even then one
would have to set an upper limit, to avoid DoS attacks.
--
Harald Schueler
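
The bounded retry suggested in the last paragraph of the message above, as an added example that is not part of the original post and is not Exim code. `bounded_query`, `query_fn`, `fake_resolver`, `demo` and the 65536-byte cap are assumptions made for illustration; the resolver is a constructed stand-in that returns the full answer length when the buffer is too small, as the message describes for AIX.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_ANSWER_SIZE 1024   /* buffer size named in the message */
#define MAX_ANSWER_SIZE     65536  /* assumed cap: a DNS message is at most 65535 bytes */

/* Hypothetical stand-in for res_search(): fills at most buflen bytes and returns
   the full answer length, so a result >= buflen means "buffer too small".
   A negative result means the resolver failed. */
typedef int (*query_fn)(void *ctx, unsigned char *buf, int buflen);

/* Returns the answer length with *out set to a malloc'd buffer the caller frees,
   -1 on resolver or allocation failure, -2 if the answer exceeds the cap. */
int bounded_query(query_fn q, void *ctx, unsigned char **out) {
  int size = INITIAL_ANSWER_SIZE;
  *out = NULL;
  for (;;) {
    unsigned char *buf = malloc((size_t)size);
    if (buf == NULL) return -1;
    int len = q(ctx, buf, size);
    if (len >= 0 && len < size) { *out = buf; return len; }  /* complete answer */
    free(buf);
    if (len < 0) return -1;
    if (size >= MAX_ANSWER_SIZE) return -2;  /* refuse to grow further */
    size *= 2;                               /* 1024, 2048, ... 65536 */
  }
}

/* Constructed fake resolver: ctx points to the pretended full answer length. */
int fake_resolver(void *ctx, unsigned char *buf, int buflen) {
  int full = *(int *)ctx;
  if (full < 0) return -1;
  memset(buf, 0xAB, (size_t)(full < buflen ? full : buflen));
  return full;
}

/* Runs one constructed lookup and returns bounded_query()'s status. */
int demo(int full) {
  unsigned char *answer;
  int rc = bounded_query(fake_resolver, &full, &answer);
  free(answer);
  return rc;
}

int main(void) {
  printf("%d %d %d\n", demo(300), demo(5000), demo(70000));
  return 0;
}
```

The cap bounds the memory a single hostile zone can make the lookup allocate; an answer that still does not fit is rejected rather than parsed in truncated form.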