keyword gethostbyname() <= 5.24.0-5.43.1 buffer overflow/heap corruption (update: docs bug)

[bulk88]

Description

Its very rare nowadays for the interp to show instant heap corruption or instant buffer overflows, from basic, simple, non-fuzzing PP production code, but I randomly ran into this 5 mins ago.

I will probably fix this myself in another PR in the near future since it is for sure something basic and the pp_*() that implements that OP_CODE probably needs its 10 year scheduled cleanup of its XS macros choices.

Also is this buffer overflow a WinPerl only bug or an AnyOS Perl bug?

Steps to Reproduce

Perl executable: C:\Strawberry\sp2464\perl\bin\perl.exe
Perl version   : 5.24.4 / MSWin32-x64-multi-thread

C:\Strawberry\sp2464>perl -e"print gethostbyname(undef);"
LVT42024└¿☺u└¿☺♫└¿8☺
C:\Strawberry\sp2464>

C:\p42rc0>perl -e"print gethostbyname(undef);"
LVT42024└¿☺u└¿☺♫└¿8☺
C:\p42rc0>perl -v

This is perl 5, version 42, subversion 0 (v5.42.0-RC1-3-g8b524d3ea2c*) built for
 MSWin32-x64-multi-thread
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2025, Larry Wall

Expected behavior
the "LVT420" is legit, the rest of the buffer is not.

LVT42024=C0=A8=01u=C0=A8=01=0E=C0=A88=01

4C 56 54 34 32 30 32 34 C0 A8 01 75 C0 A8 01 0E
 C0 A8 38 01

My quick and dirty attempt at a hex dump of that string. There might be a very different byte sequence sitting in VM addr space if someone BPs it and examines the SV* on a C level.

Perl configuration
see above for -v

[richardleach]

Heap corruption or arbitrary read?

At first glance, the behaviour is different on a stock Debian perl.

• print gethostbyname(undef) doesn't print anything
• gethostbyname(undef) or die $? outputs 3 at -e line 1.

[bulk88]

Note, I am feeding junk arguments in on purpose, I was expected the retval to be one of these undef, "", empty list, IV 0, IV -1, or &PL_sv_no. I was not expecting to see any kind of partial or fully correct or useful output such as my system's LAN name.

[richardleach]

https://learn.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-gethostbyname says: If the name parameter points to an empty string or name is NULL, the returned string is the same as the string returned by a successful function call (the standard host name for the local computer).

[bulk88]

Heap corruption or arbitrary read?

At first glance, the behaviour is different on a stock Debian perl.

• print gethostbyname(undef) doesn't print anything
• gethostbyname(undef) or die $? outputs 3 at -e line 1.

C:\p42rc0>perl -MDevel::Peek -e"Dump(gethostbyname(undef));"
SV = PV(0x46aeb8) at 0x46a670
  REFCNT = 1
  FLAGS = (TEMP,POK,pPOK)
  PV = 0x4c0b58 "\xC0\xA8\x01u"\0
  CUR = 4
  LEN = 16

C:\p42rc0>

C:\p42rc0>perl -MDevel::Peek -e"Dump([gethostbyname(undef)]);"
SV = IV(0x37b880) at 0x37b890
  REFCNT = 1
  FLAGS = (TEMP,ROK)
  RV = 0x37b590
  SV = PVAV(0x33cac8) at 0x37b590
    REFCNT = 1
    FLAGS = ()
    ARRAY = 0x386968
    FILL = 6
    MAX = 6
    FLAGS = (REAL)
    Elt No. 0
    SV = PV(0x33b378) at 0x37b5f0
      REFCNT = 1
      FLAGS = (POK,pPOK)
      PV = 0x38e1b8 "LVT420"\0
      CUR = 6
      LEN = 16
    Elt No. 1
    SV = PVNV(0x332fb8) at 0x37b650
      REFCNT = 1
      FLAGS = (IOK,NOK,POK,IsCOW,pIOK,pNOK,pPOK)
      IV = 0
      NV = 0
      PV = 0x7fe8c8aee72 "" [BOOL PL_No]
      CUR = 0
      LEN = 0
    Elt No. 2
    SV = IV(0x37b6a0) at 0x37b6b0
      REFCNT = 1
      FLAGS = (IOK,pIOK)
      IV = 2
    Elt No. 3
    SV = IV(0x37b700) at 0x37b710
      REFCNT = 1
      FLAGS = (IOK,pIOK)
      IV = 4

C:\p42rc0>

After seeing this, its not a 90 seconds typing, 9 minutes for test_porting style patch. But I predict its some 3-7 page long diff of a general refactor of 2-5 different interrelated functions. Im not able to open a C debugger at this moment.

