<div dir="ltr">Hello Louis,<div><br></div><div>I asked this last night and got a response from Simon on this.</div><div><br></div><div><a href="https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html">https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html</a><br></div><div><br></div><div>I hope this helps.</div><div><br></div><div>Cheers,</div><div><br></div><div>Ethan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 17, 2016 at 8:46 AM, Louis Munro <span dir="ltr"><<a href="mailto:lmunro@inverse.ca" target="_blank">lmunro@inverse.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hello,<div><br></div><div>Buffer overflows are in the news again as I am sure people have heard by now.</div><div><br></div><div>The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.</div><div><br></div><div>See: <a href="https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html" target="_blank">https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</a></div><div><br></div><div>I have some production servers running both dnsmasq (2.48) and the affected glibc.</div><div><br></div><div>Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?</div><div>I see this in the manpage: </div><div><br></div><div> -P, --edns-packet-max=<size><br> Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is<br> the RFC2671-recommended maximum for ethernet.</div><div><br></div><div>Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)? </div><div>Does that setting also apply to TCP replies?</div><div><br></div><div><br></div><div>Best regards,</div><div><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">--</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">Louis Munro<br><a href="mailto:lmunro@inverse.ca" target="_blank">lmunro@inverse.ca</a> :: <a href="http://www.inverse.ca" target="_blank">www.inverse.ca</a> <br><a href="tel:%2B1.514.447.4918%20x125" value="+15144474918" target="_blank">+1.514.447.4918 x125</a> :: <a href="tel:%2B1%20%28866%29%C2%A0353-6153%20x125" value="+18663536153" target="_blank">+1 (866) 353-6153 x125</a><br>Inverse inc. :: Leaders behind SOGo (<a href="http://www.sogo.nu" target="_blank">www.sogo.nu</a>) and PacketFence (<a href="http://www.packetfence.org" target="_blank">www.packetfence.org</a>)</div></div>
</div>
<br></div></div><br>_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
<br></blockquote></div><br></div>