[Dnsmasq-discuss] crash with DNSSEC on 2.80

Simon Kelley simon at thekelleys.org.uk
Mon Jul 15 22:06:44 BST 2019


Ugh, that's nasty. Thanks for the good bug report.

Is this reproducible? A domain which when validated always prompts a
crash would be very useful.

From the information we have, the obvious problem is rrsetidx=27430912
which makes no sense, and will surely crash a buffer. That value is
generated in explore_rrset() which should return either 1, and a valid
value for the number of RRsets, or zero if there's an error.

In fact there are a couple of cases where the code detects a malformed
packet, and returns STAT_BOGUS (which is not zero) thus allowing the
calling code to continue with an undefined value for the number of
RRsets. So, certain kinds of malformed packets may cause this crash.

This looks like an incomplete refactoring: that code used to return a
STAT_* return code, but the explore_rrset stuff got pulled out and
returns true/false, but a couple of code paths got missed.


Does

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05299fdd5a3b6ace43224c7d27d06a57b175639f

seem to fix things? That would be a nice, easy fix if so.


Cheers,

Simon.


On 14/07/2019 02:21, Graham Menhennitt wrote:
> 
> Hello dnsmasqers,
> 
> I'm running dnsmasq 2.80 on FreeBSD 12-stable. It works perfectly when I
> have DNSSEC disabled. But when I enable it, I get crashes every hour or
> so. I haven't worked out what's happening exactly, but it looks like
> it's accessing past the end of a buffer. Running in lldb gives the
> following info:
> 
> Process 19920 stopped
> * thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
> address (fault address: 0x8)
>     frame #0: 0x0000000000274802
> dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
> rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
> buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
>    301            end1 = p1 + rdlen1;
>    302
>    303            p2 += 8; /* skip class, type, ttl */
> -> 304            GETSHORT(rdlen2, p2);
>    305            end2 = p2 + rdlen2;
>    306
>    307            dp1 = dp2 = rr_desc;
> (lldb) bt
> * thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
> address (fault address: 0x8)
>   * frame #0: 0x0000000000274802
> dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
> rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
> buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
>     frame #1: 0x00000000002714c1 dnsmasq`validate_rrset(now=1562977226,
> header=0x0000000801a29000, plen=512, class=1, type=5, sigidx=8,
> rrsetidx=27430912, name="incoming.telemetry.mozilla.org",
> keyname="mozilla.org", wildcard_out=0x00007fffffffe388,
> key=0x0000000000000000, keylen=0, algo_in=0, keytag_in=0) at dnssec.c:506
>     frame #2: 0x0000000000273479
> dnsmasq`dnssec_validate_reply(now=1562977226, header=0x0000000801a29000,
> plen=512, name="incoming.telemetry.mozilla.org", keyname="mozilla.org",
> class=0x0000000801a1f248, check_unsigned=1,
> neganswer=0x0000000000000000, nons=0x0000000000000000) at dnssec.c:1920
>     frame #3: 0x000000000023306f dnsmasq`reply_query(fd=15, family=2,
> now=1562977226) at forward.c:1029
>     frame #4: 0x000000000024211c
> dnsmasq`check_dns_listeners(now=1562977226) at dnsmasq.c:1644
>     frame #5: 0x0000000000240bab dnsmasq`main(argc=6,
> argv=0x00007fffffffe9f8) at dnsmasq.c:1104
>     frame #6: 0x000000000021311b dnsmasq`_start(ap=<unavailable>,
> cleanup=<unavailable>) at crt1.c:76
> 
> My dnsmasq.conf is below.
> 
> Does anybody have any clues, please?
> 
> Thanks,
>     Graham
> 
> conf-file=/etc/dnsmasq-conf.conf
> resolv-file=/etc/dnsmasq-resolv.conf
> 
> server=8.8.8.8
> server=8.8.4.4
> 
> # use DNSSEC
> dnssec
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> 
> trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
> 
> dnssec-check-unsigned
> 
> # filter what we send upstream
> domain-needed
> bogus-priv
> localise-queries
> 
> # allow /etc/hosts and dhcp lookups via *.lan
> domain=menhennitt.com.au
> expand-hosts
> no-negcache
> 
> # enable dhcp (start,end,netmask,leasetime)
> dhcp-authoritative
> dhcp-range=re0,203.3.73.51,203.3.73.90,255.255.255.0,12h
> # default route(s)
> dhcp-option=3,203.3.73.1
> 
> # use /etc/ethers for static hosts; same format as --dhcp-host
> # <hwaddr> <ipaddr>
> read-ethers
> 

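The failure mode described in the reply above (a function whose contract is "return 1 with a valid count, or 0 on error" keeping one path that returns a non-zero status code), shown as an added C example that is not dnsmasq's code. The names `explore_buggy`, `explore_fixed`, `caller_uses_count`, `DEMO_STAT_BOGUS` and the one-byte-count packet layout are hypothetical; 27430912 is the value from the crash report, used here as a stand-in for an uninitialised variable.

```c
#include <stddef.h>
#include <stdio.h>

#define DEMO_STAT_BOGUS 3 /* constructed value; it only needs to be non-zero */

/* Constructed toy packets: byte 0 is the record count, then one byte per record. */
static const unsigned char truncated[] = { 5, 0xaa, 0xbb }; /* claims 5, carries 2 */
static const unsigned char wellformed[] = { 2, 0xaa, 0xbb };

/* Before: intended contract is "1 and *count set, or 0 on error", but one
   malformed-packet path still returns a status code from the old convention. */
static int explore_buggy(const unsigned char *pkt, size_t len, int *count)
{
  if (len < 1)
    return 0;
  if ((size_t)pkt[0] + 1 > len)
    return DEMO_STAT_BOGUS; /* non-zero, and *count is never written */
  *count = pkt[0];
  return 1;
}

/* After: every failure path returns 0 and *count is defined on all paths. */
static int explore_fixed(const unsigned char *pkt, size_t len, int *count)
{
  *count = 0;
  if (len < 1 || (size_t)pkt[0] + 1 > len)
    return 0;
  *count = pkt[0];
  return 1;
}

typedef int (*explore_fn)(const unsigned char *, size_t, int *);
/* Caller written for the true/false contract. Returns the count it would go
   on to use as an array bound, or -1 if the packet was rejected. */
static int caller_uses_count(explore_fn explore, const unsigned char *pkt, size_t len)
{
  int rrsetidx = 27430912; /* stand-in for stack garbage (value from the report) */
  if (!explore(pkt, len, &rrsetidx))
    return -1;
  return rrsetidx;
}

int main(void)
{
  printf("buggy: %d\n", caller_uses_count(explore_buggy, truncated, sizeof truncated));
  printf("fixed: %d\n", caller_uses_count(explore_fixed, truncated, sizeof truncated));
  printf("ok:    %d\n", caller_uses_count(explore_fixed, wellformed, sizeof wellformed));
  return 0;
}
```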

