[Dnsmasq-discuss] [BUG] [PATCH] Segmentation fault in src/forward.c
Dominik DL6ER
dl6er at dl6er.de
Wed Sep 15 16:02:18 UTC 2021
Hey Simon,
Today we discovered a segmentation fault in
forward.c:allocate_rfd().
It checks "if (serv->sfd)" before accessing "serv->sfd->fd".
However, we've seen that the value of serv->sfd can be arbitrary
nonsense (such as 0xa1), hence, the access causes a crash here.
The reason for this is that we allocate different amounts of
space in domain-match.c:add_update_server():
> size_t size;
>
> if (flags & SERV_LITERAL_ADDRESS)
>   {
>     if (flags & SERV_6ADDR)
>       size = sizeof(struct serv_addr6);
>     else if (flags & SERV_4ADDR)
>       size = sizeof(struct serv_addr4);
>     else
>       size = sizeof(struct serv_local);
>   }
> else
>   size = sizeof(struct server);
>
> if (!(serv = whine_malloc(size)))
>   return 0;
and store the result in daemon->servers as "struct server".
In the crash we've seen, allocate_rfd() tried to access the struct
element ->sfd of a "struct serv_addr6", which obviously pointed
deeply into nowhere and sometimes happens to pick up some random
data, eventually leading to a crash.
The attached patch tries to fix this by first checking if we are
really dealing with a full "struct server" here. I cannot get
dnsmasq to crash with it.
---
How to reproduce the crash yourself:
1. Use the attached config line.
2. Query "dig A mobile-ixanycast.ftl.netflix.com"
3. Repeat step no. 2 a few times until dnsmasq crashes.
---
Best,
Dominik
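As an added illustration (not dnsmasq's code and not the attached patch), the C below models the variable-size records described in the report and the type check the patch introduces before touching ->sfd. The flag values, struct layouts and the names serv_common, alloc_size, alloc_record, record_fd and probe_fd are constructed for this example only.

```c
#include <stdlib.h>
/* Constructed flag values; the real ones live in dnsmasq's headers. */
#define SERV_LITERAL_ADDRESS 0x01
#define SERV_4ADDR           0x02
#define SERV_6ADDR           0x04

/* Prefix shared by every record kind kept in the daemon->servers list. */
struct serv_common { unsigned flags; };
struct serv_fd { int fd; };
/* Full upstream-server record: the only kind that carries sfd. */
struct server { struct serv_common hdr; struct serv_fd *sfd; };
/* Literal-address records are allocated smaller and have no sfd member. */
struct serv_addr4 { struct serv_common hdr; unsigned char addr[4]; };
struct serv_addr6 { struct serv_common hdr; unsigned char addr[16]; };

/* Size per flags, mirroring the add_update_server() logic quoted above. */
static size_t alloc_size(unsigned flags)
{
    if (!(flags & SERV_LITERAL_ADDRESS)) return sizeof(struct server);
    if (flags & SERV_6ADDR) return sizeof(struct serv_addr6);
    if (flags & SERV_4ADDR) return sizeof(struct serv_addr4);
    return sizeof(struct serv_common);  /* stands in for struct serv_local */
}

static struct serv_common *alloc_record(unsigned flags)
{
    struct serv_common *rec = calloc(1, alloc_size(flags));
    if (rec) rec->flags = flags;
    return rec;
}

/* The check the patch adds: consult the flags before treating rec as a
 * struct server. Returns the descriptor, or -1 when there is none. */
static int record_fd(const struct serv_common *rec)
{
    if (rec->flags & SERV_LITERAL_ADDRESS)
        return -1;                        /* not a struct server: no sfd */
    const struct server *s = (const struct server *)rec;
    return s->sfd ? s->sfd->fd : -1;      /* the original NULL check */
}

/* Build one record of the given kind, bind a descriptor when it really is a
 * full server, and report what the checked accessor returns. */
static int probe_fd(unsigned flags, int fd)
{
    struct serv_fd slot = { fd };
    struct serv_common *rec = alloc_record(flags);
    if (!rec) return -2;
    if (!(flags & SERV_LITERAL_ADDRESS))
        ((struct server *)rec)->sfd = &slot;
    int got = record_fd(rec);
    free(rec);
    return got;
}
```

Without the flags check, record_fd() would read ->sfd from a record that was never allocated with that member, which is the out-of-bounds read the report describes.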
-------------- next part --------------
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/swplus-aws.canal-plus.com/#
address=/swplus-aws.canal-plus.com/::
server=/canalplus-bo.net/#
address=/canalplus-bo.net/::
server=/canalplus-cdn.net/#
address=/canalplus-cdn.net/::
server=/apiwaka.azure-api.net/#
address=/apiwaka.azure-api.net/::
server=/wakanim-vid.akamaized.net/#
address=/wakanim-vid.akamaized.net/#
server=/wakanimksm.azurewebsites.net/#
address=/wakanimksm.azurewebsites.net/::
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-allocate_rfd-tries-to-access-the-passed-serv-as-stru.patch
Type: text/x-patch
Size: 1206 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20210915/79253a34/attachment.bin>