[richardleach]

What does print join ",", gethostbyname(undef) give you? And is it the same as the result of print join ",", gethostbyname(localhost)?

For the latter here, I get: localhost,ip6-localhost ip6-loopback,2,4,,
If there isn't an alias for localhost on your machine, LVT420 plus the 24 seems reasonable.

The remaining output is then documented in https://perldoc.perl.org/functions/gethostbyname as being The @addrs value returned by a successful call is a list of raw addresses returned by the corresponding library call. - could that be what you're seeing?

[mauke]

Is there even a bug here (let alone heap corruption)? The expected behavior description ("the "LVT420" is legit, the rest of the buffer is not") makes no sense because gethostbyname does not return a string/buffer in list context; it returns a list of values, some of which are packed binary. So the "hex dump of that string" does not show a string at all, but a mix of strings, integers, and binary addresses.

For comparison:

$ perl -wE 'say s/[^[:print:]]/sprintf q(\\x%02X), ord $&/egr for gethostbyname q(localhost)'
localhost

2
4
\x7F\x00\x00\x01

(With cmd.exe, that would have to be something like perl -wE "say s/[^^[:print:]]/sprintf q(\\x%02X), ord $&/egr for gethostbyname q(localhost)", I believe.)

If you enable -w, you can see that perl coerces undef to "" in gethostbyname, so the only real surprise here is that Windows successfully resolves an empty string. (Which, as Richard points out, is documented behavior.)

[tonycoz]

C0 A8 01 75 C0 A8 01 0E C0 A8 38 01

192.168.1.117, 192.168.1.14, 192.168.56.1

These look like reasonable LAN addresses to me.

I don't see any evidence of a buffer overflow or heap corruption.

[bulk88]

C0 A8 01 75 C0 A8 01 0E C0 A8 38 01

192.168.1.117, 192.168.1.14, 192.168.56.1

These look like reasonable LAN addresses to me.

I don't see any evidence of a buffer overflow or heap corruption.

C0 A8 01 75 C0 A8 01 0E C0 A8 38 01

192.168.1.117, 192.168.1.14, 192.168.56.1

These look like reasonable LAN addresses to me.

I don't see any evidence of a buffer overflow or heap corruption.

I will write a longer response soon, but I believe this bug is strictly a P5P docs problem inside the POD at https://perldoc.perl.org/functions/gethostbyname

And there is no P5P-controlled C code that needs to be changed to fix this ticket, but the POD text at https://perldoc.perl.org/functions/gethostbyname needs some changes.

The entire POD section located at https://perldoc.perl.org/functions/gethostbyname is unreadable to me. Not just for gethostbyname but for all the PP tokens named dropped on that web page.

For the gethost() functions, if the h_errno variable is supported in C, it will be returned to you via $? if the function call fails.*

What kind of language is this?

Is AT&T System 3 Unix still a draft proposal getting bike-shedded to death?

Why does P5P have a legal disclaimer in 2025 that Perl only has experimental support for AT&T SVR2/SVR3/SVR4 Unix?

All Perl releases and ports, have had a "working" (😉) errno C grammar token for decades.

I have "No Comment" on who authored and and what code base is responsible for maintaining that errno token inside the P5P interp repo.

I and everyone else only needs to know the errno token works just like you would expect, and won't pop up a runloop blocking GUI box where the end user must click on radio buttons with the labels of "VMS", "Windows", "OS/2" and "Z/OS".

Nothing on the page https://perldoc.perl.org/functions/gethostbyname says that

gethostbyname(undef)/gethostbyname()/gethostbyname("")/my $scalar = gethostbyname;

means "use default value of XYZ" or "use $_ as the input string", so I filed this bug.

My initial impression was that it looks like a non-null terminated char buffer[] got strlen()-ed by perl's Perl_pp_gethostbyname() after FooOS's/AnyOS's gethostbyname() returned -1 or NULL back to function Perl_pp_gethostbyname(), and Perl_pp_gethostbyname() screwed up somehow, with a 75% chance the bug is only inside the Win32 variant of Perl_pp_gethostbyname().

A co-worker asked borrowed my laptop the other day to work on an issue with a private biz repo branch, so I didn't have access to a C step debugger to diagnose it any further after I discovered the bizarre retval/retlist contents of gethostbyname().

