Hello,

Opening the attached sample config input file with dnsmasq results in a crash (SIGSEGV). The input file was fuzzed with American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/).

version: commit b2a9c571ebb333acbaa6bd752142df6821cb410c

how to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
#1  0x00007f283acd922b in __GI__IO_setb () from /usr/lib/libc.so.6
#2  0x00007f283acd785e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
#3  0x00007f283accadef in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#4  0x0000000000423003 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4315
#5  0x000000000042159a in one_file (file=0x1355eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#6  0x0000000000424c3d in read_opts (argc=4, argv=0x7ffc2f1a2708, compile_opts=<optimized out>) at option.c:4733
#7  0x0000000000457557 in main (argc=989862624, argv=0x0) at dnsmasq.c:89

valgrind:

==23713== Memcheck, a memory error detector
==23713== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23713== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==23713== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==23713==
==23713== Invalid write of size 1
==23713==    at 0x41F5EB: parse_hex (util.c:504)
==23713==    by 0x43AA07: one_opt (option.c:3495)
==23713==    by 0x422E7B: read_file (option.c:4304)
==23713==    by 0x421599: one_file (option.c:4396)
==23713==    by 0x424C3C: read_opts (option.c:4733)
==23713==    by 0x457556: main (dnsmasq.c:89)
==23713==  Address 0x51dd758 is 0 bytes after a block of size 56 alloc'd
==23713==    at 0x4C2CF35: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23713==    by 0x41E647: safe_malloc (util.c:247)
==23713==    by 0x43A8C6: opt_malloc (option.c:557)
==23713==    by 0x43A8C6: one_opt (option.c:3492)
==23713==    by 0x422E7B: read_file (option.c:4304)
==23713==    by 0x421599: one_file (option.c:4396)
==23713==    by 0x424C3C: read_opts (option.c:4733)
==23713==    by 0x457556: main (dnsmasq.c:89)
==23713==
dnsmasq: syntax check OK.
==23713==
==23713== HEAP SUMMARY:
==23713==     in use at exit: 3,763 bytes in 28 blocks
==23713==   total heap usage: 31 allocs, 3 frees, 8,430 bytes allocated
==23713==
==23713== LEAK SUMMARY:
==23713==    definitely lost: 367 bytes in 1 blocks
==23713==    indirectly lost: 0 bytes in 0 blocks
==23713==      possibly lost: 0 bytes in 0 blocks
==23713==    still reachable: 3,396 bytes in 27 blocks
==23713==         suppressed: 0 bytes in 0 blocks
==23713== Rerun with --leak-check=full to see details of leaked memory
==23713==
==23713== For counts of detected and suppressed errors, rerun with: -v
==23713== ERROR SUMMARY: 9 errors from 1 contexts (suppressed: 0 from 0)

Regards,
Stephan

-- 
Stephan Zeisberg
Security Researcher
splone UG (haftungsbeschränkt)
https://splone.com
Attachment: dnsmasq_crash (binary data)
Dnsmasq-discuss mailing list: Dnsmasq-discuss@lists.thekelleys.org.uk, http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
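The Valgrind trace above reports a one-byte write just past a 56-byte heap block while a hex value from the config is being decoded. As an added illustration that is not dnsmasq's code and makes no claim about the actual cause in util.c, the following decoder takes the destination capacity explicitly and fails the parse instead of writing past the buffer; the 56-byte buffer, the `try_parse`/`try_overlong` helpers and the sample inputs are constructed to mirror the report.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_digit(int c)
{
    c = tolower(c);
    if (c >= '0' && c <= '9') return c - '0';
    return (c >= 'a' && c <= 'f') ? 10 + (c - 'a') : -1;
}

/* Decode hex pairs (':' separators allowed) from `in` into `out`, never
 * writing more than `outlen` bytes. Returns the byte count, or -1 when the
 * input is malformed or would not fit. The `n >= outlen` check is what turns
 * an oversized config value into a parse error rather than a heap overflow.
 * (Illustrative code, not dnsmasq's parse_hex.) */
int parse_hex_bounded(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        if (*in == ':') { in++; continue; }
        int hi = hex_digit((unsigned char)in[0]);
        int lo = in[1] ? hex_digit((unsigned char)in[1]) : -1;
        if (hi < 0 || lo < 0) return -1;   /* odd length or bad digit */
        if (n >= outlen) return -1;        /* destination full: refuse */
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return (int)n;
}

/* Run the decoder against a 56-byte buffer, the block size in the report. */
int try_parse(const char *in)
{
    unsigned char buf[56];
    return parse_hex_bounded(in, buf, sizeof buf);
}

/* Constructed worst case: 57 hex pairs, one byte more than the buffer holds. */
int try_overlong(void)
{
    char big[2 * 57 + 1];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return try_parse(big);
}

int main(void)
{
    printf("ok=%d overlong=%d\n", try_parse("de:ad:be:ef"), try_overlong());
    return 0;
}
```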