惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
P
Privacy International News Feed
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
A
About on SuperTechFans
量子位
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
V2EX
Recent Announcements
Recent Announcements
博客园 - 叶小钗
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
C
Check Point Blog
N
Netflix TechBlog - Medium
Y
Y Combinator Blog
P
Proofpoint News Feed
T
The Blog of Author Tim Ferriss
D
DataBreaches.Net
月光博客
月光博客
Engineering at Meta
Engineering at Meta
博客园 - 【当耐特】
Martin Fowler
Martin Fowler
小众软件
小众软件
博客园 - 司徒正美
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
M
MIT News - Artificial intelligence
G
Google Developers Blog
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
D
Docker
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
V
Visual Studio Blog
Recorded Future
Recorded Future
I
InfoQ
T
Tailwind CSS Blog
MongoDB | Blog
MongoDB | Blog
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
美团技术团队
Vercel News
Vercel News
GbyAI
GbyAI
aimingoo的专栏
aimingoo的专栏
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
WordPress大学
WordPress大学

dnsmasq-discuss

[Dnsmasq-discuss] Announce: dnsmasq-2.92rc2 Re: [Dnsmasq-discuss] [PATCH] Fix arguments order for chaos subdomain check Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback [Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] NFTsets and hosts-files [Dnsmasq-discuss] [PATCH] Allow expired RRSIGs when stale caching is enabled [Dnsmasq-discuss] [PATCH] Fix local host records being overridden by upstream NXDOMAIN [Dnsmasq-discuss] [PATCH] Fix arguments order for chaos subdomain check Re: [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Malformed NSEC/NSEC3 Can Hang dnsmasq [Dnsmasq-discuss] Malformed RRSIG Can Crash dnsmasq [Dnsmasq-discuss] Security - IMPORTANT Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests [Dnsmasq-discuss] Issue with circuit-id matching on dhcp requests Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] dnssec problem here and now [Dnsmasq-discuss] dnssec problem here and now Re: [Dnsmasq-discuss] server= with interface parameter changes behavior over time Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. [Dnsmasq-discuss] server= with interface parameter changes behavior over time [Dnsmasq-discuss] [PATCH] bpf.c: fix memory leak in arp_enumerate() on BSD Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. Re: [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options Re: [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections [Dnsmasq-discuss] server priority clarification after e86d53c [Dnsmasq-discuss] [BUG] SIGSEGV when parsing invalid "--interface-name" or "--dynamic-host" options [Dnsmasq-discuss] Suggestion to increase default for max-tcp-connections Re: [Dnsmasq-discuss] [PATCH] Preserve existing log file permissions when adding group-write bit. [Dnsmasq-discuss] [Bug] Heap buffer overflow in cache_recv_insert() due to pipe de-synchronization Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] [PATCH] DHCPv6 network range is not checked well with dhcp-sequential-ip [Dnsmasq-discuss] [PATCH] Don't penalize conditional forwarders for REFUSED responses [Dnsmasq-discuss] BUG:Heap buffer overflow in src/forward.c due to incorrect pointer arithmetic (CWE-122) Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Regression/Feature Request for 2.92 Re: [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] [PATCH] ubus: add lease management methods [Dnsmasq-discuss] Regression/Feature Request for 2.92 [Dnsmasq-discuss] cotillon por mayor [Dnsmasq-discuss] Por Qué el Alquiler de Plataformas Elevadoras es la Clave del Éxito para Tu Empresa Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device [Dnsmasq-discuss] Bug: Null pointer dereference in domain-match.c at line 82 (dnsmasq 2.92test21-1-gee09f06) [Dnsmasq-discuss] TCP optimization regressions Re: [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 Re: [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] dnsmasq 2.92 build-error against Nettle 4.0 [Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] Bug with NS records when using dnsmasq as authoritative nameserver without specific auth-interface Re: [Dnsmasq-discuss] segfault with an empty OPTION_SNAME [Dnsmasq-discuss] segfault with an empty OPTION_SNAME Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. Re: [Dnsmasq-discuss] Shut down caused by device request address. [Dnsmasq-discuss] Shut down caused by device request address. [Dnsmasq-discuss] [PATCH] dnsmasq: failed to create inotify for /etc/resolv.conf: No space left on device Re: [Dnsmasq-discuss] dnsmasq with high availability and dynamic range [Dnsmasq-discuss] dnsmasq with high availability and dynamic range [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c [Dnsmasq-discuss] PATCH] PXE boot server (PXEBS) responses broken in 2.92 — missing else in dhcp.c [Dnsmasq-discuss] Potential memory leak Re: [Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain [Dnsmasq-discuss] Announce: dnsmasq-2.92 Re: [Dnsmasq-discuss] dnsmasq does not forward requests with no default route is set [Dnsmasq-discuss] DNSSEC validation fails for wildcard subdomains [Dnsmasq-discuss] Add an option to not always add a pseudo header? Re: [Dnsmasq-discuss] Announce: 2.92.rc1, rc3 & patches overseen Re: [Dnsmasq-discuss] Portable PXE boot appliance [Dnsmasq-discuss] Portable PXE boot appliance Re: [Dnsmasq-discuss] Question about IPv6 settings [Dnsmasq-discuss] Incorrect SERVFAIL on dnssec and rivcoed.org. domain [Dnsmasq-discuss] Question about IPv6 settings Re: [Dnsmasq-discuss] iPhone 17 Pro Max DHCP not working [Dnsmasq-discuss] iPhone 17 Pro Max DHCP not working Re: [Dnsmasq-discuss] [PATCH 0/3] Announce: 2.92.rc1 [Dnsmasq-discuss] [PATCH 0/3] Announce: 2.92.rc1 [Dnsmasq-discuss] [PATCH 3/3] Fix some issues with the swedish manual page, some causing lintian warnings [Dnsmasq-discuss] [PATCH2/3] Fix typos in the english manual page [Dnsmasq-discuss] [PATCH 1/3] Remove trailing white space from dnsmasq.conf.example [Dnsmasq-discuss] Announce: 2.92.rc1 [Dnsmasq-discuss] dnsmasq rejects TCP queries originating from Kubernetes pods Re: [Dnsmasq-discuss] Git: Is first dhcp.c address_available() for/if code correct? [Dnsmasq-discuss] [PATCH dnsmasq 1/1] fix SIGSEGV in dbus.c when no dhcp-range is configured
[Dnsmasq-discuss] [Bug] Buffer underflow in hostname_issubdomain()
Critizero Chen · 2026-04-21 · via dnsmasq-discuss
Hi all,

