This patch fixes a buffer overflow in TCP requests. Since the read is not 
actually being retried, the byte written by the child can be left in the pipe. 
When that happens, cache_recv_insert() reads the length of the name, which is 
now multiplied by 256 due to the extra 0 byte (8 bit shift) and results in 
daemon->namebuff being overflowed. Namebuff is immediately before the daemon 
struct in memory so it ends up corrupting the beginning of the daemon struct.

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 6481de8..457dea3 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1887,7 +1887,7 @@ static void check_dns_listeners(time_t now)
                           single byte comes back up the pipe, which
                           is sent by the child after it has closed the
                           netlink socket. */
-                       retry_send(read(pipefd[0], &a, 1));
+                       while (retry_send(read(pipefd[0], &a, 1)));
@@ -1928,7 +1928,7 @@ static void check_dns_listeners(time_t now)
                  /* See comment above re netlink socket. */
-                 retry_send(write(pipefd[1], &a, 1));
+                 while (retry_send(write(pipefd[1], &a, 1)));


Dnsmasq-discuss mailing list

Reply via email to