Hey Erik,
sorry for the late reply.. I wanted to err on the side of caution this
time. We have been testing with your patch applied on top of latest
master for almost four days now and - so far - no new use-after-free
events occurred. Before, it happened at least once a day. Seems I have
misinterpreted when SIGALRM is used so I thought your patch wouldn't be
effective in our case. Sorry for this and thanks for challenging my
earlier statement.
Best,
Dominik
On 06.05.24 11:39, Erik Karlsson wrote:
Hi Dominik,
Are you sure the patch I sent does not solve this? I think it should
or are there more places where a lease_update_dns(0) is missing?
Alternatively, can there be dangling pointers left even
after lease_update_dns has been run?
Best regards,
Erik
Den mån 6 maj 2024 07:14Dominik Derigs via Dnsmasq-discuss
<dnsmasq-discuss@lists.thekelleys.org.uk> skrev:
Hey Simon,
we found a bug resulting in a use-after-free returning garbage
data and possibly crash when using DHCP + stale cache data.
The bug is triggered when using DHCP and a lease expires. It's
name is then free'd in kill_name() + do_script_run(). When the PTR
record is queried thereafter and use-stale-cache is enabled,
dnsmasq accesses this dangling pointer and returns random data -
often a string containing a few control characters, once dnsmasq
even SEGFAULTed.
Related dnsmasq.log:
|May 5 19:00:00 dnsmasq[4395]: query[PTR]
141.2.168.192.in-addr.arpa from 127.0.0.1 May 5 19:00:00
dnsmasq[4395]: DHCP 192.168.2.141 is **<name unprintable>** May 5
19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to
1.0.0.1|
The final immediate "forwarded" line comes from dnsmasq itself and
confirms that this was triggered by use-stale-cache.
Best,
Dominik
P.S.: The patch recently sent by Erik Karlsson doesn't fix this,
it touches other code.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss