Hey Simon,
we found a bug resulting in a use-after-free returning garbage data and
possibly a crash when using DHCP + stale cache data.
The bug is triggered when using DHCP and a lease expires. Its name is
then freed in kill_name() + do_script_run(). When the PTR record is
queried thereafter and use-stale-cache is enabled, dnsmasq accesses this
dangling pointer and returns random data - often a string containing a
few control characters; once dnsmasq even SEGFAULTed.
Related dnsmasq.log:

May 5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May 5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is <name unprintable>
May 5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1
The final immediate "forwarded" line comes from dnsmasq itself and
confirms that this was triggered by use-stale-cache.
Best,
Dominik
P.S.: The patch recently sent by Erik Karlsson doesn't fix this, it
touches other code.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
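The lifetime bug described in the report, reduced to a stand-alone model: a reverse-lookup cache entry that borrows the lease's hostname buffer dangles as soon as lease expiry frees that buffer, and a serve-stale path would then read freed memory. This is an added illustration, not dnsmasq's code or data structures; the struct and function names (lease_expire, cache_alias, cache_owned and so on) are invented for the example. It shows the aliasing entry beside two ways of closing the hole: telling the cache before the buffer is freed, or giving the cache its own copy so stale answers remain valid after the lease is gone.

```c
/* Added example, not dnsmasq code. Names and structures here are made up
 * to model the dangling-pointer pattern described in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lease {
    char *name;        /* heap-allocated hostname, freed when the lease dies */
    unsigned expires;  /* lease end, in seconds since the start of the example */
};

/* Borrowing entry: stores the lease's own buffer. Once the lease frees it,
 * this pointer dangles and a stale-cache answer would read freed memory. */
struct cache_alias {
    const char *name;
    unsigned ttl_end;
};

/* Owning entry: keeps a private copy, so the lease lifetime cannot affect it. */
struct cache_owned {
    char *name;
    unsigned ttl_end;
};

/* Portable strdup replacement so the example needs no feature macros. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

struct lease *lease_new(const char *name, unsigned expires)
{
    struct lease *l = malloc(sizeof *l);
    if (!l) return NULL;
    l->name = dup_string(name);
    l->expires = expires;
    if (!l->name) { free(l); return NULL; }
    return l;
}

/* Models the hostname being freed on expiry (the kill_name() step in the
 * report). Nothing tells the cache that the buffer is gone. */
void lease_expire(struct lease *l)
{
    free(l->name);
    l->name = NULL;
}

void cache_alias_set(struct cache_alias *e, const struct lease *l)
{
    e->name = l->name;           /* aliasing: the root of the problem */
    e->ttl_end = l->expires;
}

/* True while the entry points into the lease's buffer: after lease_expire()
 * a stale-cache answer would dereference exactly this pointer. */
int cache_alias_shares_buffer(const struct cache_alias *e, const struct lease *l)
{
    return l->name != NULL && e->name == l->name;
}

/* Fix 1: invalidate the borrowing entry before the buffer is freed. The
 * stale-cache path then answers "no data" instead of garbage. */
void lease_expire_and_invalidate(struct lease *l, struct cache_alias *e)
{
    if (e->name == l->name) e->name = NULL;
    lease_expire(l);
}

const char *cache_alias_answer(const struct cache_alias *e)
{
    return e->name;              /* NULL once invalidated */
}

/* Fix 2: the entry owns a copy, so serving it stale stays memory-safe. */
int cache_owned_set(struct cache_owned *e, const struct lease *l)
{
    char *copy = dup_string(l->name);
    if (!copy) return -1;
    free(e->name);
    e->name = copy;
    e->ttl_end = l->expires;
    return 0;
}

/* Answer a PTR lookup. Past ttl_end the record is returned only when
 * serve_stale is set (use-stale-cache); *stale reports which case applied. */
const char *cache_owned_answer(const struct cache_owned *e, unsigned now,
                               int serve_stale, int *stale)
{
    *stale = now >= e->ttl_end;
    if (*stale && !serve_stale) return NULL;
    return e->name;
}

void cache_owned_clear(struct cache_owned *e)
{
    free(e->name);
    e->name = NULL;
}

int main(void)
{
    struct lease *l = lease_new("host-141", 100);   /* constructed sample lease */
    struct cache_owned o = {0};
    int stale = 0;
    if (!l || cache_owned_set(&o, l) != 0) return 1;
    lease_expire(l);                                /* lease name is gone ... */
    free(l);
    printf("stale answer: %s\n", cache_owned_answer(&o, 150, 1, &stale)); /* ... copy survives */
    cache_owned_clear(&o);
    return 0;
}
```

The borrowing variant is kept only to make the aliasing visible with cache_alias_shares_buffer; the example never dereferences the pointer after the free, since that is undefined behaviour and is exactly what produced the unprintable name in the log above.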