[Dnsmasq-discuss] segfault with an empty OPTION_SNAME
Jeff Allen
jeff.allen at exoscale.ch
Tue Feb 24 13:30:08 UTC 2026
Hello,
Today I debugged an unexpected new segfault in dnsmasq that appeared on a
pre-production system. I found the culprit: a malformed "dhcp-option" line.
It was malformed because of a difference between the systems that generate
configs in preprod and prod.
But that's my bug, and I'll fix it myself. However, I thought you'd like to
know about the possibility of getting segfaults in dnsmasq anyway.
It comes, in dnsmasq 2.90, from rfc2131.c line 2493:
2490 if ((!req_options || !in_list(req_options, OPTION_SNAME)) &&
2491 (opt = option_find2(OPTION_SNAME)) && !(opt->flags & DHOPT_FORCE))
2492 {
2493 safe_strncpy((char *)mess->sname, (char *)opt->val,
sizeof(mess->sname));
2494 done_server = 1;
2495 }
If opt->val is NULL, then safe_strcpy will cause a segfault.
Opt-val was NULL in my case because of this line in my config file:
dhcp-option=tag:!ARISTA,66,
The tag ARISTA was not set, so this option was used. If there's
something after the comma, the crash goes away.
Have a nice day,
-jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20260224/9f833868/attachment.htm>
More information about the Dnsmasq-discuss
mailing list