[Dnsmasq-discuss] Use-after-free with DHCP + use-stale-cache

Dominik Derigs dl6er at dl6er.de
Mon May 6 04:31:00 UTC 2024


Hey Simon,

we found a bug resulting in a use-after-free returning garbage data and 
possibly a crash when using DHCP + stale cache data.

The bug is triggered when using DHCP and a lease expires. Its name is 
then freed in kill_name() + do_script_run(). When the PTR record is 
queried thereafter and use-stale-cache is enabled, dnsmasq accesses this 
dangling pointer and returns random data - often a string containing a 
few control characters; once dnsmasq even SEGFAULTed.

Related dnsmasq.log:

May 5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May 5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is **<name unprintable>**
May 5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1

The final immediate "forwarded" line comes from dnsmasq itself and 
confirms that this was triggered by use-stale-cache.

Best,
Dominik

P.S.: The patch recently sent by Erik Karlsson doesn't fix this, it 
touches other code.
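The lifetime problem described in the report, as an added C sketch that is not dnsmasq's code: a cache record that borrows a lease's name pointer has to be detached before the lease frees that string, otherwise a stale-cache answer dereferences freed memory. All struct and function names here (lease, cache_rec, expire_lease_safe, lookup) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

struct lease { char *name; };                         /* owns the hostname string */
struct cache_rec { const char *name; int expired; };  /* borrows the lease's pointer */

/* Mirrors the reported bug: the lease name is freed while cache records
 * still point at it, so a later stale-cache answer reads freed memory. */
void expire_lease_unsafe(struct lease *l)
{
    free(l->name);
    l->name = NULL;
}

/* Hardened form: detach every record that borrows the name before the
 * lease frees it. A stale answer can then only yield NULL, never freed data. */
void expire_lease_safe(struct lease *l, struct cache_rec *recs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (recs[i].name == l->name)
            recs[i].name = NULL;
    free(l->name);
    l->name = NULL;
}

/* use-stale-cache semantics: an expired record may still be answered. */
const char *lookup(const struct cache_rec *r, int use_stale)
{
    if (r->expired && !use_stale)
        return NULL;
    return r->name;   /* NULL if the record was detached on lease expiry */
}

static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Constructed scenario: one lease and one PTR-style record borrowing its name.
 * Returns 1 if the record answers before expiry and is safely unanswerable after. */
int demo_safe_expiry(void)
{
    struct lease l = { dup_name("host.lan") };
    struct cache_rec recs[1] = { { l.name, 0 } };
    int before = lookup(&recs[0], 1) != NULL && strcmp(lookup(&recs[0], 1), "host.lan") == 0;

    recs[0].expired = 1;              /* TTL ran out; stale-cache would still answer it */
    expire_lease_safe(&l, recs, 1);   /* lease expires: detach first, then free */
    int after = lookup(&recs[0], 1) == NULL;
    return before && after;
}
```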