[Dnsmasq-discuss] [PATCH] Heap use after free in dhcp6_no_relay (CVE-2022-0934)
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Sat Apr 2 15:09:07 UTC 2022
Hey Petr,
Your analysis is much appreciated! Thank you.
Lonnie
> On Apr 2, 2022, at 10:01 AM, Petr Menšík <pemensik at redhat.com> wrote:
>
> Hi Lonnie,
>
> I made just a quick evaluation, but it does not seem possible. It happens
> while creating a reply to a DHCP message. ra-only ranges should not
> create a DHCP range, which would accept incoming messages. It should log
> the message "no address range available for DHCPv6 request" followed by some
> detail. If it does so, then it avoids the function where it may happen.
>
> If no DHCP6 messages are involved, this vulnerability cannot be
> triggered. ra-only should only broadcast its prefix(es) to end stations
> without accepting messages from them. It should be safe.
>
> Regards,
> Petr
>
> On 4/1/22 16:37, Lonnie Abelbeck wrote:
>>> On Mar 31, 2022, at 2:04 PM, Petr Menšík <pemensik at redhat.com> wrote:
>>>
>>> A possible vulnerability was found in the latest dnsmasq. It was found with the help of Google's oss-fuzz project by me and shortly after that independently also by Richard Johnson of Trellix Threat Labs.
>>>
>>> It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. Red Hat security assigned this vulnerability CVE-2022-0934.
>> Are dnsmasq IPv6 configs *only* using "ra-only" (ex.):
>> --
>> dhcp-range=...,ra-only,64,24h
>> --
>> immune from CVE-2022-0934?
>>
>> Lonnie
>>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
>
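Petr's reasoning above separates IPv6 ranges that only send router advertisements (ra-only) from ranges that build DHCPv6 replies. The following config audit, added here as an example and not code from the thread or from the dnsmasq project, applies that distinction to a dnsmasq.conf: every `dhcp-range=` line with an IPv6 address or a `constructor:` field is classified, and any such range without the `ra-only` mode is flagged as one that handles DHCPv6 requests and therefore needs the fixed build. The sample configuration, the verdict strings and the rule "only ra-only is treated as not accepting DHCPv6 messages; every other IPv6 mode is flagged for review" are assumptions of this example, following the thread rather than the full list of dnsmasq modes.

```python
"""Audit a dnsmasq configuration for IPv6 ranges that handle DHCPv6 requests.

Added example (not from the dnsmasq project). The classification rule follows
the mailing-list reasoning: an IPv6 dhcp-range with the ra-only mode only
advertises prefixes and never builds a DHCPv6 reply; any other IPv6 range
does build replies and is in scope for CVE-2022-0934 until patched.
"""
import ipaddress
from typing import List, Optional, Tuple

RA_ONLY = "ra-only"
# Verdict strings are constructed for this example.
VERDICT_RA_ONLY = "ra-only: router advertisements only, no DHCPv6 reply path"
VERDICT_DHCPV6 = "DHCPv6 range: builds DHCPv6 replies, in scope for CVE-2022-0934"

# Constructed sample dnsmasq.conf (not a real deployment).
SAMPLE_CONF = "\n".join([
    "# constructed sample dnsmasq.conf",
    "interface=eth0",
    "dhcp-range=192.168.1.50,192.168.1.150,12h",
    "dhcp-range=::,constructor:eth0,ra-only,64,24h",
    "dhcp-range=2001:db8:1::100,2001:db8:1::1ff,64,24h",
    "dhcp-range=set:lan6,2001:db8:2::,ra-only,64,24h",
])


def dhcp_range_fields(line: str) -> Optional[List[str]]:
    """Return the comma-separated fields of a dhcp-range= line, else None."""
    stripped = line.strip()
    if stripped.startswith("#") or not stripped.startswith("dhcp-range="):
        return None
    return [f.strip() for f in stripped[len("dhcp-range="):].split(",")]


def is_ipv6_range(fields: List[str]) -> bool:
    """A range is IPv6 if any field is an IPv6 address or a constructor: spec.

    Tag fields such as set:lan6 also contain a colon, so the test parses the
    field as an address instead of looking for ':'.
    """
    for field in fields:
        if field.startswith("constructor:"):
            return True
        try:
            if ipaddress.ip_address(field).version == 6:
                return True
        except ValueError:
            continue
    return False


def audit_dhcp_ranges(config_text: str) -> List[Tuple[int, str, str]]:
    """Classify every IPv6 dhcp-range line as (line number, line, verdict)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        fields = dhcp_range_fields(line)
        if fields is None or not is_ipv6_range(fields):
            continue
        verdict = VERDICT_RA_ONLY if RA_ONLY in fields else VERDICT_DHCPV6
        findings.append((lineno, line.strip(), verdict))
    return findings


def accepts_dhcpv6_requests(config_text: str) -> bool:
    """True if at least one IPv6 range is not ra-only (needs the fixed build)."""
    return any(v == VERDICT_DHCPV6 for _, _, v in audit_dhcp_ranges(config_text))


if __name__ == "__main__":
    for lineno, line, verdict in audit_dhcp_ranges(SAMPLE_CONF):
        print(f"line {lineno}: {line}\n    -> {verdict}")
    print("handles DHCPv6 requests:", accepts_dhcpv6_requests(SAMPLE_CONF))
```

Run against the sample, the constructor and `set:lan6` ranges come back as ra-only and the `2001:db8:1::100` range is flagged; a config whose only IPv6 ranges are ra-only reports that it handles no DHCPv6 requests. The audit checks the configured reply path, not the running binary, so it complements rather than replaces checking the installed dnsmasq version.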