seems like something weird is going on in helper.c... see the gdb output...

since transfer->file->filename can never be zero (as long as transfer->file
plus 20 bytes or so is not zero), it seems like someone is writing zeroes to the
stack after the correct transfer->file->filename has been written and before
strlen() is called (or do they use a register at -O2? nope: pushl  0x40(%esp) //
call   3700 <strlen@plt>)...
maybe someone who knows more about transfer->file can see what is wrong here...
gdb output:

dnsmasq-dhcp: 3182551826 sent size:  4 option: 28 broadcast
dnsmasq-dhcp: 3182551826 sent size: 12 option:209 70:78:65:2f:67:72:75:62:2e:63:66:67
dnsmasq-dhcp: 3182551826 sent size:  4 option:  3 router
error 8 User aborted the transfer received from
failed sending /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to
sent /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to

Program received signal SIGSEGV, Segmentation fault.
0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/
(gdb) where
#0  0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
#3  0x80006875 in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:955
(gdb) frame 1
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
819	  filename_len = strlen(filename) + 1;
(gdb) list
814
815	  /* no script */
816	  if (daemon->helperfd == -1)
817	    return;
818
819	  filename_len = strlen(filename) + 1;
820	  buff_alloc(sizeof(struct script_data) + filename_len);
821	  memset(buf, 0, sizeof(struct script_data));
822
823	  buf->action = ACTION_TFTP;
(gdb) print filename
$1 = 0x0
(gdb) frame 2
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
811	      queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
(gdb) list
806
807	  if ((transfer = daemon->tftp_done_trans))
808	    {
809	      daemon->tftp_done_trans = transfer->next;
810	#ifdef HAVE_SCRIPT
811	      queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
812	#endif
813	      free_transfer(transfer);
814	      return 1;
815	    }
(gdb) print *transfer->file
$2 = {refcount = 1, fd = 15, size = 203776, dev = 20, inode = 5570, filename = 0x8005bf68 "/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi"}
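Reading the two frames side by side: frame 2 shows transfer->file->filename == 0x8005bf68, while frame 1 shows filename=0x0 and peer=0x8005bf68, i.e. the callee's arguments look shifted by one 32-bit word. The following is an added example (not dnsmasq code and not from the poster) that models one hypothesis consistent with that, on an i386 cdecl stack: tftp.c pushing transfer->file->size as a 64-bit off_t while helper.c's queue_tftp() was built expecting a 32-bit one. The size and filename address are the backtrace's values; the peer address is constructed.

```c
#include <stdint.h>

/* Added example, not dnsmasq code: models an i386 cdecl call where every
   argument is pushed as a 32-bit word, and decodes it as a callee that
   either agrees with the caller about sizeof(off_t) or does not. */

struct callee_view {
    uint64_t file_len;   /* what queue_tftp() sees as file_len */
    uint32_t filename;   /* what it sees as filename (32-bit pointer) */
    uint32_t peer;       /* what it sees as peer */
};

/* Lay out the argument words as a 64-bit-off_t caller pushes them, then
   read them back with the callee's idea of the prototype. */
struct callee_view decode_call(uint64_t size, uint32_t filename_ptr,
                               uint32_t peer_ptr, int callee_64bit_off_t)
{
    uint32_t words[4];
    words[0] = (uint32_t)(size & 0xffffffffu);  /* low half of off_t  */
    words[1] = (uint32_t)(size >> 32);          /* high half of off_t */
    words[2] = filename_ptr;
    words[3] = peer_ptr;

    struct callee_view v;
    if (callee_64bit_off_t) {
        v.file_len = ((uint64_t)words[1] << 32) | words[0];
        v.filename = words[2];
        v.peer = words[3];
    } else {
        /* 32-bit off_t: the high half of size (0 for a 200 KB file) lands
           in `filename`, and the real filename pointer slides into `peer`. */
        v.file_len = words[0];
        v.filename = words[1];
        v.peer = words[2];
    }
    return v;
}

/* Does a decoded call reproduce frame 1 of the backtrace
   (file_len=203776, filename=0x0, peer=0x8005bf68)? */
int matches_frame1(struct callee_view v)
{
    return v.file_len == 203776u && v.filename == 0x0u && v.peer == 0x8005bf68u;
}
```

Calling decode_call(203776, 0x8005bf68, <any peer address>, 0) reproduces frame 1 exactly, whereas the matched-ABI decode (last argument 1) hands queue_tftp() the correct filename; checking that both objects were built with the same _FILE_OFFSET_BITS setting is the practical follow-up.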

Dnsmasq-discuss mailing list