[bulk88]

For C level stuff below, I am single stepping test script perl -e"system 'pause'; print gethostbyname(undef);" in VS IDE.

Opcode Perl_pp_ghostent() really needs a routine 10 year scheduled cleanup of its XS code. It is creating at run loop time a new mortal SV* head + XPV body + 0x10 long Newx() buffer for no good reason.

https://man7.org/linux/man-pages/man3/gethostbyname.3.html

       [[deprecated]] struct hostent *gethostbyname(const char *name);

Input char* is decl const and therefore is a read-only input. No reason to de-cow or SvPV_force() the SV* addr obtained from $_[0].

sv.c  3301:         SV *sv2 = sv_newmortal();
000007FEA88A0176 48 8B CE             mov         rcx,rsi  
000007FEA88A0179 E8 82 84 00 00       call        Perl_sv_newmortal (07FEA88A8600h)  
sv.c  3302:         sv_copypv_nomg(sv2,sv);

 	[Inline Frame] perl542.dll!Perl_SvPV_helper(interpreter * flags, sv * const) Line 961	C
	perl542.dll!Perl_sv_copypv_flags(interpreter * my_perl, sv * const dsv, sv * const ssv, const long flags) Line 3263	C
 	perl542.dll!Perl_sv_2pvbyte_flags(interpreter * my_perl, sv * sv, unsigned __int64 * const lp, const unsigned long flags) Line 3303	C
 	[Inline Frame] perl542.dll!Perl_SvPV_helper(interpreter *) Line 961	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5265	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

	perl542.dll!Perl_sv_upgrade(interpreter * my_perl, sv * const sv, svtype new_type) Line 968	C
 	perl542.dll!Perl_sv_setpvn(interpreter * my_perl, sv * const sv, const char * const ptr, const unsigned __int64 len) Line 5082	C
 	perl542.dll!Perl_sv_copypv_flags(interpreter * my_perl, sv * const dsv, sv * const ssv, const long flags) Line 3265	C
 	perl542.dll!Perl_sv_2pvbyte_flags(interpreter * my_perl, sv * sv, unsigned __int64 * const lp, const unsigned long flags) Line 3303	C
 	[Inline Frame] perl542.dll!Perl_SvPV_helper(interpreter *) Line 961	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5265	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

	ntdll.dll!RtlAllocateHeap�()	Unknown
 	ucrtbase.dll!_malloc_base()	Unknown
 	perl542.dll!VMemNL::Malloc(unsigned __int64 size) Line 253	C++
 	perl542.dll!Perl_safesysmalloc(unsigned __int64 size) Line 176	C
 	perl542.dll!Perl_sv_grow(interpreter * my_perl, sv * const sv, unsigned __int64 newlen) Line 1429	C
 	perl542.dll!Perl_sv_setpvn(interpreter * my_perl, sv * const sv, const char * const ptr, const unsigned __int64 len) Line 5082	C
 	perl542.dll!Perl_sv_copypv_flags(interpreter * my_perl, sv * const dsv, sv * const ssv, const long flags) Line 3265	C
 	perl542.dll!Perl_sv_2pvbyte_flags(interpreter * my_perl, sv * sv, unsigned __int64 * const lp, const unsigned long flags) Line 3303	C
 	[Inline Frame] perl542.dll!Perl_SvPV_helper(interpreter *) Line 961	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5265	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Now WinPerl's Delay Loader works as designed. Yay!

000007FEA8978D17 48 8D 05 22 3F 1C 00 lea         rax,[__imp_gethostbyname (07FEA8B3CC40h)]  
000007FEA8978D1E E9 07 FE FF FF       jmp         __tailMerge_ws2_32_dll (07FEA8978B2Ah)  

>	perl542.dll!__imp_load_gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

	perl542.dll!__delayLoadHelper2(const ImgDelayDescr * pidd, __int64(*)() * ppfnIATEntry) Line 202	C++
 	perl542.dll!__tailMerge_ws2_32_dll�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

>	ntdll.dll!LdrGetProcedureAddressEx�()	Unknown
 	ntdll.dll!LdrGetProcedureAddress�()	Unknown
 	KernelBase.dll!GetProcAddress()	Unknown
 	perl542.dll!__delayLoadHelper2(const ImgDelayDescr * pidd, __int64(*)() * ppfnIATEntry) Line 352	C++
 	perl542.dll!__tailMerge_ws2_32_dll�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Now after the symbol is resolved (permanently!!!), winsock dll is entered as designed. And Winsock immediately fetches its TLS metadata, or fetches its "private TID class C++ object" from TLS.

