<!DOCTYPE html>
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hey Simon,</p>
    <p>we found a bug resulting in a use-after-free returning garbage
      data and possibly a crash when using DHCP + stale cache data.</p>
    <p>The bug is triggered when using DHCP and a lease expires. Its
      name is then freed in kill_name() + do_script_run(). When the PTR
      record is queried thereafter and use-stale-cache is enabled,
      dnsmasq accesses this dangling pointer and returns random data -
      often a string containing a few control characters; once dnsmasq
      even SEGFAULTed.</p>
    <p>Related dnsmasq.log:</p>
    <pre><code>May  5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May  5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is **&lt;name unprintable&gt;**
May  5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1</code></pre>
    <p>The final immediate "forwarded" line comes from dnsmasq itself
      and confirms that this was triggered by use-stale-cache.</p>
    <p>Best,<br>
      Dominik<br>
    </p>
    <p>P.S.: The patch recently sent by Erik Karlsson doesn't fix this;
      it touches other code.<br>
    </p>
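    <p>Added example (not part of Dominik's report or of dnsmasq itself): a small log checker that looks for the three-line signature described above, a PTR query, a DHCP answer whose name is logged as "&lt;name unprintable&gt;", and an immediate "forwarded" of the same reverse name, which the report reads as the use-stale-cache path serving a freed lease name. It assumes the default syslog-style dnsmasq line format shown in the report; the asterisks around "&lt;name unprintable&gt;" are treated as optional emphasis, and the sample lines are constructed from the report plus one benign lookup.</p>

```python
import re

# Constructed sample: the three lines from the report, followed by a benign
# PTR lookup that resolves to a printable hostname and is not forwarded.
SAMPLE_LOG = """\
May  5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May  5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is **<name unprintable>**
May  5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1
May  5 19:00:01 dnsmasq[4395]: query[PTR] 142.2.168.192.in-addr.arpa from 127.0.0.1
May  5 19:00:01 dnsmasq[4395]: DHCP 192.168.2.142 is laptop
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS dnsmasq[PID]: "
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[(?P<pid>\d+)\]: "
PTR_RE = re.compile(PREFIX + r"query\[PTR\] (?P<rev>\S+)\.in-addr\.arpa from (?P<src>\S+)$")
DHCP_RE = re.compile(PREFIX + r"DHCP (?P<ip>\d+\.\d+\.\d+\.\d+) is (?P<name>.*)$")
FWD_RE = re.compile(PREFIX + r"forwarded (?P<rev>\S+)\.in-addr\.arpa to (?P<up>\S+)$")

# dnsmasq logs this token when a name contains non-printable bytes; the
# "**" in the report looks like the reporter's emphasis, so it is not required.
UNPRINTABLE = "<name unprintable>"


def reverse_label_to_ip(rev):
    """'141.2.168.192' (in-addr.arpa order) -> '192.168.2.141'."""
    return ".".join(reversed(rev.split(".")))


def find_stale_name_answers(lines):
    """Return one finding per PTR query that was answered from DHCP data
    with an unprintable name and then immediately forwarded upstream."""
    pending = {}      # ip -> (timestamp, client) of the latest PTR query
    unprintable = {}  # ip -> timestamp of the garbage DHCP answer
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        m = PTR_RE.match(line)
        if m:
            ip = reverse_label_to_ip(m["rev"])
            pending[ip] = (m["ts"], m["src"])
            unprintable.pop(ip, None)
            continue
        m = DHCP_RE.match(line)
        if m:
            if m["ip"] in pending and UNPRINTABLE in m["name"]:
                unprintable[m["ip"]] = m["ts"]
            continue
        m = FWD_RE.match(line)
        if m:
            ip = reverse_label_to_ip(m["rev"])
            if ip in unprintable:
                findings.append({
                    "ip": ip,
                    "ts": unprintable.pop(ip),
                    "client": pending[ip][1],
                    "upstream": m["up"],
                    "pid": m["pid"],
                })
    return findings


if __name__ == "__main__":
    for f in find_stale_name_answers(SAMPLE_LOG.splitlines()):
        print("suspect stale-cache answer for %(ip)s at %(ts)s "
              "(client %(client)s, then forwarded to %(upstream)s)" % f)
```

    <p>Run it over /var/log/dnsmasq.log (or journald output in the same format) on hosts that run DHCP with use-stale-cache; a hit is a reason to check the dnsmasq version and to turn use-stale-cache off until a fixed build is deployed.</p>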
  </body>
</html>