[Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options
Toliak Purple
toliakpurple at gmail.com
Tue Apr 21 14:08:35 UTC 2026
Hello.
I would like to report a segmentation fault that occurs in dnsmasq
when an empty interface name is provided to the --interface-name or
--dynamic-host option.
Version: 2.90 (also verified on the latest commit
`2d0e0c7a54f73d10d7afa15691c08cf5ec1e4ee2`)
```
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth
no-cryptohash no-DNSSEC loop-detect inotify dumpfile
```
Reproduction Steps. Both commands cause a segmentation fault:
```
dnsmasq --interface-name=,
dnsmasq --dynamic-host=,::,
```
Stack Trace (ASAN, v2.90)
```
==1817==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0203d22845 bp 0x7ffc3316b920 sp 0x7ffc3316b0a0 T0)
==1817==The signal is caused by a READ memory access.
==1817==Hint: address points to the zero page.
#0 0x7f0203d22845 in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:488
#1 0x5563361feeb3 in iface_allowed /opt/dnsmasq/src/network.c:361
#2 0x556336203aca in iface_allowed_v6 /opt/dnsmasq/src/network.c:622
#3 0x55633625cc4c in iface_enumerate /opt/dnsmasq/src/netlink.c:291
#4 0x55633620573c in enumerate_interfaces /opt/dnsmasq/src/network.c:836
#5 0x55633615c3fe in main /opt/dnsmasq/src/dnsmasq.c:367
```
The fault occurs due to a null-pointer dereference in iface_allowed()
at line 361:
```
if (strncmp(label, int_name->intr, IF_NAMESIZE) == 0) /* here int_name->intr is NULL */
```
That occurs due to a null-pointer assignment in option.c at line 4856:
```
new->intr = opt_string_alloc(arg); /* if arg is an empty string, opt_string_alloc will return NULL */
```
Proposed Fix (based on the commit `2d0e0c7a54f73d10d7afa15691c08cf5ec1e4ee2`).
```
diff --git a/src/option.c b/src/option.c
index 9a2d45d..40414e8 100644
--- a/src/option.c
+++ b/src/option.c
@@ -4960,7 +4960,7 @@ err:
arg = NULL; /* provoke error below */
}
- if (!domain || !arg || !(new->name = canonicalise_opt(domain)))
+ if (!domain || !arg || !new->intr || !(new->name =
canonicalise_opt(domain)))
ret_err(option == LOPT_DYNHOST ?
_("bad dynamic host") : _("bad interface name"));
```
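Review bot: the added `!new->intr` test on the `+` line has no comment saying when `intr` can be NULL; per the report, opt_string_alloc() returns NULL for an empty argument, so this is an input-validation check as well as an allocation-failure check, and a short comment to that effect would keep it from being dropped later as redundant. The `+` line is also wrapped across two lines by the mailer, so the hunk will not apply as posted; resending it unwrapped or as an attachment would fix that. Because iface_allowed() passes int_name->intr straight to strncmp(), a NULL test at that call site would be a worthwhile second guard alongside this parser check.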
This ensures that if memory allocation for the new entry fails
(resulting in new->intr == NULL), the option parsing function will
fail.
Have a nice day,
-- Anatolii
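The failure mode described in this report, as an added example that is not part of the original post and is not dnsmasq code: a simplified model in which an empty option value is stored as NULL, the parser either rejects it or lets it through, and the consumer guards its own strncmp() call. All names (`dup_or_null`, `parse_entry`, `label_matches`, `NAME_MAX_LEN`) are hypothetical, and the "empty string yields NULL" behaviour is assumed from the report.

```c
/* Simplified model of the reported bug class; NOT dnsmasq source. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16 /* stands in for IF_NAMESIZE */
struct name_entry { char *name; char *intr; };

/* Assumed behaviour, per the report: empty input yields NULL, not "". */
static char *dup_or_null(const char *s)
{
  if (!s || *s == '\0') return NULL;
  char *copy = malloc(strlen(s) + 1);
  if (copy) strcpy(copy, s);
  return copy;
}

/* Parse "name,intr"; 0 on success, -1 if rejected. validate == 0 mimics
   the unpatched parser, which kept an entry whose intr was NULL. */
static int parse_entry(const char *opt, int validate, struct name_entry *out)
{
  const char *comma = strchr(opt, ',');
  out->name = out->intr = NULL;
  if (!comma) return -1;
  size_t n = (size_t)(comma - opt);
  char *name = calloc(n + 1, 1);          /* zero-filled, so already terminated */
  if (!name) return -1;
  memcpy(name, opt, n);
  out->name = name;
  out->intr = dup_or_null(comma + 1);
  if (validate && !out->intr) { free(out->name); out->name = NULL; return -1; }
  return 0;
}

/* Consumer guard: a NULL intr is "no match" and never reaches strncmp(). */
static int label_matches(const char *label, const struct name_entry *e)
{
  return e->intr && strncmp(label, e->intr, NAME_MAX_LEN) == 0;
}

int main(void)
{
  struct name_entry e;
  int rejected = parse_entry(",", 1, &e);  /* parser with the NULL check */
  int accepted = parse_entry(",", 0, &e);  /* parser without it: intr stays NULL */
  printf("%d %d %d\n", rejected, accepted, label_matches("eth0", &e));
  free(e.name);
  return 0;
}
```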