[Dnsmasq-discuss] [PATCH] A segmentation fault occurred in dnsmasq
renmingshuai
renmingshuai at huawei.com
Thu Aug 8 03:04:36 UTC 2024
DHCPv6 has the same problem.
>From 9c03568ab6e35408e7833b0621246b1e91812503 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai at huawei.com>
Date: Fri, 2 Aug 2024 17:08:59 +0800
Subject: [PATCH] DCHPv6:Fix a coredump and UAF caused by trying to free
non-heap objects as DHCPv4 did.
---
src/rfc3315.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 400d939..770e4ff 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -266,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
struct dhcp_opt *opt_cfg;
struct dhcp_netid *tagif;
struct dhcp_config *config = NULL;
- struct dhcp_netid known_id, iface_id, v6_id;
+ struct dhcp_netid known_id;
unsigned char outmsgtype;
struct dhcp_vendor *vendor;
struct dhcp_context *context_tmp;
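Review bot: `known_id` is still declared as an automatic `struct dhcp_netid`, while `iface_id` and `v6_id` are removed. If it is linked into `state->tags` later in dhcp6_no_relay (that code is outside the hunks shown), the list will still carry a stack node into whatever frees the tags, which is the defect this patch sets out to fix. Either convert that use to `dhcp_netid_create()` as well, or add a comment at the declaration saying why it is safe, e.g. `/* known_id: stack node, must be unlinked before state->tags is released */`.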
@@ -287,14 +287,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
state->fqdn_flags = 0x01; /* default to send if we receive no FQDN option */
/* set tag with name == interface */
- iface_id.net = state->iface_name;
- iface_id.next = state->tags;
- state->tags = &iface_id;
+ state->tags = dhcp_netid_create(state->iface_name, state->tags);
/* set tag "dhcpv6" */
- v6_id.net = "dhcpv6";
- v6_id.next = state->tags;
- state->tags = &v6_id;
+ state->tags = dhcp_netid_create("dhcpv6", state->tags);
start_msg = save_counter(-1);
/* copy over transaction-id */
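Review bot: The result of `dhcp_netid_create()` is assigned straight to `state->tags`, so if the helper can return NULL on allocation failure (its definition is not part of this patch), the tags already on the list are dropped and leaked. The same pattern recurs in the vendor-class, option-match, MAC-match and hostname-match hunks below. Keeping the old head on failure is a two-line change: `struct dhcp_netid *id = dhcp_netid_create(state->iface_name, state->tags);` then `if (id) state->tags = id;`. The "dhcpv6" call passes a string literal and the later calls pass `net` pointers that belong to configuration structures, so the ownership rule deserves a comment: `/* net is borrowed (literal or config-owned); the release routine frees the node only */`.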
@@ -406,8 +402,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
for (i = 0; i <= (opt6_user_vendor_len(enc_opt) - vendor->len); i++)
if (memcmp(vendor->data, opt6_user_vendor_ptr(enc_opt, i), vendor->len) == 0)
{
- vendor->netid.next = state->tags;
- state->tags = &vendor->netid;
+ state->tags = dhcp_netid_create(vendor->netid.net, state->tags);
break;
}
}
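Review bot: Each matching request now heap-allocates list nodes in response to client-supplied data (the vendor class here, and the option, MAC and hostname matches in the following hunks), but the patch adds no release call in src/rfc3315.c. The nodes therefore have to be freed by code outside this diff, and dhcp6_no_relay's return paths are not visible in these hunks. If any exit skips that cleanup, repeated requests will grow the heap. A comment at the function head naming the owner would make this auditable, e.g. `/* tags pushed here are heap nodes; <caller> frees state->tags once the reply is built */`. It is also worth confirming that entries already on `state->tags` at entry are heap nodes too.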
@@ -452,8 +447,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
if (match)
{
- opt_cfg->netid->next = state->tags;
- state->tags = opt_cfg->netid;
+ state->tags = dhcp_netid_create(opt_cfg->netid->net, state->tags);
}
}
@@ -470,8 +464,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
((unsigned)mac_opt->hwaddr_type == state->mac_type || mac_opt->hwaddr_type == 0) &&
memcmp_masked(mac_opt->hwaddr, state->mac, state->mac_len, mac_opt->mask))
{
- mac_opt->netid.next = state->tags;
- state->tags = &mac_opt->netid;
+ state->tags = dhcp_netid_create(mac_opt->netid.net, state->tags);
}
}
else if (option_bool(OPT_LOG_OPTS))
@@ -534,8 +527,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
if (hostname_isequal(state->client_hostname, m->name) &&
(save == 0 || m->wildcard))
{
- m->netid->next = state->tags;
- state->tags = m->netid;
+ state->tags = dhcp_netid_create(m->netid->net, state->tags);
}
if (save != 0)
--
2.33.0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20240808/10b09142/attachment.htm>