Hello,

This patch fixes a buffer overflow in TCP requests. Since the read is not 
actually being retried, the byte written by the child can be left in the pipe. 
When that happens, cache_recv_insert() reads the length of the name, which is 
now multiplied by 256 due to the extra 0 byte (8 bit shift) and results in 
daemon->namebuff being overflowed. Namebuff is immediately before the daemon 
struct in memory so it ends up corrupting the beginning of the daemon struct.

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 6481de8..457dea3 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1887,7 +1887,7 @@ static void check_dns_listeners(time_t now)
                           single byte comes back up the pipe, which
                           is sent by the child after it has closed the
                           netlink socket. */
-                       retry_send(read(pipefd[0], &a, 1));
+                       while (retry_send(read(pipefd[0], &a, 1)));
 #endif
                        break;
                      }
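Review bot: the new `while (retry_send(read(pipefd[0], &a, 1)));` is correct only if retry_send() returns non-zero solely for retryable conditions (EINTR/EAGAIN-style errors), so that the loop also terminates when read() returns 0 (child closed its end without writing) or fails hard; nothing in this hunk states that contract, so a one-line comment beside the loop, or an extension of the comment above it, e.g. "the read is retried so the byte is never left in the pipe for a later reader", would make the intent clear. The empty-body loop with the terminating `;` on the same line is easy to misread as a plain statement; consider putting the `;` (or `continue;`) on its own line, as this is the form the rest of the project uses for such loops.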
@@ -1928,7 +1928,7 @@ static void check_dns_listeners(time_t now)
 #ifdef HAVE_LINUX_NETWORK
                  /* See comment above re netlink socket. */
                  close(daemon->netlinkfd);
-                 retry_send(write(pipefd[1], &a, 1));
+                 while (retry_send(write(pipefd[1], &a, 1)));
 #endif
                }
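Review bot: the write-side loop has the same dependence on retry_send() semantics as the read-side one, and additionally the hunk does not show what happens if the parent has already closed pipefd[0]: write() would then fail with EPIPE and, unless SIGPIPE is ignored in the child, the child would be killed before the code after this block runs. Confirm that SIGPIPE is handled (or that the parent's blocking read in the first hunk guarantees its read end stays open), and that the child closes pipefd[1] (or exits) promptly after this write so a parent waiting in read() sees either the byte or EOF rather than blocking.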

Frank
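As an added illustration of the retry semantics the patch relies on (example code, not dnsmasq's own; `should_retry()` is a stand-in assumed to behave like the retry_send() described above, and the pipe set-up is constructed for the demo):

```c
/* Parent/child synchronisation byte over a pipe, read with a retry loop so an
 * EINTR/EAGAIN never leaves the byte behind for a later reader. should_retry()
 * is an assumption standing in for dnsmasq's retry_send(). */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Non-zero only when a failed read()/write() should simply be retried. */
static int should_retry(ssize_t rc)
{
    return rc == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK);
}

/* Consume exactly one sync byte from fd.
 * Returns 1 when a byte was read, 0 on EOF (writer closed without writing),
 * -1 on a non-retryable error. */
int read_sync_byte(int fd)
{
    unsigned char a;
    ssize_t rc;
    do
        rc = read(fd, &a, 1);
    while (should_retry(rc));
    return rc == 1 ? 1 : (rc == 0 ? 0 : -1);
}

/* Send the sync byte, retrying on EINTR/EAGAIN. Returns 1 on success. */
int write_sync_byte(int fd)
{
    unsigned char a = 0;
    ssize_t rc;
    do
        rc = write(fd, &a, 1);
    while (should_retry(rc));
    return rc == 1;
}

/* Constructed demo: after the sync byte is consumed, a non-blocking read on
 * the pipe must find nothing (-1/EAGAIN), i.e. no stray zero byte remains
 * to be mistaken for part of a later message. Returns 1 if the pipe is empty. */
int demo_pipe_is_drained(void)
{
    int pipefd[2];
    unsigned char junk;
    if (pipe(pipefd) != 0) return -1;
    if (!write_sync_byte(pipefd[1])) return -1;
    if (read_sync_byte(pipefd[0]) != 1) return -1;
    fcntl(pipefd[0], F_SETFL, O_NONBLOCK);
    ssize_t rc = read(pipefd[0], &junk, 1);
    int drained = (rc == -1 && errno == EAGAIN);
    close(pipefd[0]);
    close(pipefd[1]);
    return drained;
}
```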


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
