[Dnsmasq-discuss] dnsmasq potential vulnerability
nicksampanis at gmail.com
Tue Apr 7 08:49:30 BST 2015
I discovered one potential vulnerability in dnsmasq.
More specifically, in tcp_request(), setup_reply() gets called and the
is used as a size argument in a write function.
  m = setup_reply(header, (unsigned int)size, addrp, flags,
  read_write(confd, packet, m + sizeof(u16), 0);
Although setup_reply can't return a size variable greater than
packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)],
an ignored error value (NULL) of skip_questions() might lead to a negative
  size_t setup_reply(struct dns_header *header, size_t qlen,
                     struct all_addr *addrp, unsigned int flags, unsigned long ttl)
    unsigned char *p = skip_questions(header, qlen);
    return p - (unsigned char *)header;
read_write checks if the size argument is positive. In the case of a 32-bit
system, size_t m would be 4 bytes and read_write will automatically exit. In
the case of a 64-bit system, size_t m is 8 bytes and may turn positive if the
sign bit of the 32-bit value is 0.
If m is less than 0xffffffff80000000, dnsmasq will be exploited by a potential
attacker who will remotely read the dnsmasq heap until it
If the above condition is not met, dnsmasq exits properly.
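As an added illustration of the bug class in the report above (this is constructed example code, not the poster's snippets and not dnsmasq's own source), the following C model shows the length computation the report describes: a parser stand-in, skip_questions_model, returns NULL on a truncated question section; setup_reply_len_unchecked reproduces the unchecked (cursor - base) subtraction whose negative result lands in a size_t; setup_reply_len_checked refuses to produce a length when the parser failed; and write_len_ok is the caller-side bound against the reply buffer that a sign test alone does not give. The struct layout, the function names, the 29-byte sample query and the 512-byte buffer size are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern in the report: a reply length taken as
 * (cursor - base) where the cursor comes from a parser that returns NULL on
 * malformed input. Not dnsmasq's code; every name here is a stand-in. */

struct dns_header {
    uint16_t id, flags, qdcount, ancount, nscount, arcount; /* wire order, big-endian */
};

/* Walk the question section of a packet of qlen bytes. Returns a pointer just
 * past it, or NULL when the packet ends before the questions do. */
static unsigned char *skip_questions_model(struct dns_header *header, size_t qlen)
{
    unsigned char *base = (unsigned char *)header;
    size_t off = sizeof(struct dns_header);
    unsigned int qdcount, q;

    if (qlen < off) return NULL;
    qdcount = (base[4] << 8) | base[5];
    for (q = 0; q < qdcount; q++) {
        for (;;) {                               /* one name = sequence of labels */
            unsigned int len;
            if (off >= qlen) return NULL;
            len = base[off];
            if (len == 0) { off += 1; break; }   /* root label ends the name */
            if (len >= 0xC0) {                   /* compression pointer, 2 bytes, ends the name */
                if (qlen - off < 2) return NULL;
                off += 2;
                break;
            }
            if (len > 63 || qlen - off < 1 + (size_t)len) return NULL;
            off += 1 + len;
        }
        if (qlen - off < 4) return NULL;         /* QTYPE + QCLASS */
        off += 4;
    }
    return base + off;
}

/* The pattern the report describes: the NULL result is never checked, so the
 * subtraction yields a negative difference that is then stored in a size_t.
 * The report's code subtracts the pointers directly; uintptr_t is used here so
 * the wrap-around is well-defined C instead of undefined pointer arithmetic. */
static size_t setup_reply_len_unchecked(struct dns_header *header, size_t qlen)
{
    unsigned char *p = skip_questions_model(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened form: no length at all when the parser failed. */
static int setup_reply_len_checked(struct dns_header *header, size_t qlen, size_t *m)
{
    unsigned char *p = skip_questions_model(header, qlen);
    if (p == NULL) return 0;
    *m = (size_t)((uintptr_t)p - (uintptr_t)header);
    return 1;
}

/* Caller-side bound a sign test alone does not provide: the m + sizeof(u16)
 * bytes handed to the socket write must lie inside the reply buffer. */
static int write_len_ok(size_t m, size_t bufsize)
{
    return m <= bufsize && bufsize - m >= sizeof(uint16_t);
}

/* Constructed 29-byte query: id 0x1234, qdcount 1, "example.com" A IN. */
static const unsigned char sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

union packet { struct dns_header h; unsigned char bytes[512]; };

/* Checked path on the sample query, pretending only qlen bytes arrived.
 * Returns the reply length, or 0 when the parser rejected the packet. */
static size_t demo_checked(size_t qlen)
{
    union packet pkt;
    size_t m = 0;
    memset(&pkt, 0, sizeof pkt);
    memcpy(pkt.bytes, sample_query, sizeof sample_query);
    return setup_reply_len_checked(&pkt.h, qlen, &m) ? m : 0;
}

/* Unchecked path; on a truncated packet this yields a huge size_t. */
static size_t demo_unchecked(size_t qlen)
{
    union packet pkt;
    memset(&pkt, 0, sizeof pkt);
    memcpy(pkt.bytes, sample_query, sizeof sample_query);
    return setup_reply_len_unchecked(&pkt.h, qlen);
}

int main(void)
{
    printf("complete packet : checked length = %zu\n", demo_checked(29));
    printf("truncated packet: checked length = %zu (0 = refused)\n", demo_checked(20));
    printf("truncated packet: unchecked length = %zu, fits 512-byte buffer: %d\n",
           demo_unchecked(20), write_len_ok(demo_unchecked(20), sizeof(union packet)));
    return 0;
}
```

On a complete packet both paths agree on 29 bytes; on a packet cut at 20 bytes the checked path refuses to produce a length, while the unchecked path returns the wrapped difference, which write_len_ok rejects because it cannot fit the buffer. The point for a reviewer is that the NULL check belongs where the length is computed, and the write length should be bounded by the buffer rather than only tested for sign.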