>	kernel32.dll!TlsGetValue�()	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

So now we know all of WinSock's public API is thread-safe/reentrant-safe/can't-create-a-thread-race-condition.

PS, as of Win 11 build 22000, your-code-will-SEGV-EVERY-TIME!!! thread-unsafe unix signals have been added to the public API of Windows OS, (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc2)[QueueUserAPC2]. But this new Win11 function isn't a problem for Perl. It is a bug, for any line of C code, in the entire Windows OS ecosystem, to ever call QueueUserAPC2().

The handle must have THREAD_SET_CONTEXT access permission.

Cool magic trick, but why on earth are you using a ring-0 syscall that requires the C Debugger Single Step Break Point ACL permission bit?

Answer: So that 20 different AV/Malware/C developer tools don't mark my binary as "malware-like behavior" in their log files, because if I call (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread) [SuspendThread()] and (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext) [SetThreadContext()] symbols in production, my app is now (https://en.wikipedia.org/wiki/Mary_Mallon) [Typhoid Mary].

Back to the PP keyword's control flow.

>	ntdll.dll!RtlAllocateHeap�()	Unknown
 	ws2_32.dll!DTHREAD::CreateDThreadForCurrentThread(class DPROCESS *,class DTHREAD * *)	Unknown
 	ws2_32.dll!SlowPrologOvlp(class DTHREAD * *)	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

WinSock needs to Ctor a new TID C++ object b/c this is the 1st function call ever to WinSock DLL in this process.

>	kernel32.dll!DuplicateHandleImplementation�()	Unknown
 	ws2_32.dll!WahOpenCurrentThread�()	Unknown
 	ws2_32.dll!DTHREAD::CreateDThreadForCurrentThread(class DPROCESS *,class DTHREAD * *)	Unknown
 	ws2_32.dll!SlowPrologOvlp(class DTHREAD * *)	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Very very good code!!! WinSock keeps track of Live and Dead TIDs so that the private TID C++ objects WinSock keeps inside TLS don't turn into a memory leak. There is absolutely nothing wrong with end user code doing 1 CreateThread() call for each recv() call it does.

The following callstack shows some UB that no one should code against. I didn't know about this env var _CLUSTER_NETWORK_NAME_ until this moment. IDC what it does b/c its probably 100% undocumented by MS. Shame on MS for calling GetEnvironmentVariableA() instead of GetEnvironmentVariableW(). Eat your DogFood() MS!

>	KernelBase.dll!GetEnvironmentVariableA()	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

The next breakpoint of mine that VS IDE hit, shows exactly why I am trying to restore WinPerl's Delay Load ws2_32.dll feature in 5.43, and why I created the OP post in this ticket.

>	ntdll.dll!LdrGetProcedureAddressEx�()	Unknown
 	ntdll.dll!LdrpSnapThunk�()	Unknown
 	ntdll.dll!LdrpSnapIAT�()	Unknown
 	ntdll.dll!LdrpHandleOneOldFormatImportDescriptor�()	Unknown
 	ntdll.dll!LdrpProcessStaticImports�()	Unknown
 	ntdll.dll!LdrpLoadDll�()	Unknown
 	ntdll.dll!LdrLoadDll�()	Unknown
 	KernelBase.dll!LoadLibraryExW�()	Unknown
 	ws2_32.dll!NSPROVIDER::Initialize(unsigned short *,struct _GUID *,unsigned long)	Unknown
 	ws2_32.dll!NSCATALOG::LoadProvider(class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!LookupBeginEnumerationProc(void *,class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceBegin(struct _WSAQuerySetW *,unsigned long,class NSCATALOG *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginW�()	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

ws2_32.dll and the rest of the user mode WinSock API, is one of the most complicated, most multiple-layered, multi-hookable at multiple levels, APIs ever invented.

Unless the perl.exe process WANTS to go on the World Wide Web, there is absolutly no reason for ws2_32.dll to be in the address space of perl.exe's process. C grammer token/linker symbol extern "C' unsigned int __stdcall htonl(unsigned int); is not a valid reason for ws2_32.dll to be in the address space of perl.exe's process but that is another Pull Request.

Below WinSock wants symbol NSPStartup from the nlaapi.dll it just loaded into addr space.

