Hey Simon,

the attached patch fixes a double free() corruption leading to a crash during startup of dnsmasq. The crash can be reproduced by using a rev-server address with a prefix length != {8,16,24,32}, e.g.

rev-server=192.168.0.0/25,home.mydomain.com

The crash is caused by freeing too early (within the loop). The crash does not happen for prefix lengths {8,16,24,32} as the loop runs only once. However, for other prefixes, the loop runs more often (e.g. 128x for /25 networks as above).

Best,
Dominik
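The report above describes the trigger (a prefix that is not octet-aligned makes the loop run many times) and the fix (one free after the loop, not one per iteration). The following is an added example, not dnsmasq's code: it expands an IPv4 rev-server prefix into its in-addr.arpa domains and models the corrected lifetime of the resolved upstream. It assumes, as its own reading of the message, that non-aligned prefixes are expanded into one domain per block at the next octet boundary (so /25 gives 2^(32-25) = 128 per-address entries and /24 gives one). The names rev4_domain_count, rev4_domain, add_rev4_servers and struct server_details are this example's, and the malloc'd string stands in for a getaddrinfo() result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REV4_DOMAINS 256
#define REV4_DOMAIN_LEN 32          /* "255.255.255.255.in-addr.arpa" + NUL fits */

char rev4_domains[MAX_REV4_DOMAINS][REV4_DOMAIN_LEN];

/* Octet boundary at or above prefixlen: 24 -> 24, 25 -> 32, 20 -> 24. */
static int rev4_boundary(int prefixlen)
{
    return ((prefixlen + 7) / 8) * 8;
}

/* How many in-addr.arpa domains a rev-server prefix expands to.
 * Octet-aligned prefixes need one; anything else is assumed (this
 * example's reading of the report) to be split into one domain per
 * block at the next octet boundary, so /25 -> 2^(32-25) = 128. */
int rev4_domain_count(int prefixlen)
{
    if (prefixlen < 1 || prefixlen > 32)
        return -1;
    return 1 << (rev4_boundary(prefixlen) - prefixlen);
}

/* Write the n-th reverse domain for addr/prefixlen (addr in host order)
 * into out. Labels run least significant octet first. Returns 0 or -1. */
int rev4_domain(uint32_t addr, int prefixlen, int n, char *out, size_t outlen)
{
    int count = rev4_domain_count(prefixlen);
    if (count < 0 || n < 0 || n >= count)
        return -1;
    int boundary = rev4_boundary(prefixlen);
    uint32_t base = addr & (0xffffffffu << (32 - prefixlen));  /* prefixlen >= 1 here */
    uint32_t block = base + ((uint32_t)n << (32 - boundary));
    size_t off = 0;
    for (int i = boundary / 8 - 1; i >= 0; i--) {
        unsigned octet = (unsigned)((block >> (8 * (3 - i))) & 0xffu);
        int w = snprintf(out + off, outlen - off, "%u.", octet);
        if (w < 0 || (size_t)w >= outlen - off)
            return -1;
        off += (size_t)w;
    }
    int w = snprintf(out + off, outlen - off, "in-addr.arpa");
    return (w < 0 || (size_t)w >= outlen - off) ? -1 : 0;
}

/* Stand-in for the per-server state whose addrinfo the patch frees
 * after the loop instead of inside it. */
struct server_details {
    char *orig_hostinfo;   /* would be the getaddrinfo() result for the upstream */
};

/* Models the corrected control flow: resolve the upstream once, register
 * one reverse domain per iteration, release the resolution exactly once
 * after the loop. Fills domains[0..count-1] and returns count, or -1 on a
 * parse error or if the prefix needs more than max entries. */
int add_rev4_servers(const char *cidr, char (*domains)[REV4_DOMAIN_LEN], int max)
{
    unsigned o[4];
    int prefixlen;
    if (sscanf(cidr, "%u.%u.%u.%u/%d", &o[0], &o[1], &o[2], &o[3], &prefixlen) != 5)
        return -1;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return -1;
    uint32_t addr = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    int count = rev4_domain_count(prefixlen);
    if (count < 0 || count > max)
        return -1;

    struct server_details sdetails;
    sdetails.orig_hostinfo = malloc(16);           /* stands in for getaddrinfo() */
    if (!sdetails.orig_hostinfo)
        return -1;
    strcpy(sdetails.orig_hostinfo, "upstream");

    for (int n = 0; n < count; n++) {
        if (rev4_domain(addr, prefixlen, n, domains[n], REV4_DOMAIN_LEN) < 0) {
            free(sdetails.orig_hostinfo);          /* error path must not leak either */
            return -1;
        }
        /* The pre-patch code freed sdetails.orig_hostinfo here; with
         * count > 1 the second iteration then freed it a second time. */
    }

    /* Exactly one release, after the last use. */
    free(sdetails.orig_hostinfo);
    sdetails.orig_hostinfo = NULL;
    return count;
}

int main(void)
{
    int count = add_rev4_servers("192.168.0.0/25", rev4_domains, MAX_REV4_DOMAINS);
    if (count > 0)
        printf("%d domains, first %s, last %s\n", count,
               rev4_domains[0], rev4_domains[count - 1]);
    return 0;
}
```

Running it for 192.168.0.0/25 yields 128 domains from 0.0.168.192.in-addr.arpa to 127.0.168.192.in-addr.arpa, which is the iteration count the report gives; 192.168.0.0/24 yields the single 0.168.192.in-addr.arpa, where the old per-iteration free happened to be harmless.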
From bf4c149f814ce2826f7db487a44d3eef7209ba14 Mon Sep 17 00:00:00 2001
From: DL6ER <dl...@dl6er.de>
Date: Mon, 17 Jun 2024 17:36:43 +0200
Subject: [PATCH] Fix crash caused by double free() corruption encountered with
 rev-server addresses with prefix lengths != {8,16,24,32}

Signed-off-by: DL6ER <dl...@dl6er.de>
---
 src/option.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/option.c b/src/option.c
index f4ff7c0..8fc2950 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1188,11 +1188,11 @@ static char *domain_rev4(int from_file, char *server, struct in_addr *addr4, int
 	      if (!add_update_server(flags, &serv_addr, &source_addr, interface, domain, NULL))
 		return  _("error");
 	    }
-
-	  if (sdetails.orig_hostinfo)
-	    freeaddrinfo(sdetails.orig_hostinfo);
 	}
     }
+
+    if (sdetails.orig_hostinfo)
+      freeaddrinfo(sdetails.orig_hostinfo);
   
   return NULL;
 }
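Review bot: the early `return _("error");` after the failed add_update_server() call still skips the freeaddrinfo() that this hunk moves to the end of the function, so sdetails.orig_hostinfo leaks on that path (it already did before the patch, since the old free also came after the return); release it before returning, e.g. `if (sdetails.orig_hostinfo) freeaddrinfo(sdetails.orig_hostinfo);` ahead of `return _("error");`. The hunk also does not show where orig_hostinfo is assigned: a single free after the loop is only correct if it is populated once before the loop rather than per iteration, which the commit message should state. Finally, the added lines are indented four spaces while the function-body statement `return NULL;` beside them uses two; dedent them to match.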
@@ -1276,11 +1276,11 @@ static char *domain_rev6(int from_file, char *server, struct in6_addr *addr6, in
 	      if (!add_update_server(flags, &serv_addr, &source_addr, interface, domain, NULL))
 		return  _("error");
 	    }
-
-	  if (sdetails.orig_hostinfo)
-	    freeaddrinfo(sdetails.orig_hostinfo);
 	}
     }
+
+    if (sdetails.orig_hostinfo)
+      freeaddrinfo(sdetails.orig_hostinfo);
   
   return NULL;
 }
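Review bot: same two issues as in domain_rev4(): the `return _("error");` path skips the relocated freeaddrinfo() and leaks sdetails.orig_hostinfo, and the new lines sit at the four-space brace level rather than the two-space statement level of `return NULL;`. Since this hunk is identical to the IPv4 one, consider a shared helper for the free, or at least note in the commit message that both functions had the same per-iteration free.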
-- 
2.34.1

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
