[Dnsmasq-discuss] crash with DNSSEC on 2.80

Graham Menhennitt graham+dnsmasq at menhennitt.com.au
Wed Jul 17 10:03:29 BST 2019


Thanks for replying, Simon. I won't be able to test until the weekend.

Graham

On 16/7/19 7:06 am, Simon Kelley wrote:
> Ugh, that's nasty. Thanks for the good bug report.
>
> Is this reproducible? A domain which when validated always prompts a
> crash would be very useful.
>
> From the information we have, the obvious problem is rrsetidx=27430912
> which makes no sense, and will surely crash a buffer. That value is
> generated in explore_rrset() which should return either 1, and a valid
> value for the number of RRsets, or zero if there's an error.
>
> In fact there are a couple of cases where the code detects a malformed
> packet, and returns STAT_BOGUS (which is not zero) thus allowing the
> calling code to continue with an undefined value for the number of
> RRsets. So, certain kinds of malformed packets may cause this crash.
>
> This looks like an incomplete refactoring, that code used to return a
> STAT_* return code but the explore_rrset stuff got pulled out and
> returns true/false, but a couple of code paths got missed.
>
>
> Does
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05299fdd5a3b6ace43224c7d27d06a57b175639f
>
> Seem to fix things? That would be a nice, easy fix if so.
>
>
> Cheers,
>
> Simon.
>
>
> On 14/07/2019 02:21, Graham Menhennitt wrote:
>> Hello dnsmasqers,
>>
>> I'm running dnsmasq 2.80 on FreeBSD 12-stable. It works perfectly when I
>> have DNSSEC disabled. But when I enable it, I get crashes every hour or
>> so. I haven't worked out what's happening exactly, but it looks like
>> it's accessing past the end of a buffer. Running in lldb gives the
>> following info:
>>
>> Process 19920 stopped
>> * thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
>> address (fault address: 0x8)
>>       frame #0: 0x0000000000274802
>> dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
>> rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
>> buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
>>      301            end1 = p1 + rdlen1;
>>      302
>>      303            p2 += 8; /* skip class, type, ttl */
>> -> 304            GETSHORT(rdlen2, p2);
>>      305            end2 = p2 + rdlen2;
>>      306
>>      307            dp1 = dp2 = rr_desc;
>> (lldb) bt
>> * thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
>> address (fault address: 0x8)
>>     * frame #0: 0x0000000000274802
>> dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
>> rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
>> buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
>>       frame #1: 0x00000000002714c1 dnsmasq`validate_rrset(now=1562977226,
>> header=0x0000000801a29000, plen=512, class=1, type=5, sigidx=8,
>> rrsetidx=27430912, name="incoming.telemetry.mozilla.org",
>> keyname="mozilla.org", wildcard_out=0x00007fffffffe388,
>> key=0x0000000000000000, keylen=0, algo_in=0, keytag_in=0) at dnssec.c:506
>>       frame #2: 0x0000000000273479
>> dnsmasq`dnssec_validate_reply(now=1562977226, header=0x0000000801a29000,
>> plen=512, name="incoming.telemetry.mozilla.org", keyname="mozilla.org",
>> class=0x0000000801a1f248, check_unsigned=1,
>> neganswer=0x0000000000000000, nons=0x0000000000000000) at dnssec.c:1920
>>       frame #3: 0x000000000023306f dnsmasq`reply_query(fd=15, family=2,
>> now=1562977226) at forward.c:1029
>>       frame #4: 0x000000000024211c
>> dnsmasq`check_dns_listeners(now=1562977226) at dnsmasq.c:1644
>>       frame #5: 0x0000000000240bab dnsmasq`main(argc=6,
>> argv=0x00007fffffffe9f8) at dnsmasq.c:1104
>>       frame #6: 0x000000000021311b dnsmasq`_start(ap=<unavailable>,
>> cleanup=<unavailable>) at crt1.c:76
>>
>> My dnsmasq.conf is below.
>>
>> Does anybody have any clues, please?
>>
>> Thanks,
>>       Graham
>>
>> conf-file=/etc/dnsmasq-conf.conf
>> resolv-file=/etc/dnsmasq-resolv.conf
>>
>> server=8.8.8.8
>> server=8.8.4.4
>>
>> # use DNSSEC
>> dnssec
>> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>>
>> trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>>
>> dnssec-check-unsigned
>>
>> # filter what we send upstream
>> domain-needed
>> bogus-priv
>> localise-queries
>>
>> # allow /etc/hosts and dhcp lookups via *.lan
>> domain=menhennitt.com.au
>> expand-hosts
>> no-negcache
>>
>> # enable dhcp (start,end,netmask,leasetime)
>> dhcp-authoritative
>> dhcp-range=re0,203.3.73.51,203.3.73.90,255.255.255.0,12h
>> # default route(s)
>> dhcp-option=3,203.3.73.1
>>
>> # use /etc/ethers for static hosts; same format as --dhcp-host
>> # <hwaddr> <ipaddr>
>> read-ethers
>>
>>
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

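The failure mode Simon describes above (a helper whose contract is "1 and a valid count, or 0 on error" returning a non-zero status code on one malformed-packet path, so the caller carries on with an undefined count) is shown here as an added example; it is not dnsmasq code and not the content of the linked commit. All function names, the toy packet format, `MAX_RRSETS` and the numeric value of `STAT_BOGUS` are assumptions, and a sentinel stands in for the uninitialised variable so the behaviour is deterministic.

```c
#include <stddef.h>
#include <stdio.h>

#define STAT_BOGUS 3            /* placeholder; the thread only says it is non-zero */
#define MAX_RRSETS 16           /* hypothetical capacity of the caller's array */
#define STACK_GARBAGE 27430912  /* stands in for an undefined value (figure from the backtrace) */
/* Constructed toy packets: each record is 2 bytes, so an odd length is malformed. */
static const unsigned char good_pkt[4] = {0, 1, 0, 2};
static const unsigned char bad_pkt[3] = {0, 1, 0};
typedef int (*explore_fn)(const unsigned char *pkt, size_t len, int *count);

/* Contract: return 1 and set *count, or return 0 on error. */
static int explore_buggy(const unsigned char *pkt, size_t len, int *count)
{
    (void)pkt;
    if (len % 2 != 0) return STAT_BOGUS;  /* missed path: a status code reads as "true" */
    *count = (int)(len / 2);
    return 1;
}

static int explore_fixed(const unsigned char *pkt, size_t len, int *count)
{
    (void)pkt;
    *count = 0;                           /* never leave the out-parameter undefined */
    if (len % 2 != 0) return 0;           /* malformed input now honours the contract */
    *count = (int)(len / 2);
    return 1;
}

/* Caller that treats any non-zero return as success; returns the count it would use, or -1. */
static int validate(explore_fn explore, const unsigned char *pkt, size_t len)
{
    int count = STACK_GARBAGE;            /* in the real pattern this is simply uninitialised */
    if (!explore(pkt, len, &count)) return -1;
    return count;
}

/* Defence in depth: accept only the documented success value and a bounded count. */
static int validate_checked(explore_fn explore, const unsigned char *pkt, size_t len)
{
    int count = STACK_GARBAGE;
    if (explore(pkt, len, &count) != 1 || count < 0 || count > MAX_RRSETS) return -1;
    return count;
}

int main(void)
{
    printf("%d %d %d\n", validate(explore_buggy, bad_pkt, sizeof bad_pkt),
           validate(explore_fixed, bad_pkt, sizeof bad_pkt), validate_checked(explore_buggy, bad_pkt, sizeof bad_pkt));
    return 0;
}
```
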




