[Dnsmasq-discuss] NULL dereference in cache_insert
Török Edwin
edwin+ml-cerowrt at etorok.net
Sat Nov 14 09:57:13 GMT 2015
Hi,
dnsmasq 2.73 and 2.75 on OpenWrt CHAOS CALMER (15.05, r46767) crash with a NULL dereference when certain domain names are resolved that are also overridden using addn-hosts:
#0 0x00405612 in cache_insert (name=name@entry=0x42f008 "bbc.112.2o7.net", addr=addr@entry=0x0, now=now@entry=1447493529, ttl=45, flags=296) at cache.c:490
else if ((flags & F_IPV6) && (new->flags & F_IPV6) &&
IN6_ARE_ADDR_EQUAL(&new->addr.addr.addr.addr6, &addr->addr.addr6))
#1 0x0040683e in extract_addresses (header=header@entry=0x42fb30, qlen=qlen@entry=122, name=<optimized out>, now=now@entry=1447493529, ipsets=ipsets@entry=0x0,
is_sign=0, check_rebind=check_rebind@entry=1, no_cache_dnssec=no_cache_dnssec@entry=0, secure=secure@entry=0, doctored=doctored@entry=0x7fff6a60) at rfc1035.c:1132
newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | secflag);
#2 0x0040ca1e in process_reply (header=header@entry=0x42fb30, now=now@entry=1447493529, server=server@entry=0x437e70, n=n@entry=122, check_rebind=1, no_cache=0,
added_pheader=0, check_subnet=0, query_source=query_source@entry=0x4383e0, do_bit=<optimized out>, ad_reqd=<optimized out>, bogusanswer=0, cache_secure=0)
at forward.c:644
#3 0x0040d864 in reply_query (fd=<optimized out>, family=<optimized out>, now=now@entry=1447493529) at forward.c:1095
#4 0x0040f2c0 in check_dns_listeners (now=now@entry=1447493529) at dnsmasq.c:1510
#5 0x00403a3c in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:1004
As a temporary workaround to stop it from crashing I have added a NULL check, but I'm not sure what the intended behaviour would be when addr is NULL:
--- ./build_dir/target-mips_34kc_uClibc-0.9.33.2/dnsmasq-dhcpv6/dnsmasq-2.75/src/cache.c 2015-07-30 22:59:07.000000000 +0300
+++ ./build_dir/target-mips_34kc_uClibc-0.9.33.2/dnsmasq-nodhcpv6/dnsmasq-2.75/src/cache.c 2015-11-14 11:41:52.655551879 +0200
@@ -481,7 +481,7 @@
existing record is for an A or AAAA and
the record we're trying to insert is the same,
just drop the insert, but don't error the whole process. */
- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
+ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
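Review bot: the added `&& addr` on the changed condition stops the dereference but does not say what a negative insert should do when a record for the same name already exists. Frame #1 of the backtrace shows the caller passing NULL together with F_FORWARD | F_NEG, so with this guard the whole "same record, just drop the insert" block is skipped and control falls through to code that is not visible in this hunk. Suggest extending the comment above the condition to state the intended outcome for a NULL addr, and considering an explicit test on F_NEG instead of on the pointer so the negative-reply case is handled deliberately rather than as a side effect of the NULL check.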
$ grep bbc.112 /etc/block.hosts
0.0.0.0 bbc.112.2o7.net
:: bbc.112.2o7.net
$ cat /var/etc/dnsmasq.conf
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
addn-hosts=/etc/block.hosts
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
rebind-domain-ok=skylable.com
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
dhcp-host=e0:3f:49:a0:6e:d4,192.168.1.2,debian
dhcp-host=64:51:06:22:ad:dd,192.168.1.129,hp
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=pppoe-wan
--
Edwin Török | Co-founder and Lead Developer
Skylable open-source object storage: reliable, fast, secure
http://www.skylable.com