[Dnsmasq-discuss] Lease attribution on bad network when one configured interface does not exists
Florent Fourcot
florent.fourcot at wifirst.fr
Mon Sep 1 19:58:32 UTC 2025
Hello Simon,
We reproduced the bug. It needs a lot of context to be triggered, so
it's probably a minor issue. However, in short:
* It needs ranges configured without an explicit netmask, as you
suspected;
* A "packet of death" with the uncommon option 118 set (RFC 3011) is
mandatory. It explains why it can work several days without issue. After
this packet, dnsmasq sends bad leases to all clients. A restart is
mandatory;
* It looks like this option forces dnsmasq to "compute" the netmask,
and its context/netmask configuration is then overwritten. In file
rfc2131.c, function dhcp_reply:
    for (context_tmp = daemon->dhcp; context_tmp; context_tmp = context_tmp->next)
      {
        struct in_addr netmask = context_tmp->netmask;
        /* guess the netmask for relayed networks */
        if (!(context_tmp->flags & CONTEXT_NETMASK) &&
            context_tmp->netmask.s_addr == 0)
          {
            if (IN_CLASSA(ntohl(context_tmp->start.s_addr)) &&
                IN_CLASSA(ntohl(context_tmp->end.s_addr)))
              netmask.s_addr = htonl(0xff000000);
A full reproducer and documentation on our findings are available here:
https://github.com/etene/dnsmasq-opt-118-bug-reproducer
Do not hesitate if we can help or provide more details.
Best regards,
Florent.
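
Added example, not part of the original message and not dnsmasq code: a minimal C model of the pattern in the excerpt above, showing the difference between a classful netmask guess kept in a per-request local variable and one written back into the shared range configuration. The struct, the CTX_NETMASK flag, the persist switch and the sample range are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

#define CTX_NETMASK 1u /* hypothetical stand-in for CONTEXT_NETMASK */
struct ctx { /* simplified, hypothetical model of one configured range */
    struct in_addr start, end, netmask;
    unsigned flags;
};

/* Classful guess (host byte order); 0 when start and end disagree on class. */
static uint32_t classful_mask(uint32_t s, uint32_t e)
{
    if (!(s >> 31) && !(e >> 31)) return 0xff000000u;         /* class A */
    if ((s >> 30) == 2 && (e >> 30) == 2) return 0xffff0000u; /* class B */
    if ((s >> 29) == 6 && (e >> 29) == 6) return 0xffffff00u; /* class C */
    return 0;
}

/* Netmask for one request; persist=1 models the guess being stored in shared config. */
static struct in_addr effective_mask(struct ctx *c, int persist)
{
    struct in_addr netmask = c->netmask; /* per-request copy */
    if (!(c->flags & CTX_NETMASK) && c->netmask.s_addr == 0) {
        netmask.s_addr = htonl(classful_mask(ntohl(c->start.s_addr), ntohl(c->end.s_addr)));
        if (persist)
            c->netmask = netmask; /* shared state changed by one packet */
    }
    return netmask;
}

static struct ctx make_ctx(const char *start, const char *end)
{
    struct ctx c = {0};
    inet_pton(AF_INET, start, &c.start);
    inet_pton(AF_INET, end, &c.end);
    return c;
}

int main(void)
{
    struct ctx c = make_ctx("10.1.2.10", "10.1.2.200"); /* constructed range */
    effective_mask(&c, 0);
    printf("local guess only: stored mask %s\n", inet_ntoa(c.netmask));
    effective_mask(&c, 1);
    printf("guess persisted:  stored mask %s\n", inet_ntoa(c.netmask));
    return 0;
}
```

In this model the stored mask stays 0.0.0.0 while the guess is local, and becomes 255.0.0.0 for every later request once it is persisted, which is the kind of state a restart would reset.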