[Dnsmasq-discuss] 2.44test1 crashes after HUP and route changes

Jean Wolter jw5-dns at os.inf.tu-dresden.de
Wed Jul 16 23:26:53 BST 2008


Hello,

it looks like there is a bug in 2.44test1. It crashed in
nl_routechange, apparently while dereferencing
daemon->srv_save->sfd, which is set to zero in reload_servers().

Information from the core file:

Core was generated by `dnsmasq --min-port=4096'.
Program terminated with signal 11, Segmentation fault.
#0  0x0805afa9 in nl_routechange (h=0x10) at netlink.c:245
245             while(sendto(daemon->srv_save->sfd->fd, daemon->packet, daemon->packet_len, 0,
246                          &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send()); 

0x0805af87 <nl_routechange+53>: mov    0x8062e78,%eax
0x0805af8c <nl_routechange+58>: pushl  0x118(%eax)      # &daemon->srv_save->addr.sa
0x0805af92 <nl_routechange+64>: push   $0x0             # 0
0x0805af94 <nl_routechange+66>: pushl  0x11c(%eax)      # daemon->packet_len
0x0805af9a <nl_routechange+72>: pushl  0xf0(%eax)       # daemon->packet
0x0805afa0 <nl_routechange+78>: mov    0x118(%eax),%eax 
0x0805afa6 <nl_routechange+84>: mov    0x4c(%eax),%eax  
0x0805afa9 <nl_routechange+87>: pushl  (%eax)           # daemon->srv_save->sfd->fd, with sfd == 0
0x0805afab <nl_routechange+89>: call   0x8049958 <sendto@plt>

(gdb) i r
eax            0x0      0

eax is zero, dereferencing it leads to a SEGV.

It looks like dnsmasq received a HUP to re-read its config files and
detected a route change shortly after that. It tries to re-send the
last request, and dereferences daemon->srv_save->sfd, which was set to 0
while re-reading the config files.

regards,
Jean
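
The sequence described in the message above (HUP, then a route change), as a small stand-alone C model added here for illustration; it is not dnsmasq code, and the struct layouts, `model_reload` and `model_routechange` are hypothetical stand-ins. It shows one possible guard that skips the re-send when the saved server's `sfd` has been cleared.

```c
#include <stddef.h>

/* Hypothetical, simplified stand-ins for the structures named in the report. */
struct serverfd { int fd; };
struct server   { struct serverfd *sfd; };
struct daemon_state {
    struct server *srv_save;  /* server the last query was forwarded to */
    int packet_len;           /* length of the saved query */
    int last_fd;              /* fd a re-send would use; -1 if none happened */
};

/* Models the effect described in the report: after a HUP the saved
   server's socket pointer is zeroed while srv_save still points at it. */
static void model_reload(struct daemon_state *d)
{
    if (d->srv_save)
        d->srv_save->sfd = NULL;
}

/* Route-change handler with the checks the crashing line lacks.
   Returns 1 if the saved query would be re-sent, 0 if it is skipped. */
static int model_routechange(struct daemon_state *d)
{
    if (d->srv_save == NULL || d->srv_save->sfd == NULL || d->packet_len == 0)
        return 0;             /* stale state: do not dereference sfd */
    d->last_fd = d->srv_save->sfd->fd;  /* real code would call sendto() here */
    return 1;
}

/* Replays the reported sequence: forward, HUP, route change. */
int main(void)
{
    struct serverfd s = { 5 };               /* constructed sample socket */
    struct server srv = { &s };
    struct daemon_state d = { &srv, 64, -1 };

    int before = model_routechange(&d);      /* socket valid: re-send happens */
    model_reload(&d);                        /* HUP clears sfd */
    int after = model_routechange(&d);       /* guarded: skipped, no SEGV */
    return (before == 1 && after == 0) ? 0 : 1;
}
```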


