[Dnsmasq-discuss] Memory corruption in hostname_isequal (util.c), SIGSEGV

Stephan Zeisberg stephan.zeisberg at splone.com
Wed May 3 16:42:00 BST 2017


Hello,

Opening the attached sample config input file with dnsmasq results in a
crash (SIGSEGV). The input file was fuzzed with American Fuzzy Lop
(http://lcamtuf.coredump.cx/afl/).

version:

commit b2a9c571ebb333acbaa6bd752142df6821cb410c

how to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
312	    c1 = (unsigned char) *a++;
(gdb) bt
#0  hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
#1  0x0000000000441a45 in one_opt (option=<optimized out>, arg=0x84f01f "be# If you w0", errstr=<optimized out>, gen_err=<optimized out>, command_line=<optimized out>, servers_only=<optimized out>)
    at option.c:3853
#2  0x0000000000422e7c in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4304
#3  0x000000000042159a in one_file (file=0x84feb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#4  0x0000000000424c3d in read_opts (argc=4, argv=0x7ffcedcbca18, compile_opts=<optimized out>) at option.c:4733
#5  0x0000000000457557 in main (argc=0, argv=0x84f01f) at dnsmasq.c:89

valgrind:

==4077== Memcheck, a memory error detector
==4077== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4077== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==4077== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==4077== 
==4077== Invalid read of size 1
==4077==    at 0x41EA1C: hostname_isequal (util.c:312)
==4077==    by 0x441A44: one_opt (option.c:3853)
==4077==    by 0x422E7B: read_file (option.c:4304)
==4077==    by 0x421599: one_file (option.c:4396)
==4077==    by 0x424C3C: read_opts (option.c:4733)
==4077==    by 0x457556: main (dnsmasq.c:89)
==4077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4077== 
==4077== 
==4077== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4077==  Access not within mapped region at address 0x0
==4077==    at 0x41EA1C: hostname_isequal (util.c:312)
==4077==    by 0x441A44: one_opt (option.c:3853)
==4077==    by 0x422E7B: read_file (option.c:4304)
==4077==    by 0x421599: one_file (option.c:4396)
==4077==    by 0x424C3C: read_opts (option.c:4733)
==4077==    by 0x457556: main (dnsmasq.c:89)
==4077==  If you believe this happened as a result of a stack
==4077==  overflow in your program's main thread (unlikely but
==4077==  possible), you can try to increase the size of the
==4077==  main thread stack using the --main-stacksize= flag.
==4077==  The main thread stack size used in this run was 8388608.
==4077== 
==4077== HEAP SUMMARY:
==4077==     in use at exit: 3,973 bytes in 32 blocks
==4077==   total heap usage: 33 allocs, 1 frees, 8,069 bytes allocated
==4077== 
==4077== LEAK SUMMARY:
==4077==    definitely lost: 0 bytes in 0 blocks
==4077==    indirectly lost: 0 bytes in 0 blocks
==4077==      possibly lost: 0 bytes in 0 blocks
==4077==    still reachable: 3,973 bytes in 32 blocks
==4077==         suppressed: 0 bytes in 0 blocks
==4077== Rerun with --leak-check=full to see details of leaked memory
==4077== 
==4077== For counts of detected and suppressed errors, rerun with: -v
==4077== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    4077 segmentation fault  valgrind ./src/dnsmasq --test -C /tmp/dnsmasq_crash

Regards,
Stephan
-- 
Stephan Zeisberg
Security Researcher

m: stephan.zeisberg at splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588

splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199

twitter: http://twitter.com/sploneberlin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq_crash
Type: application/octet-stream
Size: 8734 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/7e74dd0e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/7e74dd0e/attachment.sig>
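The trace above shows hostname_isequal() entered with a == NULL and dereferencing it on the first byte. The following is an added illustration (not dnsmasq's code, and not the fix the project applied): a byte-loop, case-insensitive hostname compare in the shape that util.c:312 suggests, with the NULL guard that call was missing, next to a hypothetical option handler (opt_names_equal, a constructed name) that rejects a malformed "name1,name2" value as a config error before any comparison runs. The loop body is an assumption drawn only from the single source line in the gdb output; the sample option values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dnsmasq code. Case-insensitive hostname comparison
 * in the shape the backtrace suggests (byte loop lowering ASCII letters),
 * plus the NULL guard that the reported call hostname_isequal(a=0x0, ...)
 * would have needed: a missing name compares as "not equal" instead of
 * being dereferenced. */
int hostname_isequal_guarded(const char *a, const char *b)
{
    unsigned int c1, c2;

    if (a == NULL || b == NULL)
        return 0;

    do {
        c1 = (unsigned char) *a++;
        c2 = (unsigned char) *b++;
        if (c1 >= 'A' && c1 <= 'Z') c1 += 'a' - 'A';
        if (c2 >= 'A' && c2 <= 'Z') c2 += 'a' - 'A';
        if (c1 != c2)
            return 0;
    } while (c1);

    return 1;
}

/* Hypothetical option handler (constructed for this example): expects
 * "name1,name2" and reports whether both names are the same host.
 * Models the caller-side check a config parser should make: a field that
 * is absent or empty is a configuration error (return -1) and is never
 * passed on as NULL to the comparison. `arg` is split in place, as
 * strtok-style option parsers commonly do; `out_equal` receives the
 * comparison result on success (return 0). */
int opt_names_equal(char *arg, int *out_equal)
{
    char *comma;
    char *first, *second;

    if (arg == NULL || out_equal == NULL)
        return -1;

    comma = strchr(arg, ',');
    if (comma == NULL)
        return -1;              /* second field missing entirely */
    *comma = '\0';
    first = arg;
    second = comma + 1;

    if (*first == '\0' || *second == '\0')
        return -1;              /* empty field: reject, do not compare */

    *out_equal = hostname_isequal_guarded(first, second);
    return 0;
}

int main(void)
{
    /* Constructed sample values: one well-formed pair and one fuzzed-looking
     * value that has no second field at all. */
    char good[] = "Router.LAN,router.lan";
    char bad[]  = "be# If you w0";
    int eq = 0;

    if (opt_names_equal(good, &eq) == 0)
        printf("well-formed pair: %s\n", eq ? "same host" : "different hosts");
    if (opt_names_equal(bad, &eq) != 0)
        printf("malformed value rejected instead of dereferencing NULL\n");
    return 0;
}
```

The point of the second function is that the guard inside the compare is a backstop; the parser is where a missing field should be turned into a "bad option" error with a line number, which is also what a --test run should surface instead of a core dump.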