<div dir="auto">Hi Dominik,<div dir="auto"><br></div><div dir="auto">Are you sure the patch I sent does not solve this? I think it should, or are there more places where a lease_update_dns(0) is missing? Alternatively, can there be dangling pointers left even after lease_update_dns has been run?</div><div dir="auto"><br></div><div dir="auto">Best regards,</div><div dir="auto">Erik</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon 6 May 2024 07:14 Dominik Derigs via Dnsmasq-discuss <<a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div>
<p>Hey Simon,</p>
<p>we found a bug resulting in a use-after-free returning garbage
data and possibly a crash when using DHCP + stale cache data.</p>
<p>The bug is triggered when using DHCP and a lease expires. Its
name is then free'd in kill_name() + do_script_run(). When the PTR
record is queried thereafter and use-stale-cache is enabled,
dnsmasq accesses this dangling pointer and returns random data -
often a string containing a few control characters; once dnsmasq
even SEGFAULTed.</p>
<p>Related dnsmasq.log:</p>
<pre><code>May 5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May 5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is **<name unprintable>**
May 5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1</code></pre>
<p>The final immediate "forwarded" line comes from dnsmasq itself
and confirms that this was triggered by use-stale-cache.</p>
<p>Best,<br>
Dominik<br>
</p>
<p>P.S.: The patch recently sent by Erik Karlsson doesn't fix this;
it touches other code.<br>
</p>
</div>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a><br>
</blockquote></div>
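<p>The ownership problem behind the report, as an added toy model that is not dnsmasq code: a lease owns its hostname buffer, a reverse-lookup cache entry only borrows a pointer into it, and freeing the buffer before every borrowing entry has been unlinked leaves a dangling pointer that a later (for instance stale-cache) lookup will read. The structures, function names (<code>cache_unlink_lease</code> plays the role the thread assigns to <code>lease_update_dns(0)</code>) and the sample lease are assumptions chosen for the example; <code>dangling_refs</code> is the invariant check a maintainer can run before any free of a lease name.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not dnsmasq code. Toy model of a lease that owns a name
 * buffer and a cache entry that merely borrows a pointer to that buffer.
 * All names and values below are constructed for illustration. */

#define MAX_CACHE 8

struct lease {
    char *name;        /* heap buffer owned by the lease */
    unsigned int addr; /* IPv4 address packed as an integer (constructed) */
};

struct cache_entry {
    unsigned int addr;
    const char *name;  /* borrowed from a struct lease; never freed here */
    int in_use;
};

static struct cache_entry cache[MAX_CACHE];

/* Record a PTR-style mapping addr -> lease name. Returns 0, or -1 if full. */
int cache_add(const struct lease *l)
{
    for (int i = 0; i < MAX_CACHE; i++) {
        if (!cache[i].in_use) {
            cache[i].addr = l->addr;
            cache[i].name = l->name;   /* borrow, do not copy */
            cache[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

/* Reverse lookup: the cached name for addr, or NULL if nothing is cached. */
const char *cache_lookup(unsigned int addr)
{
    for (int i = 0; i < MAX_CACHE; i++)
        if (cache[i].in_use && cache[i].addr == addr)
            return cache[i].name;
    return NULL;
}

/* Count cache entries still pointing into this lease's buffer. Must be
 * called BEFORE free(): a non-zero result means freeing now would leave a
 * dangling pointer. (Inspecting a pointer after it has been freed is itself
 * undefined behaviour, so the check cannot be done afterwards.) */
int dangling_refs(const struct lease *l)
{
    int n = 0;
    for (int i = 0; i < MAX_CACHE; i++)
        if (cache[i].in_use && cache[i].name == l->name)
            n++;
    return n;
}

/* Unlink every cache entry that borrows this lease's name. This is the job
 * the thread attributes to lease_update_dns(): it must run before the free. */
int cache_unlink_lease(const struct lease *l)
{
    int n = 0;
    for (int i = 0; i < MAX_CACHE; i++)
        if (cache[i].in_use && cache[i].name == l->name) {
            cache[i].in_use = 0;
            cache[i].name = NULL;
            n++;
        }
    return n;
}

/* Safe release order: unlink first, verify, then free. Returns the number
 * of references unlinked, or -1 if something still points at the buffer. */
int lease_release(struct lease *l)
{
    int n = cache_unlink_lease(l);
    if (dangling_refs(l) != 0) {
        fprintf(stderr, "refusing to free a still-referenced name\n");
        return -1;
    }
    free(l->name);
    l->name = NULL;
    return n;
}

struct lease *lease_new(unsigned int addr, const char *name)
{
    struct lease *l = calloc(1, sizeof *l);
    size_t len = strlen(name) + 1;
    if (!l) return NULL;
    l->name = malloc(len);         /* own copy; avoids strdup portability */
    if (!l->name) { free(l); return NULL; }
    memcpy(l->name, name, len);
    l->addr = addr;
    return l;
}

int main(void)
{
    struct lease *l = lease_new(0xC0A8028Du, "laptop"); /* 192.168.2.141, constructed */
    cache_add(l);
    printf("before expiry: %s\n", cache_lookup(l->addr));
    lease_release(l);
    const char *after = cache_lookup(0xC0A8028Du);
    printf("after expiry: %s\n", after ? after : "(no cached name)");
    free(l);
    return 0;
}
```

<p>The point of the ordering in <code>lease_release</code> is that a lookup after expiry yields a clean negative answer (<code>NULL</code>) instead of bytes from freed memory; a <code>dangling_refs</code> check placed before each free of a lease name is the cheapest way to catch any remaining path that frees before unlinking.</p>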