[Dnsmasq-discuss] DNSSEC validation causes SIGSEGV by strcpy from 0x0

Simon Kelley simon at thekelleys.org.uk
Tue Mar 25 22:34:44 UTC 2014

Hash: SHA1

Thanks for that. The immediate fix is obvious, but I'm not sure why
it's executing that code for that query. Could you share a little more
of your configuration? What upstream server are you using?

Thinking about this made me look at the analogous code in for TCP,
which may take a little while to sort out :(



On 25/03/14 21:54, Alex Xu wrote:
> *some* requests cause dnsmasq to segfault in DNSSEC code in both
> 2.69rc1 and git master:
> Program received signal SIGSEGV, Segmentation fault. 
> 0x00000034a92934e7 in __strcpy_sse2_unaligned () from
> /lib64/libc.so.6 (gdb) bt #0  0x00000034a92934e7 in
> __strcpy_sse2_unaligned () from /lib64/libc.so.6 #1
> 0x000000000041864f in strcpy (__src=0x0, __dest=0x44b210 "org") at 
> /usr/include/bits/string3.h:104 #2  send_check_sign
> (now=1395783172, header=<optimized out>, plen=<optimized out>,
> name=<optimized out>, keyname=0x44b210 "org") at forward.c:1331 #3
> 0x00000000004183df in reply_query (fd=<optimized out>, 
> family=<optimized out>, now=now at entry=1395783172) at forward.c:823 
> #4  0x000000000041b38c in check_dns_listeners 
> (set=set at entry=0x7fffffffe370, now=now at entry=1395783172) at
> dnsmasq.c:1431 #5  0x000000000041caac in main (argc=<optimized
> out>, argv=<optimized out>) at dnsmasq.c:951
> The chances of this being exploitable are low as it is a NULL 
> dereference, but it is still a possible DoS attack.
> Also reproduced with -O0:
> (gdb) bt #0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from
> /lib64/libc.so.6 #1  0x000000000041e1ae in send_check_sign
> (now=1395783599, header=0x45b200, plen=71, name=0x45a010
> "www.dnssec-failed.org", keyname=0x45c210 "org") at forward.c:1331 
> #2  0x000000000041cf20 in reply_query (fd=11, family=2,
> now=1395783599) at forward.c:823 #3  0x0000000000425da0 in
> check_dns_listeners (set=0x7fffffffe240, now=1395783599) at
> dnsmasq.c:1431 #4  0x0000000000424c9a in main (argc=2,
> argv=0x7fffffffe688) at dnsmasq.c:951 (gdb) select-frame 1 (gdb)
> print name_start $1 = 0x0
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Dnsmasq-discuss mailing list