Stephan Zeisberg
2017-05-03 15:42:00 UTC
Hello,
opening the attached sample config input file with dnsmasq results in a
crash (SIGSEGV). The input file is fuzzed with american fuzzy
lop http://lcamtuf.coredump.cx/afl/.
version:
commit b2a9c571ebb333acbaa6bd752142df6821cb410c
how to reproduce:
$ ./src/dnsmasq --test -C <attached config file>
gdb:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
312 c1 = (unsigned char) *a++;
(gdb) bt
#0 hostname_isequal (a=0x0, b=0x84f01f "be# If you w0") at util.c:312
#1 0x0000000000441a45 in one_opt (option=<optimized out>, arg=0x84f01f "be# If you w0", errstr=<optimized out>, gen_err=<optimized out>, command_line=<optimized out>, servers_only=<optimized out>)
at option.c:3853
#2 0x0000000000422e7c in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4304
#3 0x000000000042159a in one_file (file=0x84feb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#4 0x0000000000424c3d in read_opts (argc=4, argv=0x7ffcedcbca18, compile_opts=<optimized out>) at option.c:4733
#5 0x0000000000457557 in main (argc=0, argv=0x84f01f) at dnsmasq.c:89
valgrind:
==4077== Memcheck, a memory error detector
==4077== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4077== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==4077== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==4077==
==4077== Invalid read of size 1
==4077== at 0x41EA1C: hostname_isequal (util.c:312)
==4077== by 0x441A44: one_opt (option.c:3853)
==4077== by 0x422E7B: read_file (option.c:4304)
==4077== by 0x421599: one_file (option.c:4396)
==4077== by 0x424C3C: read_opts (option.c:4733)
==4077== by 0x457556: main (dnsmasq.c:89)
==4077== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4077==
==4077==
==4077== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4077== Access not within mapped region at address 0x0
==4077== at 0x41EA1C: hostname_isequal (util.c:312)
==4077== by 0x441A44: one_opt (option.c:3853)
==4077== by 0x422E7B: read_file (option.c:4304)
==4077== by 0x421599: one_file (option.c:4396)
==4077== by 0x424C3C: read_opts (option.c:4733)
==4077== by 0x457556: main (dnsmasq.c:89)
==4077== If you believe this happened as a result of a stack
==4077== overflow in your program's main thread (unlikely but
==4077== possible), you can try to increase the size of the
==4077== main thread stack using the --main-stacksize= flag.
==4077== The main thread stack size used in this run was 8388608.
==4077==
==4077== HEAP SUMMARY:
==4077== in use at exit: 3,973 bytes in 32 blocks
==4077== total heap usage: 33 allocs, 1 frees, 8,069 bytes allocated
==4077==
==4077== LEAK SUMMARY:
==4077== definitely lost: 0 bytes in 0 blocks
==4077== indirectly lost: 0 bytes in 0 blocks
==4077== possibly lost: 0 bytes in 0 blocks
==4077== still reachable: 3,973 bytes in 32 blocks
==4077== suppressed: 0 bytes in 0 blocks
==4077== Rerun with --leak-check=full to see details of leaked memory
==4077==
==4077== For counts of detected and suppressed errors, rerun with: -v
==4077== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 4077 segmentation fault valgrind ./src/dnsmasq --test -C /tmp/dnsmasq_crash
Regards,
Stephan
--
Stephan Zeisberg
Security Researcher
m: ***@splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588
splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199
twitter: http://twitter.com/sploneberlin
Confidentiality: This e-mail contains confidential information intended
only for the addressee. If you are not the intended recipient you may
not disclose, copy, use or otherwise distribute the content of this
email.
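The backtrace above shows hostname_isequal() entered with a == 0x0 from the option parser, i.e. a NULL hostname reaching a byte-by-byte compare that trusts both pointers. The following is an added example, not dnsmasq's code and not from the reporter: the unguarded loop is an assumed reconstruction of the comparison at util.c:312 written from the crash site alone, hostname_isequal_safe() and handle_name_option() are hypothetical hardened forms, struct opt_ctx and the OPT_* codes are invented for the demonstration, and the inputs (including the fuzzed argument gdb printed) are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed reconstruction of the comparison loop at util.c:312 in the
 * report: case-insensitive compare of two NUL-terminated hostnames.
 * It trusts both pointers; a NULL `a` reads address 0, which is what
 * gdb (a=0x0) and valgrind ("Invalid read of size 1 ... Address 0x0")
 * show. Not dnsmasq's actual source, only its observable behaviour. */
static int hostname_isequal_unguarded(const char *a, const char *b)
{
    unsigned int c1, c2;
    do {
        c1 = (unsigned char)*a++;
        c2 = (unsigned char)*b++;
        if (c1 >= 'A' && c1 <= 'Z') c1 += 'a' - 'A';
        if (c2 >= 'A' && c2 <= 'Z') c2 += 'a' - 'A';
        if (c1 != c2)
            return 0;
    } while (c1);
    return 1;
}

/* Hardened form (hypothetical): a missing name never matches anything,
 * including another missing name, so a field a caller forgot to set
 * cannot silently match every record. */
int hostname_isequal_safe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return hostname_isequal_unguarded(a, b);
}

/* Hypothetical option handler standing in for the caller at
 * option.c:3853. `ctx->name` models a value that may not have been
 * filled in yet when the fuzzed line is parsed; the handler must
 * report a configuration error instead of handing NULL to the compare. */
struct opt_ctx {
    const char *name;   /* may be NULL until an earlier option sets it */
};

enum { OPT_OK = 0, OPT_ERR_MISSING = 1, OPT_ERR_MISMATCH = 2 };

int handle_name_option(const struct opt_ctx *ctx, const char *arg)
{
    if (ctx == NULL || ctx->name == NULL || arg == NULL)
        return OPT_ERR_MISSING;      /* surface the problem, do not crash */
    return hostname_isequal_safe(ctx->name, arg) ? OPT_OK : OPT_ERR_MISMATCH;
}

int main(void)
{
    /* Constructed inputs; "be# If you w0" is the fuzzed argument from the gdb frame. */
    struct opt_ctx unset = { NULL };
    struct opt_ctx set   = { "router.lan" };
    const char *fuzzed   = "be# If you w0";

    printf("unset ctx    -> %d (expect %d)\n", handle_name_option(&unset, fuzzed), OPT_ERR_MISSING);
    printf("set ctx      -> %d (expect %d)\n", handle_name_option(&set, fuzzed), OPT_ERR_MISMATCH);
    printf("case-insens  -> %d (expect %d)\n", handle_name_option(&set, "ROUTER.LAN"), OPT_OK);
    printf("NULL vs NULL -> %d (expect 0)\n", hostname_isequal_safe(NULL, NULL));
    return 0;
}
```

The check that actually fixes the reported crash belongs at the call site, since the backtrace shows the NULL originates in one_opt(); the guard inside the compare is defence in depth against the next caller that makes the same mistake. Building the target with -fsanitize=address before running it under afl-fuzz reports this class of bug at the faulting read with a symbolised stack, which is the same information the gdb and valgrind output above had to be gathered for by hand.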