Thanks for replying, Simon. I won't be able to test until the weekend.

Graham

On 16/7/19 7:06 am, Simon Kelley wrote:
Ugh, that's nasty. Thanks for the good bug report.

Is this reproducible? A domain which when validated always prompts a
crash would be very useful.

From the information we have, the obvious problem is rrsetidx=27430912
which makes no sense, and will surely crash a buffer. That value is
generated in explore_rrset() which should return either 1, and a valid
value for the number of RRsets, or zero if there's an error.

In fact there are a couple of cases where the code detects a malformed
packet, and returns STAT_BOGUS (which is not zero) thus allowing the
calling code to continue with an undefined value for the number of
RRsets. So, certain kinds of malformed packets may cause this crash.

This looks like an incomplete refactoring: that code used to return a
STAT_* return code, but the explore_rrset stuff got pulled out and
returns true/false, and a couple of code paths got missed.


Does

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05299fdd5a3b6ace43224c7d27d06a57b175639f

seem to fix things? That would be a nice, easy fix if so.


Cheers,

Simon.


On 14/07/2019 02:21, Graham Menhennitt wrote:
Hello dnsmasqers,

I'm running dnsmasq 2.80 on FreeBSD 12-stable. It works perfectly when I
have DNSSEC disabled. But when I enable it, I get crashes every hour or
so. I haven't worked out what's happening exactly, but it looks like
it's accessing past the end of a buffer. Running in lldb gives the
following info:

Process 19920 stopped
* thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
address (fault address: 0x8)
      frame #0: 0x0000000000274802
dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
     301            end1 = p1 + rdlen1;
     302
     303            p2 += 8; /* skip class, type, ttl */
-> 304            GETSHORT(rdlen2, p2);
     305            end2 = p2 + rdlen2;
     306
     307            dp1 = dp2 = rr_desc;
(lldb) bt
* thread #1, name = 'dnsmasq', stop reason = signal SIGSEGV: invalid
address (fault address: 0x8)
    * frame #0: 0x0000000000274802
dnsmasq`sort_rrset(header=0x0000000801a29000, plen=512,
rr_desc=0x000000000027f474, rrsetidx=27430912, rrset=0x00000008013f87d0,
buff1="mozilla.org", buff2="mozilla.org") at dnssec.c:304
      frame #1: 0x00000000002714c1 dnsmasq`validate_rrset(now=1562977226,
header=0x0000000801a29000, plen=512, class=1, type=5, sigidx=8,
rrsetidx=27430912, name="incoming.telemetry.mozilla.org",
keyname="mozilla.org", wildcard_out=0x00007fffffffe388,
key=0x0000000000000000, keylen=0, algo_in=0, keytag_in=0) at dnssec.c:506
      frame #2: 0x0000000000273479
dnsmasq`dnssec_validate_reply(now=1562977226, header=0x0000000801a29000,
plen=512, name="incoming.telemetry.mozilla.org", keyname="mozilla.org",
class=0x0000000801a1f248, check_unsigned=1,
neganswer=0x0000000000000000, nons=0x0000000000000000) at dnssec.c:1920
      frame #3: 0x000000000023306f dnsmasq`reply_query(fd=15, family=2,
now=1562977226) at forward.c:1029
      frame #4: 0x000000000024211c
dnsmasq`check_dns_listeners(now=1562977226) at dnsmasq.c:1644
      frame #5: 0x0000000000240bab dnsmasq`main(argc=6,
argv=0x00007fffffffe9f8) at dnsmasq.c:1104
      frame #6: 0x000000000021311b dnsmasq`_start(ap=<unavailable>,
cleanup=<unavailable>) at crt1.c:76

My dnsmasq.conf is below.

Does anybody have any clues, please?

Thanks,
      Graham

conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf

server=8.8.8.8
server=8.8.4.4

# use DNSSEC
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

dnssec-check-unsigned

# filter what we send upstream
domain-needed
bogus-priv
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
domain=menhennitt.com.au
expand-hosts
no-negcache

# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=re0,203.3.73.51,203.3.73.90,255.255.255.0,12h
# default route(s)
dhcp-option=3,203.3.73.1

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers





_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
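
The failure mode Simon describes above (a function whose contract is 1 for success and 0 for error, but which still returns a non-zero status code on one malformed-packet path and so leaves the caller's count unset), as an added example that is not part of the thread and is not dnsmasq's code. The toy packet format, the function names, and the values of STAT_BOGUS_DEMO and POISON are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define STAT_BOGUS_DEMO 0x30000 /* constructed non-zero status, not dnsmasq's definition */
#define POISON 27430912         /* stand-in for stack garbage (figure from the backtrace) */

typedef int (*explore_fn)(const unsigned char *, size_t, int *);

/* Constructed toy packets: byte 0 claims a record count, one byte per record follows. */
static const unsigned char good_pkt[] = { 2, 0x11, 0x22 };
static const unsigned char bad_pkt[]  = { 5, 0x11 }; /* claims 5 records, carries 1 */

/* Before: contract is 1 = ok, 0 = error, but one path still returns a status code. */
static int explore_before(const unsigned char *p, size_t len, int *count)
{
  if (len < 1)
    return 0;
  if ((size_t)p[0] > len - 1)
    return STAT_BOGUS_DEMO; /* missed path: non-zero, and *count is never written */
  *count = p[0];
  return 1;
}

/* After: every malformed-packet path returns 0. */
static int explore_after(const unsigned char *p, size_t len, int *count)
{
  if (len < 1 || (size_t)p[0] > len - 1)
    return 0;
  *count = p[0];
  return 1;
}

/* Caller that treats any non-zero return as success; -1 means "rejected". */
static int count_caller_uses(explore_fn explore, const unsigned char *p, size_t len)
{
  int count = POISON; /* initialised only so the demo is deterministic */
  if (!explore(p, len, &count))
    return -1;
  return count; /* in the report, a value like this reached sort_rrset() as rrsetidx */
}

int main(void)
{
  printf("before, malformed: %d\n", count_caller_uses(explore_before, bad_pkt, sizeof bad_pkt));
  printf("after,  malformed: %d\n", count_caller_uses(explore_after, bad_pkt, sizeof bad_pkt));
  printf("after,  valid:     %d\n", count_caller_uses(explore_after, good_pkt, sizeof good_pkt));
  return 0;
}
```

In real code the caller's count would be an uninitialised local, so the value carried forward is whatever happened to be on the stack; POISON only makes that visible and repeatable.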