[Dnsmasq-discuss] [PATCH] Heap use after free in dhcp6_no_relay (CVE-2022-0934)

Petr Menšík pemensik at redhat.com
Sat Apr 2 15:01:57 UTC 2022


Hi Lonnie,

I made just a quick evaluation, but it does not seem possible. It happens
while creating a reply to a DHCP message. ra-only ranges should not
create a DHCP range which would accept an incoming message. It should log
the message "no address range available for DHCPv6 request" followed by some
detail. If it does so, then it avoids the only function where it may happen.

If no DHCP6 messages are involved, this vulnerability cannot be
triggered. ra-only should only broadcast its prefix(es) to end stations
without accepting messages from them. It should be safe.

Regards,
Petr

On 4/1/22 16:37, Lonnie Abelbeck wrote:
>> On Mar 31, 2022, at 2:04 PM, Petr Menšík <pemensik at redhat.com> wrote:
>>
>> A possible vulnerability was found in the latest dnsmasq. It was found with the help of the oss-fuzz Google project by me and shortly after that independently also by Richard Johnson of Trellix Threat Labs.
>>
>> It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. Red Hat security assigned this vulnerability CVE-2022-0934.
> Are dnsmasq IPv6 configs *only* using "ra-only" (ex.):
> --
> dhcp-range=...,ra-only,64,24h
> --
> Immune from CVE-2022-0934 ?
>
> Lonnie
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
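
An added example, not part of the thread and not dnsmasq's own code: a small Python check that lists the IPv6 dhcp-range lines in a dnsmasq configuration and marks those whose only mode keyword is ra-only, the case the reply above describes. The sample configuration is constructed and the function names are hypothetical; "review" only means the line falls outside what the reply addresses.

```python
import ipaddress

# Mode keywords dnsmasq accepts on an IPv6 dhcp-range line (from its man page).
MODES = {"ra-only", "slaac", "ra-names", "ra-stateless",
         "ra-advrouter", "off-link", "static"}
PREFIXED = ("tag:", "set:", "constructor:")  # fields that are not addresses


def is_ipv6(field):
    try:
        return ipaddress.ip_address(field).version == 6
    except ValueError:
        return False


def audit_dhcp_ranges(config_text):
    """Return (line_number, verdict, line) for every IPv6 dhcp-range line.

    verdict is "ra-only" when ra-only is the sole mode keyword, else "review".
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "dhcp-range":
            continue
        fields = [f.strip() for f in value.split(",")]
        plain = [f for f in fields if not f.startswith(PREFIXED)]
        if not any(is_ipv6(f) for f in plain):
            continue  # IPv4 range: DHCPv6 is not involved
        modes = {f for f in plain if f in MODES}
        verdict = "ra-only" if modes == {"ra-only"} else "review"
        findings.append((number, verdict, line))
    return findings


# Constructed sample configuration (documentation prefixes, not from the thread).
SAMPLE = """\
# constructed example
dhcp-range=192.0.2.50,192.0.2.150,12h
dhcp-range=2001:db8:1::,ra-only,64,24h
dhcp-range=::,constructor:eth0,ra-only
dhcp-range=2001:db8:2::100,2001:db8:2::1ff,64,12h
dhcp-range=tag:lab,2001:db8:3::,ra-stateless,ra-names
"""

if __name__ == "__main__":
    for number, verdict, line in audit_dhcp_ranges(SAMPLE):
        print(f"line {number}: {verdict:8} {line}")
```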



