[Dnsmasq-discuss] Use-after-free with DHCP + use-stale-cache

Erik Karlsson erik.r.karlsson at gmail.com
Mon May 6 09:39:57 UTC 2024


Hi Dominik,

Are you sure the patch I sent does not solve this? I think it should, or are
there more places where a lease_update_dns(0) is missing? Alternatively,
can there be dangling pointers left even after lease_update_dns has been
run?

Best regards,
Erik

On Mon, 6 May 2024 at 07:14, Dominik Derigs via Dnsmasq-discuss <
dnsmasq-discuss at lists.thekelleys.org.uk> wrote:

> Hey Simon,
>
> we found a bug resulting in a use-after-free returning garbage data and
> possibly crash when using DHCP + stale cache data.
>
> The bug is triggered when using DHCP and a lease expires. Its name is
> then freed in kill_name() + do_script_run(). When the PTR record is
> queried thereafter and use-stale-cache is enabled, dnsmasq accesses this
> dangling pointer and returns random data - often a string containing a few
> control characters, once dnsmasq even SEGFAULTed.
>
> Related dnsmasq.log:
>
> May  5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
> May  5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is **<name unprintable>**
> May  5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1
>
> The final immediate "forwarded" line comes from dnsmasq itself and
> confirms that this was triggered by use-stale-cache.
>
> Best,
> Dominik
>
> P.S.: The patch recently sent by Erik Karlsson doesn't fix this, it
> touches other code.
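The lifetime problem Dominik describes (a lease name freed on expiry while a cache record still points at it, then read back by a stale-cache PTR answer) and the lease_update_dns() ordering Erik asks about, as an added illustration that is not dnsmasq's code: the structs, the cache layout and every function name other than lease_update_dns() are hypothetical, and the sample lease name is constructed.

```c
/* Added illustration, not dnsmasq source: a model of the lifetime bug in the thread.
 * A cache record keeps a raw pointer to a DHCP lease's name; the name is freed on
 * expiry, and unless cache references are detached first a later stale-cache PTR
 * lookup reads freed memory. lease_detach_dns() stands in for lease_update_dns()
 * and must run before free(). All identifiers here are hypothetical. */
#include <stdlib.h>
#include <string.h>
#define MAX_CACHE 8
struct lease { char *name; };
struct crec  { const char *name; };   /* cache record: a pointer, not a copy */
static struct crec cache[MAX_CACHE];
static int ncache;

/* Register a cache record that points into the lease's name buffer. */
static int cache_add_lease(const struct lease *l)
{
    if (ncache >= MAX_CACHE) return -1;
    cache[ncache].name = l->name;
    return ncache++;
}
/* The lease_update_dns()-style step: detach every cache pointer into this lease. */
static int lease_detach_dns(const struct lease *l)
{
    int detached = 0;
    for (int i = 0; i < ncache; i++)
        if (cache[i].name == l->name) { cache[i].name = NULL; detached++; }
    return detached;
}
/* Lease expiry: detach first, then free, so nothing dangles for a stale answer. */
static void lease_kill(struct lease *l)
{
    lease_detach_dns(l);
    free(l->name);
    l->name = NULL;
}
/* Stale-cache PTR answer: NULL means "no name", never freed memory. */
static const char *cache_lookup_stale(int idx)
{
    return (idx < 0 || idx >= ncache) ? NULL : cache[idx].name;
}
/* The thread's sequence: lease cached, lease expires, PTR queried afterwards.
 * Returns 1 when the lookup answered before expiry and safely yields nothing after. */
static int scenario_expire_then_ptr(void)
{
    struct lease l = { strcpy(malloc(16), "host-a.lan") };   /* constructed sample */
    int idx = cache_add_lease(&l);
    int before = cache_lookup_stale(idx) != NULL;
    lease_kill(&l);
    int after = cache_lookup_stale(idx) == NULL;
    ncache = 0;                       /* reset the model for repeated runs */
    return before && after;
}
```

Swapping the two statements in lease_kill() reproduces the hazard the log shows: the record still holds a pointer into freed memory, which is exactly what a stale-cache answer then copies out.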