Hello, opening the attached sample config input file with dnsmasq results in a crash (SIGSEGV). The input file is fuzzed with American Fuzzy Lop http://lcamtuf.coredump.cx/afl/.
version: commit b2a9c571ebb333acbaa6bd752142df6821cb410c

how to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
312         c1 = (unsigned char) *a++;
(gdb) bt
#0  hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
#1  0x0000000000441a45 in one_opt (option=<optimized out>, arg=0x84f01f "be# If you w0", errstr=<optimized out>, gen_err=<optimized out>, command_line=<optimized out>, servers_only=<optimized out>) at option.c:3853
#2  0x0000000000422e7c in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4304
#3  0x000000000042159a in one_file (file=0x84feb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#4  0x0000000000424c3d in read_opts (argc=4, argv=0x7ffcedcbca18, compile_opts=<optimized out>) at option.c:4733
#5  0x0000000000457557 in main (argc=0, argv=0x84f01f) at dnsmasq.c:89

valgrind:

==4077== Memcheck, a memory error detector
==4077== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4077== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==4077== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==4077==
==4077== Invalid read of size 1
==4077==    at 0x41EA1C: hostname_isequal (util.c:312)
==4077==    by 0x441A44: one_opt (option.c:3853)
==4077==    by 0x422E7B: read_file (option.c:4304)
==4077==    by 0x421599: one_file (option.c:4396)
==4077==    by 0x424C3C: read_opts (option.c:4733)
==4077==    by 0x457556: main (dnsmasq.c:89)
==4077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4077==
==4077==
==4077== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4077==  Access not within mapped region at address 0x0
==4077==    at 0x41EA1C: hostname_isequal (util.c:312)
==4077==    by 0x441A44: one_opt (option.c:3853)
==4077==    by 0x422E7B: read_file (option.c:4304)
==4077==    by 0x421599: one_file (option.c:4396)
==4077==    by 0x424C3C: read_opts (option.c:4733)
==4077==    by 0x457556: main (dnsmasq.c:89)
==4077==  If you believe this happened as a result of a stack
==4077==  overflow in your program's main thread (unlikely but
==4077==  possible), you can try to increase the size of the
==4077==  main thread stack using the --main-stacksize= flag.
==4077==  The main thread stack size used in this run was 8388608.
==4077==
==4077== HEAP SUMMARY:
==4077==     in use at exit: 3,973 bytes in 32 blocks
==4077==   total heap usage: 33 allocs, 1 frees, 8,069 bytes allocated
==4077==
==4077== LEAK SUMMARY:
==4077==    definitely lost: 0 bytes in 0 blocks
==4077==    indirectly lost: 0 bytes in 0 blocks
==4077==      possibly lost: 0 bytes in 0 blocks
==4077==    still reachable: 3,973 bytes in 32 blocks
==4077==         suppressed: 0 bytes in 0 blocks
==4077== Rerun with --leak-check=full to see details of leaked memory
==4077==
==4077== For counts of detected and suppressed errors, rerun with: -v
==4077== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
4077 segmentation fault  valgrind ./src/dnsmasq --test -C /tmp/dnsmasq_crash

Regards,
Stephan

--
Stephan Zeisberg
Security Researcher
splone UG (haftungsbeschränkt)
https://splone.com
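The backtrace shows one_opt() handing a NULL first argument to hostname_isequal(), which reads it unconditionally at util.c:312. The following is an added illustration, not dnsmasq's code: a hypothetical reconstruction of a hostname_isequal()-style comparison built around the one quoted line, a NULL-guarded variant, and a constructed option-value splitter (the comma-separated "<name>,<hostname>" format is an assumption made for the example) showing how a fuzzed line with a missing field turns into the a=0x0 call seen in the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction in the style of dnsmasq's hostname_isequal():
 * a case-insensitive compare that dereferences both arguments without
 * checking them. With a == NULL the very first read (the equivalent of
 * util.c:312 in the report) touches address 0 and faults. */
static int hostname_isequal_unchecked(const char *a, const char *b)
{
    unsigned char c1, c2;
    do {
        c1 = (unsigned char)*a++;
        c2 = (unsigned char)*b++;
        if (tolower(c1) != tolower(c2))
            return 0;
    } while (c1);
    return 1;
}

/* Hardened variant: a missing operand is "not equal", never a read of 0x0. */
static int hostname_isequal_safe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return hostname_isequal_unchecked(a, b);
}

/* Constructed stand-in for the option-parsing step (assumed format
 * "<name>,<hostname>"). When the fuzzed value has no comma, strchr()
 * yields NULL, which is exactly the argument class that reached
 * hostname_isequal() via one_opt() in the backtrace.
 * Returns 1 on match, 0 on mismatch, -1 on a malformed value. */
int match_option_host(const char *arg, const char *wanted)
{
    const char *host = strchr(arg, ',');
    if (host != NULL)
        host++;                         /* skip the delimiter */
    if (host == NULL)
        return -1;                      /* reject instead of crashing */
    return hostname_isequal_safe(host, wanted) ? 1 : 0;
}
```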