>	ntdll.dll!LdrGetProcedureAddressEx�()	Unknown
 	ntdll.dll!LdrGetProcedureAddress�()	Unknown
 	KernelBase.dll!GetProcAddress()	Unknown
 	ws2_32.dll!NSPROVIDER::Initialize(unsigned short *,struct _GUID *,unsigned long)	Unknown
 	ws2_32.dll!NSCATALOG::LoadProvider(class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!LookupBeginEnumerationProc(void *,class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceBegin(struct _WSAQuerySetW *,unsigned long,class NSCATALOG *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginW�()	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

>	nlaapi.dll!NSPStartup�()	Unknown
 	ws2_32.dll!NSPROVIDER::Initialize(unsigned short *,struct _GUID *,unsigned long)	Unknown
 	ws2_32.dll!NSCATALOG::LoadProvider(class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!LookupBeginEnumerationProc(void *,class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceBegin(struct _WSAQuerySetW *,unsigned long,class NSCATALOG *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginW�()	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Cool, now nlaapi.dll is being a good citizen and making its own private malloc() pool so that it (nlaapi.dll) can be 100% leak free when its dynamically unloaded from addr space.

>	KernelBase.dll!HeapCreate()	Unknown
 	nlaapi.dll!NSPStartup�()	Unknown
 	ws2_32.dll!NSPROVIDER::Initialize(unsigned short *,struct _GUID *,unsigned long)	Unknown
 	ws2_32.dll!NSCATALOG::LoadProvider(class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!LookupBeginEnumerationProc(void *,class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceBegin(struct _WSAQuerySetW *,unsigned long,class NSCATALOG *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginW�()	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

This is now a loop of WinSock loading every last ethernet NIC driver, DNS driver, LDAP driver, pre-historic non-TCPIP (https://en.wikipedia.org/wiki/EtherType) [EtherType] protocol driver, Radius driver, ActiveDirectory driver, and TLS PKI root certificate that is listed in the Windows Registry.

>	ws2_32.dll!NSPROVIDER::Initialize(unsigned short *,struct _GUID *,unsigned long)	Unknown
 	ws2_32.dll!NSCATALOG::LoadProvider(class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!LookupBeginEnumerationProc(void *,class NSCATALOGENTRY *)	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceBegin(struct _WSAQuerySetW *,unsigned long,class NSCATALOG *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginW�()	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Something matched from one of our protocol drivers. Time to ASCII-ify our retval. Remember folks, the output of RtlUnicodeStringToAnsiString() and WideCharToMultiByte() aren't always identical.

Public API function call WideCharToMultiByte() gets its static const U16 unicode_tables[]; updated every 3-12 months by MS.

Public API function call RtlUnicodeStringToAnsiString() is frozen at Draft 9 of ISO 10646, from 1988 or 1987 or 1986. Only Dave Cutler (1942-) and Hugh McGregor Ross (1917-2014) know the truth. Converting single-byte Code Page, WTF-8, and UTF-8 encoded password strings to UTF-16 password strings was a huge historical mistake by MS that they can't undo because it is part of Public API. Sucks for them.

>	KernelBase.dll!WideCharToMultiByte()	Unknown
 	ws2_32.dll!ansi_dup_from_wcs(unsigned short *)	Unknown
 	ws2_32.dll!MapUnicodeQuerySetToAnsi(struct _WSAQuerySetW *,unsigned long *,struct _WSAQuerySetA *)	Unknown
 	ws2_32.dll!WSALookupServiceNextA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Finally, time to dtor the std::MS::WinDNS object.

>	mswsock.dll!Dns_NSPLookupServiceEnd�()	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceEnd(void)	Unknown
 	ws2_32.dll!WSALookupServiceEnd�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostname�()	Unknown
 	ws2_32.dll!__chkstk�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C

Oh no, another loop through some array of EtherType Protocol drivers. I'll skip the rest of this loop.

>	ws2_32.dll!MapAnsiQuerySetToUnicode(struct _WSAQuerySetA *,unsigned long *,struct _WSAQuerySetW *)	Unknown
 	ws2_32.dll!WSALookupServiceBeginA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

This nonsense is why Go runtime and Zig runtime reverse engineered (or copied from Wine/ReactOS) all of WinSock's DeviceIOControl() constants that it send to afd.sys, and both them directly call Micosoft's undocumented TCP/UDP/DNS kernel driver directly with no bloated Ring-3 middleware.

>	mswsock.dll!Dns_NSPLookupServiceNext�()	Unknown
 	ws2_32.dll!NSQUERY::LookupServiceNext(unsigned long,unsigned long *,struct _WSAQuerySetW *)	Unknown
 	ws2_32.dll!WSALookupServiceNextW�()	Unknown
 	ws2_32.dll!WSALookupServiceNextA�()	Unknown
 	ws2_32.dll!getxyDataEnt(char * *,unsigned long,char *,struct _GUID *,char * *)	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Who knows what this does but the symbol names in the BT are cute.

>	ws2_32.dll!FixList(void * * *,unsigned __int64)	Unknown
 	ws2_32.dll!UnpackHostEnt(struct hostent *)	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Now time for Winsock to call the secret America OnLine callback hooks if they are available !!!!!

The AOL GUI gets to filter the retval for perl542.dll!win32_gethostbyname() before WinSock returns control to perl542.dll!win32_gethostbyname().

>	ws2_32.dll!LoadAutodialHelperDll(void)	Unknown
 	ws2_32.dll!WSNoteSuccessfulHostentLookup(char const *,unsigned long)	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

Uh oh, WinSock actually found the "America OnLine" DLL on my system. The disk name of the DLL is "rasadhlp.dll". I will need to rev eng this ("rasadhlp.dll") later for my own curiosity.

>	ntdll.dll!RtlInitAnsiStringEx�()	Unknown
 	KernelBase.dll!LoadLibraryExA()	Unknown
 	ws2_32.dll!LoadAutodialHelperDll(void)	Unknown
 	ws2_32.dll!WSNoteSuccessfulHostentLookup(char const *,unsigned long)	Unknown
 	ws2_32.dll!gethostbyname�()	Unknown
 	perl542.dll!win32_gethostbyname(const char * name) Line 649	C
 	perl542.dll!Perl_pp_ghostent(interpreter * my_perl) Line 5270	C
 	perl542.dll!Perl_runops_standard(interpreter * my_perl) Line 41	C
 	perl542.dll!S_run_body(interpreter * my_perl, long oldscope) Line 2886	C
 	perl542.dll!perl_run(interpreter * my_perl) Line 2799	C
 	perl542.dll!RunPerl(int argc, char * * argv, char * * env) Line 219	C++
 	[Inline Frame] perl.exe!invoke_main() Line 78	C++
 	perl.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk�()	Unknown
 	ntdll.dll!RtlUserThreadStart�()	Unknown

The function call that winsock called inside "rasadhlp.dll" was a 1 or 2 CPU instructions long noop();.

FINALLY back inside perl542.dll. I can confirm there is no heap corruption or buffer over-read going on inside libperl. The retval * from the winsock fn symbol is 100% correctly filled out by the winsock dll.

This bug is about grade D+ API docs somewhere inside the p5p/.git/pod folder.

This bug isn't about any C code inside p5p/.git, unless someone else (not @bulk88), thinks line

perl5/pp_sys.c

Line 5265 in b40ae72

const char* const name = POPpbytex;

needs to be changed to something more fuzz-resistant. Perhaps something like this:

    SV* namesv = POPs;
    SvGETMAGIC(namesv);
    if ( !SvPOK(namesv) || SvUTF8(namesv) || SvEND(namesv) )
         croak("%s: the SV* you passed holds garbage", "gethostbyname");
    hent = PerlSock_gethostbyname(SvPVX_const(namesv));

[mauke]

I and everyone else only needs to know the errno token works just like you would expect,

There is no errno "token" in Perl, and C gethostbyname does not touch errno.

and won't pop up a runloop blocking GUI box where the end user must click on radio buttons with the labels of "VMS", "Windows", "OS/2" and "Z/OS".

jesse-wtf-are-you-talking-about.jpg

Nothing on the page https://perldoc.perl.org/functions/gethostbyname says that

gethostbyname(undef)/gethostbyname()/gethostbyname("")/my $scalar = gethostbyname;

means "use default value of XYZ" or "use $_ as the input string", so I filed this bug.

No, you filed this bug because you thought there was a memory corruption bug.

gethostbyname does not use $_. perldoc -f gethostbyname lists gethostbyname as taking a single string argument:

gethostbyname NAME

Which is correct:

$ perl -we 'gethostbyname()'
Not enough arguments for gethostbyname at -e line 1, near "gethostbyname()
"
Execution of -e aborted due to compilation errors.
$ perl -we 'my $scalar = gethostbyname;'
Not enough arguments for gethostbyname at -e line 1, near "gethostbyname;"
Execution of -e aborted due to compilation errors.
$ perl -we 'my @x = gethostbyname(undef)'
Use of uninitialized value in gethostbyname at -e line 1.

Passing no arguments is a syntax error; passing undef converts it to a string. At no point is $_ involved.

I'm not going to wade through the rest of this logorrhea.