Re: [Dnsmasq-discuss] Segmentation fault when providing invalid --dhcp-match command line option

2019-12-12 Thread Simon Kelley
On 03/12/2019 22:52, Klaus Eisentraut wrote:
> Hi,
> 
> I recently did some fuzzing with afl-fuzz in the config file parsing
> part of dnsmasq. I know it is not very useful, but it was very easy to
> start with.
> 
> Anyway, I found a (non-exploitable) crash in dnsmasq which can be
> triggered by providing an invalid configuration file or an invalid
> command line option. In order to reproduce it, just run
> 
>   dnsmasq --dhcp-match=a,120,
> 
> The bug is in line 1473 of option.c where the statement "m[0] = 0" is
> executed while m is set to NULL.
> 
>> (gdb) run --dhcp-match=a,120,
>> Starting program: dnsmasq --dhcp-match=a,120,
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x5556aaf8 in parse_dhcp_opt (errstr=0x555c06b0 "",
>> arg=0x555c02a6 "", flags=128) at option.c:1473
>> 1473 m[0] = 0;
>> (gdb) p m
>> $1 = (unsigned char *) 0x0
> 
> Is this interesting for you at all?

It is. Fix committed.


Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] Segmentation fault when providing invalid --dhcp-match command line option

2019-12-03 Thread Klaus Eisentraut
Hi,

I recently did some fuzzing with afl-fuzz in the config file parsing
part of dnsmasq. I know it is not very useful, but it was very easy to
start with.

Anyway, I found a (non-exploitable) crash in dnsmasq which can be
triggered by providing an invalid configuration file or an invalid
command line option. In order to reproduce it, just run

  dnsmasq --dhcp-match=a,120,

The bug is in line 1473 of option.c where the statement "m[0] = 0" is
executed while m is set to NULL.

> (gdb) run --dhcp-match=a,120,
> Starting program: dnsmasq --dhcp-match=a,120,
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x5556aaf8 in parse_dhcp_opt (errstr=0x555c06b0 "",
> arg=0x555c02a6 "", flags=128) at option.c:1473
> 1473  m[0] = 0;
> (gdb) p m
> $1 = (unsigned char *) 0x0

Is this interesting for you at all?

Kind regards,
Klaus Eisentraut
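A constructed C model of the failing parse, added here as an example and not dnsmasq's own code: a small --dhcp-match parser that splits the tag, option number and optional value fields, and rejects the empty value left by the trailing comma in "a,120," with an error instead of writing through the pointer the way the reported "m[0] = 0" did. The struct, next_field and parse_dhcp_match names are this example's assumptions, as is treating a missing third field as "match on option presence only".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one --dhcp-match=<tag>,<option number>[,<value>] entry
   (not dnsmasq's own type); value_len 0 means "match on option presence only". */
struct dhcp_match { char tag[32]; int opt; unsigned char value[64]; size_t value_len; };

/* Next comma-separated field, or NULL once none remain. For "a,120," the
   third call returns "" and the fourth NULL: the empty field is the bug trigger. */
static char *next_field(char **cur)
{
    char *start = *cur, *comma;
    if (!start) return NULL;
    if ((comma = strchr(start, ','))) { *comma = '\0'; *cur = comma + 1; }
    else *cur = NULL;
    return start;
}

static int fail(char *errstr, size_t errlen, const char *msg)
{
    snprintf(errstr, errlen, "%s", msg);
    return -1;
}

/* Parse arg into *out: 0 on success, -1 with a message in errstr. */
int parse_dhcp_match(const char *arg, struct dhcp_match *out, char *errstr, size_t errlen)
{
    char buf[128], *cur = buf, *end = NULL;
    if (strlen(arg) >= sizeof buf) return fail(errstr, errlen, "argument too long");
    strcpy(buf, arg);
    char *tag = next_field(&cur), *opt = next_field(&cur), *val = next_field(&cur);
    if (!tag || !*tag || strlen(tag) >= sizeof out->tag)
        return fail(errstr, errlen, "bad tag");
    long n = opt ? strtol(opt, &end, 10) : 0;
    if (!opt || !*opt || *end || n < 1 || n > 254)
        return fail(errstr, errlen, "bad option number");
    /* The report's crash: the value pointer was written ("m[0] = 0") without
       checking that a value was actually supplied. Reject the empty field instead. */
    if (val && !*val) return fail(errstr, errlen, "empty value after trailing comma");
    if (val && strlen(val) > sizeof out->value) return fail(errstr, errlen, "value too long");
    strcpy(out->tag, tag);
    out->opt = (int)n;
    out->value_len = val ? strlen(val) : 0;
    if (val) memcpy(out->value, val, out->value_len);
    return 0;
}
```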
