diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2020-01-06 16:21:25 +0100 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2020-01-06 17:44:22 +0100 |
commit | 414d0541381d432e69190f394dfe2a6e8122d6bb (patch) | |
tree | d08fe2fe013d82436fb8ba66ab805c79b27b05be /package/network/services/dnsmasq/patches | |
parent | 99dd2709b855baa9e68c7c7106743a7c4a91ee0c (diff) | |
download | upstream-414d0541381d432e69190f394dfe2a6e8122d6bb.tar.gz upstream-414d0541381d432e69190f394dfe2a6e8122d6bb.tar.bz2 upstream-414d0541381d432e69190f394dfe2a6e8122d6bb.zip |
dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.
I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/services/dnsmasq/patches')
-rw-r--r-- | package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch b/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch new file mode 100644 index 0000000000..5b1d59566d --- /dev/null +++ b/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch @@ -0,0 +1,35 @@ +From e710c34469af4378c2db6fa0b0be88313adcb68f Mon Sep 17 00:00:00 2001 +From: Alin Nastac <alin.nastac@gmail.com> +Date: Mon, 30 Sep 2019 15:30:26 +0100 +Subject: [PATCH] Fix crash when negative SRV response over TCP gets stored in + LRU cache entry. + +Patch extended to receive side of pipe by SRK. +--- + src/cache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/src/cache.c ++++ b/src/cache.c +@@ -665,7 +665,11 @@ void cache_end_insert(void) + if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV)) + read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0); + if (flags & F_SRV) +- blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent); ++ { ++ /* A negative SRV entry is possible and has no data, obviously. */ ++ if (!(flags & F_NEG)) ++ blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent); ++ } + #ifdef HAVE_DNSSEC + if (flags & F_DNSKEY) + { +@@ -737,7 +741,7 @@ int cache_recv_insert(time_t now, int fd + if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1)) + return 0; + +- if (flags & F_SRV && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen))) ++ if ((flags & F_SRV) && !(flags & F_NEG) && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen))) + return 0; + + #ifdef HAVE_DNSSEC |