Patch accepted, with one change

>         snprintf(daemon->namebuff+oldlen, sizeof(daemon->namebuff)-oldlen, 
> "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x/",

daemon->namebuff is a char *, so sizeof(daemon->namebuff) is 4 or 8 and
sizeof(daemon->namebuff)-oldlen is a negative number which is a large
positive number when promoted  to unsigned size_t. There's thus
effectively no protection here against buffer overflow.

In such ways are security CVEs seeded :)

A changed sizeof(daemon->namebuff) to (MAXDNAME-1) which is the
buffer-size limit used elsewhere in this code.



Dnsmasq-discuss mailing list

Reply via email to