[Dnsmasq-discuss] Hardening dnsmasq memory allocator against overflows

Loganaden Velvindron loganaden at gmail.com
Mon Apr 13 01:19:44 BST 2015


>
> The principle is a good one, but looking through the patch, on none of
> the code that's changed, does either of the multiplication factors
> come from an untrusted source, and it's quite easy to demonstrate that
> it can never be big enough to overflow, except possibly if
> daemon->cachesize is very large. Since daemon->cachesize is a
> configuration item, any attacker who can control it has much more

> but in this case the size is the number of resource records in an
> RRset of an incoming (and therefore untrusted) DNS answer. But since a
> minimum-size RR is of the order of 10 bytes, and the maximum size of
> an answer, even over TCP, is limited to 2^16 bytes, that's not going
> to be overflow-able. There's also an explicit, hard coded, limit of
> 100 for the RRset size, to avoid just such attacks.
>
> The dnsmasq code tries hard to avoid mallocing during execution, and
> where it does, it's generally to expand a pool so that no malloc is
> needed next time. That means that the sort of code that feeds
> untrusted data to malloc doesn't really exist within the codebase.
>

Thanks for your feedback Simon!

I was thinking that having such an API in src/util.c might prove handy
in cases where the codebase evolves, and you need a safe way to do
multiplications that involve malloc & realloc.

One might argue that calloc() could be used, but in this case, there's
no zero'ing overhead.


>
> Cheers,
>
>
> Simon.
>
>
>
>
>> //Logan C-x-C-c
>>
>> _______________________________________________ Dnsmasq-discuss
>> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>



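An added example, not part of the original message and not the code from the patch under discussion: one way to write the kind of overflow-checked allocation helpers the thread talks about, which refuse a count * size product that would wrap around, and which skip calloc()'s zeroing. The names mul_size_checked, safe_mallocarray and safe_reallocarray are hypothetical, and the count in main() is a constructed value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper names; not taken from the dnsmasq patch or source. */

/* Store nmemb * size in *out. Returns 0, or -1 if the product would
   wrap around SIZE_MAX (the check divides instead of multiplying). */
static int mul_size_checked(size_t nmemb, size_t size, size_t *out)
{
  if (size != 0 && nmemb > SIZE_MAX / size)
    return -1;
  *out = nmemb * size;
  return 0;
}

/* malloc(nmemb * size) with no zeroing; NULL and ENOMEM on overflow. */
void *safe_mallocarray(size_t nmemb, size_t size)
{
  size_t total;
  if (mul_size_checked(nmemb, size, &total) != 0) {
    errno = ENOMEM;
    return NULL;
  }
  return malloc(total);
}

/* realloc(ptr, nmemb * size); on overflow or failure the old block
   stays valid, so callers must keep their pointer until success. */
void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
  size_t total;
  if (mul_size_checked(nmemb, size, &total) != 0) {
    errno = ENOMEM;
    return NULL;
  }
  return realloc(ptr, total);
}

int main(void)
{
  size_t n = SIZE_MAX / 2 + 1;          /* constructed hostile count */
  printf("unchecked n * 2 wraps to %zu\n", n * 2);
  printf("checked allocation: %p\n", safe_mallocarray(n, 2));
  return 0;
}
```

Without the check, the wrapped product would request a tiny block while the caller goes on to index n elements; with it, the request fails the same way an out-of-memory condition does.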