[Dnsmasq-discuss] dnsmasq potential vulnerability

Nick Sampanis nicksampanis at gmail.com
Tue Apr 7 08:49:30 BST 2015


Dear sirs,

I discovered one potential vulnerability in dnsmasq. More specifically, in
tcp_request(), setup_reply() gets called and the returned value is used as a
size argument in a write function.

    m = setup_reply(header, (unsigned int)size, addrp, flags,
                    daemon->local_ttl);
    read_write(confd, packet, m + sizeof(u16), 0);

Although setup_reply can't return a size value greater than
packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an ignored error value
(NULL) of skip_questions() might lead to a negative pointer value (-header):

    size_t setup_reply(struct dns_header *header, size_t qlen,
                       struct all_addr *addrp, unsigned int flags, unsigned long ttl)
    {
       unsigned char *p = skip_questions(header, qlen);
       return p - (unsigned char *)header;
    }

read_write checks if the size argument is positive. In the case of a 32-bit
system, size_t m would be 4 bytes and read_write will automatically exit. In
the case of a 64-bit system, size_t m is 8 bytes and may turn positive if the
sign bit of the 32-bit value is 0.

If m is less than 0xffffffff80000000, dnsmasq will be exploited by a potential
attacker who will remotely read dnsmasq heap until it crashes. If the above
condition is not met, dnsmasq exits properly.
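The arithmetic behind the report, as an added example that is not part of the original post or of the dnsmasq source. It uses a hypothetical, simplified `skip_questions_demo()` that walks the question section of a constructed query and returns NULL when the packet is truncated; `setup_reply_unchecked()` mirrors the pattern quoted above (pointer difference with no NULL check), `setup_reply_checked()` is the hardened form, and `write_len_from_null()` / `int_arg_positive()` reproduce, on constructed header addresses, the 64-bit-to-32-bit truncation the message describes. All names and sample bytes here are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 16-bit field from a DNS packet. */
static unsigned int be16(const unsigned char *b) { return ((unsigned)b[0] << 8) | b[1]; }

/* Hypothetical stand-in for skip_questions(): step over every entry of the
   question section and return a pointer just past it, or NULL if the packet
   ends early (the error case the report says is ignored by the caller). */
static unsigned char *skip_questions_demo(unsigned char *header, size_t qlen)
{
    if (qlen < 12) return NULL;                      /* not even a full header */
    unsigned char *p = header + 12;
    unsigned char *end = header + qlen;
    unsigned int qdcount = be16(header + 4);
    while (qdcount--) {
        for (;;) {                                   /* walk name labels to the root label */
            if (p >= end) return NULL;
            unsigned int len = *p++;
            if (len == 0) break;
            if (len > 63) return NULL;               /* no compression pointers in a query name */
            if ((size_t)(end - p) < len) return NULL;
            p += len;
        }
        if ((size_t)(end - p) < 4) return NULL;      /* QTYPE + QCLASS */
        p += 4;
    }
    return p;
}

/* Same shape as the quoted setup_reply(): the NULL result is never checked,
   so NULL - header is computed (done on uintptr_t here to keep it defined)
   and the negative difference wraps to a huge size_t. */
size_t setup_reply_unchecked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions_demo(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened form: a failed parse yields no reply length at all. */
size_t setup_reply_checked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions_demo(header, qlen);
    if (!p) return 0;
    return (size_t)(p - header);
}

/* Bounds check a caller should apply before writing m bytes out of a buffer. */
int reply_len_ok(size_t m, size_t bufsize) { return m > 0 && m <= bufsize; }

/* Pure-integer model of m + sizeof(u16) when p is NULL, for a given header
   address: 2^64 - header_addr + 2 on a 64-bit system. */
uint64_t write_len_from_null(uint64_t header_addr) { return (uint64_t)0 - header_addr + 2; }

/* Is the value still negative when seen as a 64-bit signed length? */
int is_negative_ssize(uint64_t m) { return (m >> 63) != 0; }

/* If that value is passed through a 32-bit int parameter, only the low 32
   bits survive; the sign then depends on bit 31 of the header address. */
int int_arg_positive(uint64_t m) { return ((uint32_t)m & 0x80000000u) == 0; }

/* Constructed query: 12-byte header with qdcount=1, name "a.b", QTYPE/QCLASS. */
unsigned char demo_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    1, 'a', 1, 'b', 0, 0x00, 0x01, 0x00, 0x01 };
const size_t demo_query_len = sizeof(demo_query);   /* 21 bytes */

int main(void)
{
    printf("well-formed: checked=%zu unchecked=%zu\n",
           setup_reply_checked(demo_query, demo_query_len),
           setup_reply_unchecked(demo_query, demo_query_len));
    /* Truncate the same query to 18 bytes: the question section is incomplete. */
    printf("truncated:   checked=%zu unchecked=%#zx\n",
           setup_reply_checked(demo_query, 18),
           setup_reply_unchecked(demo_query, 18));
    uint64_t a = write_len_from_null(0x5555F0000000ull);
    printf("header 0x5555F0000000: m=%#llx neg64=%d int_positive=%d\n",
           (unsigned long long)a, is_negative_ssize(a), int_arg_positive(a));
    return 0;
}
```

The well-formed query gives the same length (21) from both versions; the truncated one gives 0 from the checked version and a wrapped value far above any buffer size from the unchecked one, which is exactly what a size check against the buffer length must catch before the write.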