[Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq
Simon Kelley
simon at thekelleys.org.uk
Tue May 12 10:03:56 UTC 2026
Dan,
Thanks for this. The fix (and the fix for the second bug you reported)
was released yesterday.
dnsmasq-2.92rel2 or dnsmasq-2.93rc1
Cheers,
Simon.
On 12.05.2026 02:55, Daniel Anderson wrote:
> A malformed DNSSEC RRSIG response can crash DNSSEC-enabled dnsmasq during RSA signature verification.
>
> Code location: src/dnssec.c, validate_rrset() RRSIG parsing; crash reaches src/crypto.c, dnsmasq_rsa_verify().
>
> dnsmasq parses the RRSIG signer name using the full DNS packet length instead of the declared RRSIG RDATA boundary. It then computes:
>
> sig_len = rdlen - (p - psav);
>
> If the RRSIG RDATA contains only the fixed 18-byte prefix and the next packet byte is parseable as a DNS name, p advances beyond the RDATA and sig_len becomes negative. That value is later passed as a size_t into GMP mpz_import().
>
> I reproduced this with a controlled upstream DNS server returning crash. A plus a malformed RRSIG. An ASAN build crashed in __gmpz_import() through dnsmasq_rsa_verify(); a normal non-ASAN build also crashed with Bus error: 10.
>
> Suggested fix: after signer-name parsing, reject if p > psav + rdlen.
>
> I am attaching the POC and the patch. Copy files to a directory on your computer and run using ```./run-live-poc.sh dnssec2```
>
> Note: This POC showcases two bugs and I’ll be filing the next bug in a few minutes. Also, I found this bug while testing the N184 Bug and Vulnerability Scanning Suite (https://github.com/MillaFleurs/N184).
>
> Thank you,
>
> Dan
>
>
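
The length check discussed in the report, as an added example (this is not dnsmasq's code and not the attached patch). The names psav, rdlen and p follow the report; the function names and the SAMPLE bytes are hypothetical and constructed, and the signer name is assumed to be uncompressed. The bounded form stops name parsing at the end of the RDATA, which rejects the same inputs as the suggested "p > psav + rdlen" test.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define RRSIG_FIXED 18 /* fixed RRSIG fields that precede the signer name */

/* Constructed sample: 18 zero bytes, then the name "com", then zero bytes. */
static const unsigned char SAMPLE[32] = { [18] = 3, 'c', 'o', 'm', 0 };

/* Skip an uncompressed name at p without reading at or past limit.
   Returns the byte after the name, or NULL if it does not fit. */
static const unsigned char *skip_name(const unsigned char *p,
                                      const unsigned char *limit)
{
    while (p < limit) {
        size_t len = *p++;
        if (len == 0) return p;               /* root label ends the name */
        if (len > 63 || (size_t)(limit - p) < len) return NULL;
        p += len;
    }
    return NULL;
}

/* Pattern from the report: name parsed against the packet end, then
   rdlen - (p - psav). Negative when the name runs past the RDATA. */
long sig_len_packet_bound(const unsigned char *psav, size_t rdlen,
                          const unsigned char *pkt_end)
{
    const unsigned char *p = skip_name(psav + RRSIG_FIXED, pkt_end);
    return p ? (long)rdlen - (long)(p - psav) : LONG_MIN;
}

/* Bounded form: the name must end inside the RDATA.
   Returns the signature length, or -1 to reject the record. */
long sig_len_rdata_bound(const unsigned char *psav, size_t rdlen)
{
    if (rdlen < RRSIG_FIXED) return -1;
    const unsigned char *p = skip_name(psav + RRSIG_FIXED, psav + rdlen);
    return p ? (long)(psav + rdlen - p) : -1;
}

int main(void)
{
    const unsigned char *end = SAMPLE + sizeof SAMPLE;
    printf("rdlen=27: %ld / %ld\n", sig_len_packet_bound(SAMPLE, 27, end), sig_len_rdata_bound(SAMPLE, 27));
    printf("rdlen=18: %ld / %ld\n", sig_len_packet_bound(SAMPLE, 18, end), sig_len_rdata_bound(SAMPLE, 18));
    return 0;
}
```

With rdlen=18 the packet-bound form yields a negative length, which becomes a very large value once converted to size_t; the RDATA-bound form rejects the record before any length reaches the verifier.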