惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Comments on: Blog
S
Schneier on Security
Microsoft Azure Blog
Microsoft Azure Blog
T
Tor Project blog
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Spread Privacy
Spread Privacy
月光博客
月光博客
罗磊的独立博客
Cisco Talos Blog
Cisco Talos Blog
P
Privacy International News Feed
T
Tenable Blog
阮一峰的网络日志
阮一峰的网络日志
AWS News Blog
AWS News Blog
T
ThreatConnect
博客园 - 三生石上(FineUI控件)
Recorded Future
Recorded Future
Hugging Face - Blog
Hugging Face - Blog
T
Tailwind CSS Blog
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
A
Arctic Wolf
L
LINUX DO - 最新话题
美团技术团队
大猫的无限游戏
大猫的无限游戏
I
Intezer
博客园 - 司徒正美
酷 壳 – CoolShell
酷 壳 – CoolShell
量子位
小众软件
小众软件
T
Threatpost
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
宝玉的分享
宝玉的分享
The Register - Security
The Register - Security
Project Zero
Project Zero
J
Java Code Geeks
Cyberwarzone
Cyberwarzone
IT之家
IT之家
MyScale Blog
MyScale Blog
T
Threat Research - Cisco Blogs
T
The Blog of Author Tim Ferriss
腾讯CDC
S
SegmentFault 最新的问题
F
Fox-IT International blog
S
Security Archives - TechRepublic
Last Week in AI
Last Week in AI
G
GRAHAM CLULEY
M
MIT News - Artificial intelligence

dnsmasq-discuss

Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] NFTsets and hosts-files [Dnsmasq-discuss] [PATCH] Allow expired RRSIGs when stale caching is enabled [Dnsmasq-discuss] [PATCH] Fix local host records being overridden by upstream NXDOMAIN [Dnsmasq-discuss] [PATCH] Fix arguments order for chaos subdomain check Re: [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Malformed NSEC/NSEC3 Can Hang dnsmasq [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Security - IMPORTANT Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] dnssec problem here and now [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. Re: [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options Re: [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections [Dnsmasq-discuss] server priority clarification after e86d53c [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] [PATCH] DHCPv6 network range is not checked well with dhcp-sequential-ip [Dnsmasq-discuss] [Bug] Buffer underflow in hostname_issubdomain() [Dnsmasq-discuss] [PATCH] Don't penalize conditional forwarders for REFUSED responses [Dnsmasq-discuss] BUG:Heap buffer overflow in src/forward.c due to incorrect pointer arithmetic (CWE-122) Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] [PATCH] ubus: add lease management methods [Dnsmasq-discuss] Regression/Feature Request for 2.92 [Dnsmasq-discuss] cotillon por mayor [Dnsmasq-discuss] Por Qué el Alquiler de Plataformas Elevadoras es la Clave del Éxito para Tu Empresa Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] segfault with an empty OPTION_SNAME Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq with high availability and dynamic range [Dnsmasq-discuss] dnsmasq with high availability and dynamic range Re: [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c Re: [Dnsmasq-discuss] Potential memory leak [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Potential memory leak [Dnsmasq-discuss] Potential memory leak
[Dnsmasq-discuss] [Bug] Heap buffer overflow in cache_recv_insert() due to pipe de-synchronization
2026-04-21 · via dnsmasq-discuss 
Hi all,

I have identified a high-severity heap buffer overflow vulnerability in
src/cache.c. This issue arises from a synchronization failure in the
TCP/DNS pipe communication between the parent and child processes when a
memory allocation fails.
Summary

In cache_recv_insert(), when blockdata_read() fails to allocate memory
(returning NULL), the code uses a continue statement to skip the current
iteration. However, because blockdata_read() returns before consuming the
expected number of bytes from the file descriptor (fd), the unread Resource
Record (RR) data remains in the pipe.

In the next iteration of the loop, this leftover data is incorrectly
interpreted as the length of the next domain name (m), leading to a heap
buffer overflow when reading into daemon->namebuff.
Technical Details

*File:* src/cache.c *Function:* cache_recv_insert() *Impacted Lines:* 1018,
1025, 1032 (in master/2.93test7)

*Vulnerable Logic:*

// src/cache.c:1018if ((flags & F_RR) && !(flags & F_NEG) && (flags & F_KEYTAG)
    && !(block = addr.rrblock.rrdata = blockdata_read(fd,
addr.rrblock.datalen)))
  continue; // BUG: Should be 'return 0' to abort the transaction

When blockdata_read() fails at src/blockdata.c:92 (due to new_block()
returning NULL), it returns NULL without reading any data from the pipe.
The continue statement then forces the loop to start over:

   1.

   The loop tries to read m (the next name length).
   2.

   It instead reads the *first 8 bytes of the unconsumed RR data* as m.
   3.

   If the attacker-controlled RR data results in an m > MAXDNAME (1024),
   the subsequent read_write(fd, daemon->namebuff, m, ..) call overflows
   the daemon->namebuff heap buffer.

Impact

An attacker can trigger this by:

   1.

   Sending a DNS query that generates a large RR response (setting F_RR).
   2.

   Inducing memory pressure (or exploiting a specific allocation limit).
   3.

   Once blockdata_read fails, the pipe desyncs, allowing the attacker to
   control the m value and execute a heap overflow.

This can lead to a *Denial of Service (DoS)* or potentially *Remote Code
Execution (RCE)* under specific memory layouts.

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。