[Dnsmasq-discuss] [BUG] [PATCH] Segmentation fault in src/forward.c

Dominik DL6ER dl6er at dl6er.de
Wed Sep 15 16:02:18 UTC 2021


Hey Simon,

today we discovered a segmentation fault in
forward.c:allocate_rfd().

It checks "if (serv->sfd)" before accessing "serv->sfd->fd".
However, we've seen that the value of serv->sfd can be arbitrary
nonsense (such as 0xa1), hence the access causes a crash here.

The reason for this is that we allocate different amounts of
space in domain-match.c:add_update_server():

>       size_t size;
> 
>       if (flags & SERV_LITERAL_ADDRESS)
> 	{
> 	  if (flags & SERV_6ADDR)
> 	    size = sizeof(struct serv_addr6);
> 	  else if (flags & SERV_4ADDR)
> 	    size = sizeof(struct serv_addr4);
> 	  else
> 	    size = sizeof(struct serv_local);
> 	}
>       else
> 	size = sizeof(struct server);
>       
>       if (!(serv = whine_malloc(size)))
> 	return 0;

and store the result in daemon->servers as "struct server".

In the crash we've seen, allocate_rfd() tried to access the struct
element ->sfd of a "struct serv_addr6", which obviously pointed
deep into nowhere and sometimes happens to pick up some random
data, eventually leading to a crash.

The attached patch tries to fix this by first checking if we are
really dealing with a full "struct server" here. I cannot get
dnsmasq to crash with it.

---

How to reproduce the crash yourself:

1. Use the attached config line.
2. Query "dig A mobile-ixanycast.ftl.netflix.com"
3. Repeat step no. 2 a few times until dnsmasq crashes.

---

Best,
Dominik
-------------- next part --------------
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/swplus-aws.canal-plus.com/#
address=/swplus-aws.canal-plus.com/::
server=/canalplus-bo.net/#
address=/canalplus-bo.net/::
server=/canalplus-cdn.net/#
address=/canalplus-cdn.net/::
server=/apiwaka.azure-api.net/#
address=/apiwaka.azure-api.net/::
server=/wakanim-vid.akamaized.net/#
address=/wakanim-vid.akamaized.net/#
server=/wakanimksm.azurewebsites.net/#
address=/wakanimksm.azurewebsites.net/::
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-allocate_rfd-tries-to-access-the-passed-serv-as-stru.patch
Type: text/x-patch
Size: 1206 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20210915/79253a34/attachment.bin>
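The report describes a variant-sized allocation being read through the largest variant's type: add_update_server() sizes the block by flags, but allocate_rfd() dereferences ->sfd as if every record were a full "struct server". The C program below is an added example written for this page, not Dominik's patch and not dnsmasq's code; the struct layouts, flag values and function names are constructed stand-ins that keep only the shape of the problem. It shows (1) why the read is out of bounds for the small variants (the offset of sfd lies past the bytes allocated for a serv_addr6), (2) the unsafe accessor pattern, and (3) the hardened accessor that consults the flags before casting, which is the check the reporter's patch introduces.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed flag values: they reuse the names from the report but are
   not dnsmasq's real definitions. */
#define SERV_LITERAL_ADDRESS 0x01
#define SERV_4ADDR           0x02
#define SERV_6ADDR           0x04

struct serverfd { int fd; };

/* Prefix shared by every variant; only these fields are safe to read
   before the variant has been identified. (Constructed layout.) */
struct serv_common {
  unsigned short flags;
  char *domain;
};

struct serv_local { struct serv_common hdr; };
struct serv_addr4 { struct serv_common hdr; unsigned char addr[4]; };
struct serv_addr6 { struct serv_common hdr; unsigned char addr[16]; };

/* Full upstream-server record: the only variant that carries an sfd. */
struct server {
  struct serv_common hdr;
  char host[64];          /* stand-in for the real record's other fields */
  struct serverfd *sfd;
};

/* Size chosen by flags, mirroring the quoted add_update_server() logic. */
size_t serv_alloc_size(unsigned short flags)
{
  if (flags & SERV_LITERAL_ADDRESS)
    {
      if (flags & SERV_6ADDR) return sizeof(struct serv_addr6);
      if (flags & SERV_4ADDR) return sizeof(struct serv_addr4);
      return sizeof(struct serv_local);
    }
  return sizeof(struct server);
}

struct serv_common *serv_new(unsigned short flags)
{
  struct serv_common *s = calloc(1, serv_alloc_size(flags));
  if (s) s->flags = flags;
  return s;
}

/* Does the sfd field lie inside the bytes allocated for this variant? */
int serv_sfd_in_bounds(unsigned short flags)
{
  return offsetof(struct server, sfd) + sizeof(struct serverfd *)
         <= serv_alloc_size(flags);
}

/* Unsafe pattern: assumes every record is a full struct server. Calling
   this on a literal-address record reads past the allocation. */
int sfd_fd_unchecked(struct serv_common *s)
{
  struct server *serv = (struct server *)s;
  return serv->sfd ? serv->sfd->fd : -1;
}

/* Hardened: identify the variant from the shared prefix before casting. */
int sfd_fd_checked(struct serv_common *s)
{
  if (s->flags & SERV_LITERAL_ADDRESS)
    return -1;                      /* small variant: there is no sfd */
  struct server *serv = (struct server *)s;
  return serv->sfd ? serv->sfd->fd : -1;
}

/* Scenario: a full server record with a socket fd attached. */
int lookup_fd_full_server(int fd)
{
  struct serverfd sfd = { fd };
  struct server *serv = (struct server *)serv_new(0);
  if (!serv) return -2;
  serv->sfd = &sfd;
  int r = sfd_fd_checked(&serv->hdr);
  free(serv);
  return r;
}

/* Scenario: a serv_addr6-sized record, as produced for "address=/.../::". */
int lookup_fd_literal_addr6(void)
{
  struct serv_common *s = serv_new(SERV_LITERAL_ADDRESS | SERV_6ADDR);
  if (!s) return -2;
  int r = sfd_fd_checked(s);        /* -1 without touching memory past s */
  free(s);
  return r;
}

int main(void)
{
  printf("sfd in bounds for addr6 record: %d\n",
         serv_sfd_in_bounds(SERV_LITERAL_ADDRESS | SERV_6ADDR));
  printf("full server fd: %d\n", lookup_fd_full_server(42));
  printf("addr6 record fd: %d\n", lookup_fd_literal_addr6());
  return 0;
}
```

The in-bounds predicate is what a reviewer can check statically for any accessor that casts a "struct serv_common *" to "struct server *": if the field offset is not below every variant's allocation size, the accessor must gate on the flags first. Building with -fsanitize=address makes the unchecked accessor fail deterministically on a small record instead of only when the adjacent heap bytes happen to look like a pointer.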
