[Dnsmasq-discuss] DNSSEC validation causes SIGSEGV by strcpy from 0x0

[Alex Xu]

*some* requests cause dnsmasq to segfault in DNSSEC code in both 2.69rc1
and git master:

Program received signal SIGSEGV, Segmentation fault.
0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt
#0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
#1  0x000000000041864f in strcpy (__src=0x0, __dest=0x44b210 "org") at
/usr/include/bits/string3.h:104
#2  send_check_sign (now=1395783172, header=<optimized out>,
plen=<optimized out>, name=<optimized out>, keyname=0x44b210 "org") at
forward.c:1331
#3  0x00000000004183df in reply_query (fd=<optimized out>,
family=<optimized out>, now=now at entry=1395783172) at forward.c:823
#4  0x000000000041b38c in check_dns_listeners
(set=set at entry=0x7fffffffe370, now=now at entry=1395783172) at dnsmasq.c:1431
#5  0x000000000041caac in main (argc=<optimized out>, argv=<optimized
out>) at dnsmasq.c:951

The chances of this being exploitable are low as it is a NULL
dereference, but it is still a possible DoS attack.

Also reproduced with -O0:

(gdb) bt
#0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
#1  0x000000000041e1ae in send_check_sign (now=1395783599,
header=0x45b200, plen=71, name=0x45a010 "www.dnssec-failed.org",
keyname=0x45c210 "org") at forward.c:1331
#2  0x000000000041cf20 in reply_query (fd=11, family=2, now=1395783599)
at forward.c:823
#3  0x0000000000425da0 in check_dns_listeners (set=0x7fffffffe240,
now=1395783599) at dnsmasq.c:1431
#4  0x0000000000424c9a in main (argc=2, argv=0x7fffffffe688) at
dnsmasq.c:951
(gdb) select-frame 1
(gdb) print name_start
$1 = 0x0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140325/5e1c0e2e/attachment-0001.sig>