Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-09-06 Thread Simon Kelley
Thanks everyone who's been working on this, and apologies for going MIA until now. Looking through the code, I think I can see what's happening: memset(((char *)header) + qlen, 0, (limit - ((char *)header)) - qlen); Concentrate on the calculation of the length of the memset (limit

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-29 Thread Kevin Darbyshire-Bryant
On 28/08/17 17:27, Christian Kujau wrote: On Mon, 28 Aug 2017, Christian Kujau wrote: On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote: My workaround is to only call memset if the difference between buffer begin and buffer limit is bigger than the query length, thus it retains Simon's

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-29 Thread Kevin Darbyshire-Bryant
I've a *much* better fix for this. Will submit once I've collected someone from the station! Mad busy life, Kevin On 28/08/17 17:27, Christian Kujau wrote: On Mon, 28 Aug 2017, Christian Kujau wrote: On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote: My workaround is to only call memset

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-28 Thread Christian Kujau
On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote: > My workaround is to only call memset if the difference between buffer begin > and buffer limit is bigger than the query length, thus it retains Simon's > intent of clearing memory most of the time but avoids the SIGSEGV trampling. Thanks, with

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-28 Thread Christian Kujau
On Mon, 28 Aug 2017, Christian Kujau wrote: > On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote: > > My workaround is to only call memset if the difference between buffer begin > > and buffer limit is bigger than the query length, thus it retains Simon's > > intent of clearing memory most of the

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-28 Thread Kevin Darbyshire-Bryant
On 27/08/17 08:18, Christian Kujau wrote: OK, so I should have done this in the first place and used git bisect to find out which commit in Dnsmasq introduced this behaviour: fa78573778cb23337f67f5d0c9de723169919047 is the first bad commit commit fa78573778cb23337f67f5d0c9de723169919047

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-28 Thread Kevin Darbyshire-Bryant
On 28/08/17 09:27, Juan Manuel Fernandez wrote: Hi, Last weeks we were fuzzing dnsmasq and found this crash (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11597.html). We tried

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-28 Thread Juan Manuel Fernandez
Hi, Last weeks we were fuzzing dnsmasq and found this crash (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11597.html). We tried to reach Simon on Friday but we have not had any response from him. We asked MITRE for a CVE id and were assigned CVE-2017-13704. In our

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-27 Thread AW
> (gdb) print daemon->edns_pktsz > $1 = 4096 > that is weird... why is and the same then in the stack trace in answer_request(...)? i mean: what sets to zero? what about compiling with "-O0 -g"? -arne ___ Dnsmasq-discuss mailing list

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-27 Thread Christian Kujau
On Sun, 27 Aug 2017, Christian Kujau wrote: > > can u say what gdb says when u type > > # frame 2 > > # print daemon->edns_pktsz > > Hm, this doesn't work: Hah, in another attempt this worked: (gdb) frame 2 #2 0x0040d047 in receive_query (listen=listen@entry=0x8202c0,

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-27 Thread Christian Kujau
On Sun, 27 Aug 2017, AW wrote: > m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, ... > it seems like udp_size is 0, which causes memset to be called with weird > parameters, which causes the segmentation violation... > so we should find out, what sets udp_size to 0... See my

Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-27 Thread Christian Kujau
OK, so I should have done this in the first place and used git bisect to find out which commit in Dnsmasq introduced this behaviour: fa78573778cb23337f67f5d0c9de723169919047 is the first bad commit commit fa78573778cb23337f67f5d0c9de723169919047 Author: Simon Kelley

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-26 Thread AW
ohoh...I just found that u already used gdb... :) when it calls m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, ... it seems like udp_size is 0, which causes memset to be called with weird parameters, which causes the segmentation violation... so we should find out, what sets 

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-26 Thread AW
1. what about this patch? http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011697.html 2. what if u compile dnsmasq with -g and then run it in gdb when the crash happens? -arne

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-25 Thread Christian Kujau
On Mon, 21 Aug 2017, AW wrote: > i found something > similar: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011691.html > what happens, if u compile dnsmasq with -D_LARGEFILE_SOURCE > -D_FILE_OFFSET_BITS=64 ? Sorry for the late reply. Unfortunately, adding these options

Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-21 Thread AW
i found something similar: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011691.html what happens, if u compile dnsmasq with -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 ? -Arne Christian Kujau wrote on Monday, 21 August 2017 at 10:34: Hi, while

[Dnsmasq-discuss] reproducible segmentation fault

2017-08-21 Thread Christian Kujau
Hi, while playing around with the "dnseval" tool from the dnsdiag package[0], I accidentally crashed my dnsmasq instance that was running on my router. This router is running Dnsmasq version 2.77 on a current LEDE operating system, where similar crashes have been reported in the past: > sending