I am reporting an issue found in src/util.c. This is a pointer underflow
vulnerability in the hostname_issubdomain() function, which I have verified
on the latest development version: *dnsmasq 2.93test4-11-gcf08eee*.
Summary

The function hostname_issubdomain(char *a, char *b) fails to handle cases
where the parameter b is an empty string. When b is empty, the pointer bp
underflows during the first iteration of the do-while loop, leading to an
out-of-bounds read.
Root Cause Analysis

In src/util.c (around line 436 in the current master):

  /* move to the end */
  for (bp = b; *bp; bp++); // If b is "", bp remains equal to b
  ...
  do
    {
      c1 = (unsigned char) *(--ap);
      c2 = (unsigned char) *(--bp);  // BUG: bp becomes b-1 (Underflow)
      ...
    } while (bp != b); // Since bp is already < b, this condition stays true

When b is an empty string (length 0), the initialization loop for bp does
nothing. The subsequent do-while loop immediately decrements bp to b-1,
reading memory outside the allocated buffer.
Trigger Path & Verification

This can be triggered by sending a CHAOS class DNS query for the root
domain (.):

   1.

   extract_name() parses the root domain as an empty string "".
   2.

   In src/rfc1035.c, it calls hostname_issubdomain("bind", name).
   3.

   With name as "", the underflow occurs.

*Reproducer:* dig @127.0.0.1 -p [PORT] -c CH -t TXT .
Severity & Impact

I performed dynamic testing with >100,000 queries. While a persistent
infinite loop (DoS) is difficult to achieve because the loop usually breaks
when c1 != c2 (random stack data), Valgrind consistently reports an *Invalid
read of size 1*.

This memory safety issue leads to *Undefined Behavior* and potential minor
information leakage from the stack or heap area immediately preceding the
buffer.
Evidence (Valgrind Output)
==73== Invalid read of size 1
==73==    at 0x11E139: hostname_issubdomain (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x11B424: answer_request (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x12FE31: receive_query (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x1129D4: main (in /root/dnsmasq/src/dnsmasq)
==73==  Address 0x4a8b48f is 1 bytes before a block of size 2,051 alloc'd
==73==    at 0x484DA83: calloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==73==    by 0x11DE34: safe_malloc (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x12AB68: read_opts (in /root/dnsmasq/src/dnsmasq)
==73==    by 0x1113F1: main (in /root/dnsmasq/src/dnsmasq)
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss