resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)

The default network value of zero for net was never tested for and
results in a DNS query constructed from uninitialized stack bytes.
The solution is to provide a default query for the case where net
is zero.

Adding a test case for this was straight forward given the existence of
tst-resolv-network and if the test is added without the fix you observe
this failure:

FAIL: resolv/tst-resolv-network
original exit status 1
error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
error: 1 test failures

With a random QNAME resulting from the use of uninitialized stack bytes.

After the fix the test passes.

Additionally verified using wireshark before and after to ensure
on-the-wire bytes for the DNS query were as expected.

No regressions on x86_64.

Reviewed-by: Florian Weimer <fweimer@redhat.com>

resolv/nss_dns/dns-network.c

@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
       sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
 	       net_bytes[1], net_bytes[0]);
       break;
+    default:
+      /* Default network (net is originally zero).  */
+      strcpy (qbuf, "0.0.0.0.in-addr.arpa");
+      break;
     }
 
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);

resolv/tst-resolv-network.c

@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
 {
   switch (code)
     {
+    case 0:
+      send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
+      break;
     case 1:
       send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
       break;
@@ -265,6 +268,9 @@ do_test (void)
                 "error: TRY_AGAIN\n");
 
   /* Lookup by address, success cases.  */
+  check_reverse (0,
+                 "name: 0.in-addr.arpa\n"
+                 "net: 0x00000000\n");
   check_reverse (1,
                  "name: 1.in-addr.arpa\n"
                  "net: 0x00000001\n");