Alexander E. Patrakov patrakov at gmail.com
Mon Apr 18 13:52:43 BST 2016


The company I work for has a server with Ubuntu 16.04 installed on it 
(yes, I know, not officially out yet, but the server is not in 
production either). Dnsmasq (version 2.75) is there because it is the 
simplest option to provide DHCP and DNS to LXC containers.

While playing with this setup, I found a reproducible crasher. I have 
set up a domain name, broken-record.chickenkiller.com, that can be used 
to expose this crash.

To reproduce the crasher, please create a VM with Ubuntu 16.04, on a 
network that has both IPv4 and IPv6, with static addresses.

In /etc/hostname, put this line:


In /etc/hosts, put these lines:

localhost.localdomain localhost
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

<ipv4-address> broken-record.chickenkiller.com broken-record
<ipv6-address> broken-record.chickenkiller.com broken-record

Ubuntu runs dnsmasq as follows:

/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service

There is already a record in DNS that maps 
crashme.broken-record.chickenkiller.com. as a CNAME to 
broken-record.chickenkiller.com. Also, there is an A record for 
broken-record.chickenkiller.com, but there is no AAAA record.

Again, it is important to name the VM as 
"broken-record.chickenkiller.com", because the crash happens only if a 
CNAME points to a record that exists in /etc/hosts as an IPv6 address.

So - this query reliably crashes dnsmasq:

dig @ crashme.broken-record.chickenkiller.com. AAAA

The crash is in cache_insert(), which is called from extract_addresses().

Alexander E. Patrakov
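The precondition the report isolates is a CNAME whose target name also appears in /etc/hosts with an IPv6 address. The following is an added audit helper, not code from the reporter or from the dnsmasq project: it parses /etc/hosts-style text, lists the names that carry an IPv6 entry, and answers whether a given CNAME target (with or without its trailing dot) matches one of them. The sample hosts content, the 192.0.2.10 / 2001:db8::10 addresses and the function names are constructed for the example; only the layout follows the report.

```python
import ipaddress
from collections import defaultdict

# Constructed sample /etc/hosts content mirroring the layout in the report.
# The two addresses on the broken-record lines are documentation-range
# placeholders, not the reporter's real ones.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

192.0.2.10   broken-record.chickenkiller.com broken-record   # placeholder v4
2001:db8::10 broken-record.chickenkiller.com broken-record   # placeholder v6
"""


def parse_hosts(text):
    """Return {name: {"v4": [addr, ...], "v6": [addr, ...]}} from hosts-file text.

    Trailing '#' comments and blank lines are skipped, names are lower-cased,
    and a line whose first field is not a valid address is ignored rather than
    raising, so a real /etc/hosts with stray entries still parses.
    """
    table = defaultdict(lambda: {"v4": [], "v6": []})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; skip the line
        key = "v6" if addr.version == 6 else "v4"
        for name in fields[1:]:
            table[name.lower()][key].append(str(addr))
    return dict(table)


def names_with_ipv6(table):
    """Names that have at least one IPv6 entry in /etc/hosts.

    In the setup described above, a CNAME whose target is one of these names
    is what turns an AAAA query into the crash, so these are the names an
    administrator of an affected dnsmasq 2.75 would want to know about.
    """
    return sorted(name for name, addrs in table.items() if addrs["v6"])


def is_cname_target_in_hosts_v6(table, target):
    """True if the CNAME target name (as returned by DNS, optionally with a
    trailing dot) is present in /etc/hosts with an IPv6 address."""
    key = target.rstrip(".").lower()
    return bool(table.get(key, {}).get("v6"))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("names with IPv6 entries:", names_with_ipv6(hosts))
    # The CNAME target from the report, as dig would print it (trailing dot).
    print("broken-record.chickenkiller.com. matches a v6 hosts entry:",
          is_cname_target_in_hosts_v6(hosts, "broken-record.chickenkiller.com."))
```

The CNAME target itself still has to come from the upstream answer (for example the CNAME line in dig's output); the helper only covers the local half of the condition, which is the half an administrator controls.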

