[Dnsmasq-discuss] dnsmasq DHCP server crash on latest FreshTomato router firmware
Tijs Van Buggenhout
tijs.van.buggenhout at axsguard.com
Thu Mar 13 13:52:45 UTC 2025
Hi Simon,
This is a regression. When dnsmasq is started without upstreams (yet), but a
DNS query comes in that needs forwarding, dnsmasq now potentially crashes as
the value of the "first" variable is undetermined.
A segmentation violation occurs when the index is out of bounds of
serverarray.
(gdb) run -d --log-queries --log-debug -R
Starting program: /var/tmp/git/dnsmasq/src/dnsmasq -d --log-queries --log-debug -R
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
dnsmasq: started, version 2.91rc5-2-ge427d4b cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-DNSSEC loop-detect inotify dumpfile
dnsmasq: warning: no upstream servers configured
dnsmasq: read /etc/hosts - 42 names
dnsmasq: *** log_query_mysockaddr: IN
dnsmasq: query[A] freshtomato.org from 127.0.0.1
dnsmasq: *** forward_query: IN
dnsmasq: *** forward_query: new query
dnsmasq: *** forward_query: if (!lookup_domain())
dnsmasq: *** forward_query: before master =
dnsmasq: *** forward_query: first=[-8080]
Program received signal SIGSEGV, Segmentation fault.
0x0000555555578c83 in forward_query (udpfd=udpfd@entry=4,
udpaddr=udpaddr@entry=0x7fffffffe180, dst_addr=dst_addr@entry=0x7fffffffe160,
dst_iface=dst_iface@entry=1, header=header@entry=0x5555555be2f0,
plen=plen@entry=56, replylimit=1232, now=1741871839, forward=0x0,
fwd_flags=160, fast_retry=0) at forward.c:398
398 master = daemon->serverarray[first];
(gdb) bt
#0 0x0000555555578c83 in forward_query (udpfd=udpfd@entry=4,
udpaddr=udpaddr@entry=0x7fffffffe180, dst_addr=dst_addr@entry=0x7fffffffe160,
dst_iface=dst_iface@entry=1, header=header@entry=0x5555555be2f0,
plen=plen@entry=56,
replylimit=1232, now=1741871839, forward=0x0, fwd_flags=160, fast_retry=0)
at forward.c:398
#1 0x0000555555579c27 in receive_query (listen=<optimized out>,
now=now@entry=1741871839) at forward.c:2053
#2 0x000055555557e184 in check_dns_listeners (now=now@entry=1741871839) at dnsmasq.c:1912
#3 0x000055555555dfc0 in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:1289
(gdb) quit
Please consider the following patch...
Credits go to pedro0311 <pedro at freshtomato.org>
From 0d87b0ac8ed525ab1eb43b753145702eba0db197 Mon Sep 17 00:00:00 2001
From: Tijs Van Buggenhout <tijs.van.buggenhout at axsguard.com>
Date: Thu, 13 Mar 2025 14:42:10 +0100
Subject: [PATCH] Partially revert "Always save forwarded query locally."
This partially reverts commit 3b6df06fb8cb3652d2e7afd085fae3f416408013.
---
src/forward.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index 8207a7e..939a4dc 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -353,9 +353,7 @@ static void forward_query(int udpfd, union mysockaddr
*udpaddr,
ede = EDE_NOT_READY;
flags = 0;
}
-
- master = daemon->serverarray[first];
-
+
/* don't forward A or AAAA queries for simple names, except the empty
name */
if (!flags &&
option_bool(OPT_NODOTS_LOCAL) &&
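Review bot: The one line this hunk adds, the "+" that replaces the removed empty line after the closing brace, can only differ from it in whitespace, so it appears to introduce a whitespace-only line. Please drop it so the hunk is purely the removal of "master = daemon->serverarray[first];" and the blank line before the "don't forward A or AAAA queries" comment stays empty. The removal itself is what stops the out-of-bounds read on the path that sets "ede = EDE_NOT_READY", so nothing else needs to change here.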
@@ -368,6 +366,8 @@ static void forward_query(int udpfd, union mysockaddr
*udpaddr,
if (flags || ede == EDE_NOT_READY)
goto reply;
+ master = daemon->serverarray[first];
+
if (!(forward = get_new_frec(now, master, 0)))
goto reply;
/* table full - flags == 0, return REFUSED */
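Review bot: The relocated "master = daemon->serverarray[first];" is safe only because of the "if (flags || ede == EDE_NOT_READY) goto reply;" directly above it, and nothing in the code records that dependency. A one-line comment saying that "first" is valid only past this check would keep a later reordering from reintroducing the crash seen at first=[-8080]. Since "master" is now left unassigned whenever that goto is taken, please also confirm that nothing reached from the "reply" label reads it. The commit message says only that this is a partial revert; a sentence naming the segfault with no upstream servers configured would help anyone bisecting later.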
--
2.37.4