[Dnsmasq-discuss] [BUG] [PATCH] Segmentation fault in src/forward.c

Petr Menšík pemensik at redhat.com
Wed Sep 22 22:07:37 UTC 2021

Good catch. A new bug #2006367 [1] was also reported on Fedora. It
seems to point to related structures and memory corruption in them. I
have no coredump to check it (yet), so mostly guessing.

Juggling with type-unsafe structures with few common members is quite
a bad idea. I think those structures should contain a common server_local
struct member at the start. They could pass a pointer to it in every place
which needs to work just with those common parts.

There is also a suspicious memset at domain-match.c:677. Its flags are not
directly related to allocated size. I think there might be a case when
it overwrites more memory than allocated for the pointer. On line 696 it
may overwrite interface target even with flags SERV_4ADDR | SERV_6ADDR.
Both allow rewriting the uid member when HAVE_LOOP is set, which is a
default. I see many tricky corners without simple and readable checks
ensuring it always does what it should. I think a char type enum would
definitely not hurt in the common structure instead of this juggling with
flags. It would be much more clear what members are available. I think
the default struct should be the smallest one and only retyped to a bigger
struct if some flag clearly indicated it is there. Preferred would be
a separate type member.

At first it should be fixed by a minimal fix. I think a constant sized
structure with some unused members would be far more safe. I think a union
would be a good candidate here. It's a pity we did not notice those issues
before release. I should spend some time on basic automated tests again.
I think dnsmasq is small, but needs more regular testing.



1. https://bugzilla.redhat.com/show_bug.cgi?id=2006367

On 9/16/21 16:31, Dominik DL6ER wrote:
> Addendum: Depending on the configuration, it can happen that the
> query is sent to another server that is configured to be used for
> an altogether different domain, e.g.
>> server=
>> server=::1#5353
>> rev-server=,
>> server=/fritz.box/
>> server=/bo.net/#
>> address=/bo.net/#/
> resulting in "A bo.net" being sent to
> Something is definitely fishy here.
> Best,
> Dominik
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
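
The layout proposed in the message above (a common header at the start of every variant, a separate char-sized type member, and sizes derived from that type rather than from flags), sketched as an added example; it is not dnsmasq code and not part of the original message. All struct, enum and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record kinds; names are illustrative, not dnsmasq's. */
enum rec_kind { REC_LITERAL = 0, REC_ADDR4, REC_SERVER, REC_KIND_MAX };

/* Common header, first member of every variant, so a pointer to any
   variant is also a valid pointer to the header. */
struct rec_common {
  unsigned char kind;            /* enum rec_kind stored in a char */
  unsigned short flags;          /* behaviour only, never layout */
  struct rec_common *next;
};

struct rec_literal { struct rec_common c; };   /* smallest variant */
struct rec_addr4   { struct rec_common c; unsigned char addr[4]; };
struct rec_server  { struct rec_common c; unsigned char addr[16];
                     char interface[16]; unsigned int uid; };

/* Single source of truth for how many bytes each kind owns. */
static size_t rec_size(enum rec_kind kind) {
  switch (kind) {
    case REC_LITERAL: return sizeof(struct rec_literal);
    case REC_ADDR4:   return sizeof(struct rec_addr4);
    case REC_SERVER:  return sizeof(struct rec_server);
    default:          return 0;  /* unknown kind: refuse */
  }
}

struct rec_common *rec_alloc(enum rec_kind kind) {
  size_t sz = rec_size(kind);
  struct rec_common *r = sz ? calloc(1, sz) : NULL;
  if (r) r->kind = (unsigned char)kind;
  return r;
}

/* Clear the variant part only; the length comes from the record's own
   kind, so the memset cannot run past the allocation. */
void rec_reset(struct rec_common *r) {
  size_t sz = r ? rec_size((enum rec_kind)r->kind) : 0;
  if (sz > sizeof(*r))
    memset((char *)r + sizeof(*r), 0, sz - sizeof(*r));
}

/* Checked downcast: only REC_SERVER records have interface and uid. */
struct rec_server *rec_as_server(struct rec_common *r) {
  return (r && r->kind == REC_SERVER) ? (struct rec_server *)r : NULL;
}
```
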
