[Dnsmasq-discuss] [Bug] Buffer underflow in hostname_issubdomain() - Verified on 2.93test4-11-gcf08eee

[Critizero Chen]

Hi all,

I am reporting an issue found in src/util.c. This is a pointer underflow
vulnerability in the hostname_issubdomain() function, which I have verified
on the latest development version: *dnsmasq 2.93test4-11-gcf08eee*.
Summary

The function hostname_issubdomain(char *a, char *b) fails to handle cases
where the parameter b is an empty string. When b is empty, the pointer bp
underflows during the first iteration of the do-while loop, leading to an
out-of-bounds read.
Root Cause Analysis

In src/util.c (around line 436 in the current master):

  /* move to the end */
  for (bp = b; *bp; bp++); // If b is "", bp remains equal to b
  ...
  do
    {
      c1 = (unsigned char) *(--ap);
      c2 = (unsigned char) *(--bp);  // BUG: bp becomes b-1 (Underflow)
      ...
    } while (bp != b); // Since bp is already < b, this condition stays true

When b is an empty string (length 0), the initialization loop for bp does
nothing. The subsequent do-while loop immediately decrements bp to b-1,
reading memory outside the allocated buffer.
Trigger Path & Verification

This can be triggered by sending a CHAOS class DNS query for the root
domain (.):

   1.

   extract_name() parses the root domain as an empty string "".
   2.

   In src/rfc1035.c, it calls hostname_issubdomain("bind", name).
   3.

   With name as "", the underflow occurs.

*Reproducer:* dig @127.0.0.1 -p [PORT] -c CH -t TXT .
Severity & Impact

I performed dynamic testing with >100,000 queries. While a persistent
infinite loop (DoS) is difficult to achieve because the loop usually breaks
when c1 != c2 (random stack data), Valgrind consistently reports an *Invalid
read of size 1*.

This memory safety issue leads to *Undefined Behavior* and potential minor
information leakage from the stack or heap area immediately preceding the
buffer.
Evidence (Valgrind Output)
==73== Invalid read of size 1
==73==    at 0x11E139: hostname_issubdomain (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x11B424: answer_request (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x12FE31: receive_query (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x1129D4: main (in /root/dnsmasq/src/dnsmasq)
==73==  Address 0x4a8b48f is 1 bytes before a block of size 2,051 alloc'd
==73==    at 0x484DA83: calloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==73==    by 0x11DE34: safe_malloc (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x12AB68: read_opts (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x1113F1: main (in /root/dnsmasq/src/dnsmasq)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20260323/a6d81bf9/attachment-0001.htm>