[Dnsmasq-discuss] DNSSEC validation causes SIGSEGV by strcpy from 0x0
Simon Kelley
simon at thekelleys.org.uk
Tue Mar 25 22:34:44 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks for that. The immediate fix is obvious, but I'm not sure why
it's executing that code for that query. Could you share a little more
of your configuration? What upstream server are you using?
Thinking about this made me look at the analogous code in for TCP,
which may take a little while to sort out :(
Cheers,
Simon.
On 25/03/14 21:54, Alex Xu wrote:
> *some* requests cause dnsmasq to segfault in DNSSEC code in both
> 2.69rc1 and git master:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000034a92934e7 in __strcpy_sse2_unaligned () from
> /lib64/libc.so.6 (gdb) bt #0 0x00000034a92934e7 in
> __strcpy_sse2_unaligned () from /lib64/libc.so.6 #1
> 0x000000000041864f in strcpy (__src=0x0, __dest=0x44b210 "org") at
> /usr/include/bits/string3.h:104 #2 send_check_sign
> (now=1395783172, header=<optimized out>, plen=<optimized out>,
> name=<optimized out>, keyname=0x44b210 "org") at forward.c:1331 #3
> 0x00000000004183df in reply_query (fd=<optimized out>,
> family=<optimized out>, now=now at entry=1395783172) at forward.c:823
> #4 0x000000000041b38c in check_dns_listeners
> (set=set at entry=0x7fffffffe370, now=now at entry=1395783172) at
> dnsmasq.c:1431 #5 0x000000000041caac in main (argc=<optimized
> out>, argv=<optimized out>) at dnsmasq.c:951
>
> The chances of this being exploitable are low as it is a NULL
> dereference, but it is still a possible DoS attack.
>
> Also reproduced with -O0:
>
> (gdb) bt #0 0x00000034a92934e7 in __strcpy_sse2_unaligned () from
> /lib64/libc.so.6 #1 0x000000000041e1ae in send_check_sign
> (now=1395783599, header=0x45b200, plen=71, name=0x45a010
> "www.dnssec-failed.org", keyname=0x45c210 "org") at forward.c:1331
> #2 0x000000000041cf20 in reply_query (fd=11, family=2,
> now=1395783599) at forward.c:823 #3 0x0000000000425da0 in
> check_dns_listeners (set=0x7fffffffe240, now=1395783599) at
> dnsmasq.c:1431 #4 0x0000000000424c9a in main (argc=2,
> argv=0x7fffffffe688) at dnsmasq.c:951 (gdb) select-frame 1 (gdb)
> print name_start $1 = 0x0
>
>
>
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMyBIQACgkQKPyGmiibgrdnJACgpPns8hC6Cwr6+ypP4K9MbQ8e
W2IAnj0ZsJJ0dLEfS3YmtumoEf3cEkiz
=x0gY
-----END PGP SIGNATURE-----
More information about the Dnsmasq-discuss
mailing list