[Dnsmasq-discuss] dnsmasq DHCP server crash on latest FreshTomato router firmware

Simon Kelley simon at thekelleys.org.uk
Fri Mar 14 15:24:44 UTC 2025


Good catch!

I've understood and reproduced this now, and I'm happy that the patch 
fixes it.

I've committed the patch, and tagged 2.91rc6. I'd hoped to release 2.91 
today, but I'll give it a few days with this and some other fixes before 
doing that.

Cheers,

Simon.

On 3/13/25 13:52, Tijs Van Buggenhout via Dnsmasq-discuss wrote:
> Hi Simon,
> 
> This is a regression. When dnsmasq is started without upstreams (yet), but a
> DNS query comes in that needs forwarding, dnsmasq now potentially crashes as
> the value for "first" variable is undetermined.
> 
> A segmentation violation occurs when the index is out of bounds of
> serverarray.
> 
> (gdb) run -d --log-queries --log-debug -R
> Starting program: /var/tmp/git/dnsmasq/src/dnsmasq -d --log-queries --log-
> debug -R
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> dnsmasq: started, version 2.91rc5-2-ge427d4b cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN
> DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-DNSSEC loop-
> detect inotify dumpfile
> dnsmasq: warning: no upstream servers configured
> dnsmasq: read /etc/hosts - 42 names
> dnsmasq: *** log_query_mysockaddr: IN
> dnsmasq: query[A] freshtomato.org from 127.0.0.1
> dnsmasq: *** forward_query: IN
> dnsmasq: *** forward_query: new query
> dnsmasq: *** forward_query: if (!lookup_domain())
> dnsmasq: *** forward_query: before master =
> dnsmasq: *** forward_query: first=[-8080]
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000555555578c83 in forward_query (udpfd=udpfd@entry=4,
> udpaddr=udpaddr@entry=0x7fffffffe180, dst_addr=dst_addr@entry=0x7fffffffe160,
> dst_iface=dst_iface@entry=1, header=header@entry=0x5555555be2f0,
> plen=plen@entry=56, replylimit=1232, now=1741871839, forward=0x0,
> fwd_flags=160, fast_retry=0) at forward.c:398
> 398           master = daemon->serverarray[first];
> (gdb) bt
> #0  0x0000555555578c83 in forward_query (udpfd=udpfd@entry=4,
> udpaddr=udpaddr@entry=0x7fffffffe180, dst_addr=dst_addr@entry=0x7fffffffe160,
> dst_iface=dst_iface@entry=1, header=header@entry=0x5555555be2f0,
> plen=plen@entry=56,
>      replylimit=1232, now=1741871839, forward=0x0, fwd_flags=160, fast_retry=0)
> at forward.c:398
> #1  0x0000555555579c27 in receive_query (listen=<optimized out>,
> now=now@entry=1741871839) at forward.c:2053
> #2  0x000055555557e184 in check_dns_listeners (now=now@entry=1741871839) at
> dnsmasq.c:1912
> #3  0x000055555555dfc0 in main (argc=<optimized out>, argv=<optimized out>) at
> dnsmasq.c:1289
> (gdb) quit
> 
> Please consider the following patch...
> 
> Credits go to pedro0311 <pedro at freshtomato.org>
> 
> From 0d87b0ac8ed525ab1eb43b753145702eba0db197 Mon Sep 17 00:00:00 2001
> From: Tijs Van Buggenhout <tijs.van.buggenhout at axsguard.com>
> Date: Thu, 13 Mar 2025 14:42:10 +0100
> Subject: [PATCH] Partially revert "Always save  forwarded query locally."
> 
> This partially reverts commit 3b6df06fb8cb3652d2e7afd085fae3f416408013.
> ---
>   src/forward.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/forward.c b/src/forward.c
> index 8207a7e..939a4dc 100644
> --- a/src/forward.c
> +++ b/src/forward.c
> @@ -353,9 +353,7 @@ static void forward_query(int udpfd, union mysockaddr
> *udpaddr,
>   	  ede = EDE_NOT_READY;
>   	  flags = 0;
>   	}
> -
> -      master = daemon->serverarray[first];
> -
> +
>         /* don't forward A or AAAA queries for simple names, except the empty
> name */
>         if (!flags &&
>   	  option_bool(OPT_NODOTS_LOCAL) &&
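Review bot: With `master = daemon->serverarray[first];` removed from this spot, `master` holds no value from here until the assignment added in the next hunk, so the `goto reply` taken in between reaches the `reply` label with `master` unset. Please confirm that nothing on the `reply` path reads `master` in that case, or give `master` a NULL initial value at its declaration so that a stray use fails predictably instead of depending on stack contents.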
> @@ -368,6 +366,8 @@ static void forward_query(int udpfd, union mysockaddr
> *udpaddr,
>         if (flags || ede == EDE_NOT_READY)
>   	goto reply;
>         
> +      master = daemon->serverarray[first];
> +
>         if (!(forward = get_new_frec(now, master, 0)))
>   	goto reply;
>         /* table full - flags == 0, return REFUSED */
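Review bot: The relocated `master = daemon->serverarray[first];` is safe only as long as the `if (flags || ede == EDE_NOT_READY) goto reply;` directly above it is taken in every case where `first` was never set, and nothing in the code states that dependency. Since this ordering has already regressed once, add a comment above the assignment saying that `first` is valid only past that guard, and consider giving `first` a defined initial value so that an out-of-range index like the -8080 in the trace cannot reach `serverarray` again.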
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
