[Dnsmasq-discuss] Memory corruption in parse_hex (util.c), SIGSEGV
Stephan Zeisberg
stephan.zeisberg at splone.com
Wed May 3 16:52:00 BST 2017
Hello,
Opening the attached sample config input file with dnsmasq results in a
crash (SIGSEGV). The input file was fuzzed with American Fuzzy Lop
(http://lcamtuf.coredump.cx/afl/).
version:
commit b2a9c571ebb333acbaa6bd752142df6821cb410c
how to reproduce:
$ ./src/dnsmasq --test -C <attached config file>
gdb:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
#1 0x00007f283acd922b in __GI__IO_setb () from /usr/lib/libc.so.6
#2 0x00007f283acd785e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
#3 0x00007f283accadef in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#4 0x0000000000423003 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4315
#5 0x000000000042159a in one_file (file=0x1355eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#6 0x0000000000424c3d in read_opts (argc=4, argv=0x7ffc2f1a2708, compile_opts=<optimized out>) at option.c:4733
#7 0x0000000000457557 in main (argc=989862624, argv=0x0) at dnsmasq.c:89
valgrind:
==23713== Memcheck, a memory error detector
==23713== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23713== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==23713== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==23713==
==23713== Invalid write of size 1
==23713== at 0x41F5EB: parse_hex (util.c:504)
==23713== by 0x43AA07: one_opt (option.c:3495)
==23713== by 0x422E7B: read_file (option.c:4304)
==23713== by 0x421599: one_file (option.c:4396)
==23713== by 0x424C3C: read_opts (option.c:4733)
==23713== by 0x457556: main (dnsmasq.c:89)
==23713== Address 0x51dd758 is 0 bytes after a block of size 56 alloc'd
==23713== at 0x4C2CF35: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23713== by 0x41E647: safe_malloc (util.c:247)
==23713== by 0x43A8C6: opt_malloc (option.c:557)
==23713== by 0x43A8C6: one_opt (option.c:3492)
==23713== by 0x422E7B: read_file (option.c:4304)
==23713== by 0x421599: one_file (option.c:4396)
==23713== by 0x424C3C: read_opts (option.c:4733)
==23713== by 0x457556: main (dnsmasq.c:89)
==23713==
dnsmasq: syntax check OK.
==23713==
==23713== HEAP SUMMARY:
==23713== in use at exit: 3,763 bytes in 28 blocks
==23713== total heap usage: 31 allocs, 3 frees, 8,430 bytes allocated
==23713==
==23713== LEAK SUMMARY:
==23713== definitely lost: 367 bytes in 1 blocks
==23713== indirectly lost: 0 bytes in 0 blocks
==23713== possibly lost: 0 bytes in 0 blocks
==23713== still reachable: 3,396 bytes in 27 blocks
==23713== suppressed: 0 bytes in 0 blocks
==23713== Rerun with --leak-check=full to see details of leaked memory
==23713==
==23713== For counts of detected and suppressed errors, rerun with: -v
==23713== ERROR SUMMARY: 9 errors from 1 contexts (suppressed: 0 from 0)
Regards,
Stephan
--
Stephan Zeisberg
Security Researcher
m: stephan.zeisberg at splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588
splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199
twitter: http://twitter.com/sploneberlin
Confidentiality: This e-mail contains confidential information intended
only for the addressee. If you are not the intended recipient you may
not disclose, copy, use or otherwise distribute the content of this
email.
Attachment: dnsmasq_crash (application/octet-stream, 524 bytes), the fuzzed config file:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/97d61ced/attachment.obj
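An added illustration of the bug class the valgrind trace points at, not dnsmasq's own util.c and not the fix the project shipped: parse_hex writes one byte per hex octet into a buffer that one_opt allocated three lines earlier (option.c:3492), and the invalid write lands 0 bytes after the end of that 56-byte block, so the parser emitted at least one byte more than the allocation accounted for. The toy parser below is shown in an unchecked form, which trusts the caller's size estimate, next to a bounds-checked form that carries the buffer size and refuses the write. The function names, the ':' separator handling and the sample inputs are assumptions for the example, not taken from dnsmasq.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not dnsmasq's util.c: a toy parser for "xx:xx:xx" hex
 * octet strings. Each "xx" group becomes one output byte. The ':'
 * separator handling and the function names are assumptions. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unchecked form: trusts that the caller sized 'out' for whatever the
 * string contains. If the caller's size estimate and the parser's byte
 * count disagree, the write at out[n++] runs past the buffer. */
int parse_hex_unchecked(const char *in, unsigned char *out)
{
    int n = 0;
    while (*in) {
        if (*in == ':') { in++; continue; }
        int hi = hexval((unsigned char)in[0]);
        int lo = hexval((unsigned char)in[1]);
        if (hi < 0 || lo < 0) return -1;      /* malformed group */
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return n;
}

/* Checked form: the buffer size travels with the buffer and every write
 * is tested against it. Returns -1 on malformed input or overflow. */
int parse_hex_checked(const char *in, unsigned char *out, size_t maxlen)
{
    size_t n = 0;
    while (*in) {
        if (*in == ':') { in++; continue; }
        int hi = hexval((unsigned char)in[0]);
        int lo = hexval((unsigned char)in[1]);
        if (hi < 0 || lo < 0) return -1;
        if (n >= maxlen) return -1;           /* would write past 'out' */
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return (int)n;
}

/* Constructed inputs: five octets where the caller budgeted for four. */
static const char *const OVERLONG = "de:ad:be:ef:00";
static const char *const VALID    = "de:ad:be:ef";

/* Shows the overrun without undefined behaviour: the caller "owns" the
 * first 4 bytes of an 8-byte backing array, and a canary in byte 4
 * reveals the write the unchecked parser makes past its budget. */
int demo_unchecked_overruns(void)
{
    unsigned char backing[8];
    memset(backing, 0xAA, sizeof backing);
    int n = parse_hex_unchecked(OVERLONG, backing);
    return n == 5 && backing[4] == 0x00;      /* canary clobbered */
}

int demo_checked_rejects_overlong(void)
{
    unsigned char buf[4];
    return parse_hex_checked(OVERLONG, buf, sizeof buf) == -1;
}

int demo_checked_accepts_valid(void)
{
    unsigned char buf[4];
    int n = parse_hex_checked(VALID, buf, sizeof buf);
    return n == 4 && buf[0] == 0xde && buf[3] == 0xef;
}

int demo_checked_rejects_bad_digit(void)
{
    unsigned char buf[4];
    return parse_hex_checked("de:zz", buf, sizeof buf) == -1;
}

int main(void)
{
    printf("unchecked parser overran its budget:    %s\n", demo_unchecked_overruns() ? "yes" : "no");
    printf("checked parser rejected overlong input: %s\n", demo_checked_rejects_overlong() ? "yes" : "no");
    printf("checked parser parsed valid input:      %s\n", demo_checked_accepts_valid() ? "yes" : "no");
    return 0;
}
```

If the unchecked parser is instead given a heap buffer of exactly four bytes (malloc(4)) and run under Valgrind or ASan, the report has the same shape as the one in the mail: an invalid write of size 1 located 0 bytes after the allocated block, with the allocation site a few frames up in the caller. The design point is that the size check belongs in the function that performs the write, not in a caller's separate estimate of how many octets the string will yield.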