[Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options

Simon Kelley simon at thekelleys.org.uk
Tue Apr 21 21:36:21 UTC 2026


Patch applied.   Good catch.


Cheers,

Simon.

On 21/04/2026 15:08, Toliak Purple wrote:
> Hello.
> I would like to report a segmentation fault that occurs in dnsmasq
> when an empty interface name is provided to the --interface-name or
> --dynamic-host option.
> 
> Version: 2.90 (also verified on the latest commit
> `2d0e0c7a54f73d10d7afa15691c08cf5ec1e4ee2`)
> ```
> Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
> ```
> 
> Reproduction Steps. Both commands cause a segmentation fault:
> ```
> dnsmasq --interface-name=,
> dnsmasq --dynamic-host=,::,
> ```
> 
> Stack Trace (ASAN, v2.90)
> ```
> ==1817==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0203d22845 bp 0x7ffc3316b920 sp 0x7ffc3316b0a0 T0)
> ==1817==The signal is caused by a READ memory access.
> ==1817==Hint: address points to the zero page.
>      #0 0x7f0203d22845 in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:488
>      #1 0x5563361feeb3 in iface_allowed /opt/dnsmasq/src/network.c:361
>      #2 0x556336203aca in iface_allowed_v6 /opt/dnsmasq/src/network.c:622
>      #3 0x55633625cc4c in iface_enumerate /opt/dnsmasq/src/netlink.c:291
>      #4 0x55633620573c in enumerate_interfaces /opt/dnsmasq/src/network.c:836
>      #5 0x55633615c3fe in main /opt/dnsmasq/src/dnsmasq.c:367
> ```
> 
> The fault occurs due to a null-pointer dereference in iface_allowed()
> at line 361:
> ```
> if (strncmp(label, int_name->intr, IF_NAMESIZE) == 0)      //// here int_name->intr is NULL
> ```
> 
> That occurs due to a null-pointer assignment in the option.c at line 4856:
> ```
> new->intr = opt_string_alloc(arg);               //// if arg is empty string, the opt_string_alloc will return NULL
> ```
> 
> Proposed Fix (based on the commit `2d0e0c7a54f73d10d7afa15691c08cf5ec1e4ee2`).
> ```
> diff --git a/src/option.c b/src/option.c
> index 9a2d45d..40414e8 100644
> --- a/src/option.c
> +++ b/src/option.c
> @@ -4960,7 +4960,7 @@ err:
>                arg = NULL; /* provoke error below */
>            }
> 
> -       if (!domain || !arg || !(new->name = canonicalise_opt(domain)))
> +       if (!domain || !arg || !new->intr || !(new->name =
> canonicalise_opt(domain)))
>            ret_err(option == LOPT_DYNHOST ?
>                    _("bad dynamic host") : _("bad interface name"));
> 
> ```
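Review bot: the added `!new->intr` test in the `if` condition is only meaningful if `new->intr` has already been assigned on every path that reaches this line, and the hunk does not show that assignment or the initial state of `new`; it would help to confirm that the entry is zeroed on allocation, and to add a short comment beside the test stating that, per the report, opt_string_alloc() returns NULL for an empty string, so the guard is rejecting an empty interface name and not only an allocation failure. Separately, the `+` line has been wrapped in transit: `canonicalise_opt(domain)))` sits on a line of its own with no `+` prefix, so the patch as quoted will not apply mechanically and is better resent as an attachment or with git send-email.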
> 
> This ensures that if memory allocation for the new entry fails
> (resulting in new->intr == NULL), the option parsing function will
> fail.
> 
> 
> Have a nice day,
>    -- Anatolii
> 
> 
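The failure mode reported above, as an added C sketch that is not dnsmasq code and not part of either message: an allocator that returns NULL for an empty string, a parser that stores the result with and without the guard the patch adds, and a consumer that also refuses a NULL name before calling strncmp(). `struct iname`, `copy()`, `alloc_or_null()`, `parse_iname()` and `label_matches()` are hypothetical names, the consumer-side check goes beyond what the patch changes, and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <net/if.h>                          /* IF_NAMESIZE */
struct iname { char *name; char *intr; };    /* sketch, not dnsmasq's own struct */

static char *copy(const char *s)
{
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  return p ? memcpy(p, s, n) : NULL;
}

/* Hypothetical stand-in with the behaviour the report describes for
   opt_string_alloc(): an empty string yields NULL, not a copy. */
static char *alloc_or_null(const char *s) { return *s ? copy(s) : NULL; }

/* Parse "name,interface" in place. Returns 0 if accepted, -1 if rejected.
   check_intr == 0 models the condition before the patch, 1 the one after. */
int parse_iname(char *arg, struct iname *out, int check_intr)
{
  char *comma = strchr(arg, ',');
  memset(out, 0, sizeof(*out));
  if (!comma)
    return -1;
  *comma = '\0';
  out->intr = alloc_or_null(comma + 1);
  if (check_intr && !out->intr)
    return -1;                               /* the guard the patch adds */
  out->name = copy(arg);                     /* assumption: no canonicalisation */
  return out->name ? 0 : -1;
}

/* Consumer side, defence in depth: never pass a NULL name to strncmp(). */
int label_matches(const char *label, const struct iname *e)
{
  return e->intr && strncmp(label, e->intr, IF_NAMESIZE) == 0;
}

int main(void)
{
  char a[] = ",", b[] = ",";                 /* constructed inputs */
  struct iname e;
  int r = parse_iname(a, &e, 0);
  printf("unguarded: ret=%d intr=%s\n", r, e.intr ? e.intr : "(NULL)");
  printf("guarded:   ret=%d\n", parse_iname(b, &e, 1));
  return 0;
}
```

Without the guard the parser reports success while leaving a NULL interface name in the entry, which is the state the ASAN trace shows being dereferenced later during interface enumeration.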



