diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2020-01-06 16:21:25 +0100 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2020-01-06 17:46:00 +0100 |
commit | f58705b77eb20a3c39b2274168aba06233df2bc8 (patch) | |
tree | 7ebd40a6a46d271364cf7de88f69cb08f86ac606 | |
parent | 54711e528d03bdbfa4df94d982aac5e70b8f81e5 (diff) | |
download | upstream-f58705b77eb20a3c39b2274168aba06233df2bc8.tar.gz upstream-f58705b77eb20a3c39b2274168aba06233df2bc8.tar.bz2 upstream-f58705b77eb20a3c39b2274168aba06233df2bc8.zip |
dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.
I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 414d0541381d432e69190f394dfe2a6e8122d6bb)
-rw-r--r-- | package/network/services/dnsmasq/Makefile | 2 | ||||
-rw-r--r-- | package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch | 35 |
2 files changed, 36 insertions, 1 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index dc20ada292..4a93a2fa30 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_UPSTREAM_VERSION:=2.80 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=14 +PKG_RELEASE:=15 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch b/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch new file mode 100644 index 0000000000..5b1d59566d --- /dev/null +++ b/package/network/services/dnsmasq/patches/0040-Fix-crash-when-negative-SRV-response-over-TCP-gets-s.patch @@ -0,0 +1,35 @@ +From e710c34469af4378c2db6fa0b0be88313adcb68f Mon Sep 17 00:00:00 2001 +From: Alin Nastac <alin.nastac@gmail.com> +Date: Mon, 30 Sep 2019 15:30:26 +0100 +Subject: [PATCH] Fix crash when negative SRV response over TCP gets stored in + LRU cache entry. + +Patch extended to receive side of pipe by SRK. +--- + src/cache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/src/cache.c ++++ b/src/cache.c +@@ -665,7 +665,11 @@ void cache_end_insert(void) + if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV)) + read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0); + if (flags & F_SRV) +- blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent); ++ { ++ /* A negative SRV entry is possible and has no data, obviously. */ ++ if (!(flags & F_NEG)) ++ blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent); ++ } + #ifdef HAVE_DNSSEC + if (flags & F_DNSKEY) + { +@@ -737,7 +741,7 @@ int cache_recv_insert(time_t now, int fd + if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1)) + return 0; + +- if (flags & F_SRV && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen))) ++ if ((flags & F_SRV) && !(flags & F_NEG) && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen))) + return 0; + + #ifdef HAVE_DNSSEC |