Commit Graph

8656 Commits

Author SHA1 Message Date
Dominik 6ef7e94de5 Merge pull request #2910 from rdevshp/edns0_optlen0_fix
fix OOB write in FTL_parse_pseudoheaders when optlen is 0
2026-06-13 17:43:29 +02:00
Dominik 57eb60ddec Merge pull request #2890 from pi-hole/update/dnsmasq
Update embedded dnsmasq to v2.93
2026-06-13 10:14:11 +02:00
Dominik ec6f5d9e9b Adjust tests after recent dnsmasq changes
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-12 19:42:16 +02:00
DL6ER 6a66622a41 Follow-up fix after ff4964d01da230766bd3c561a7b577e781359a7b changed print_mac()'s buffer handling
Also fix add_pseudoheader() call sites for the v2.93 size_t out_size signature.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2026-06-12 18:39:33 +02:00
rdevshp a0238d9987 fix OOB write in FTL_parse_pseudoheaders when optlen is 0
Signed-off-by: rdevshp <rdevshp@gmail.com>
2026-06-12 16:17:03 +00:00
Dominik 6c29e138aa Merge pull request #2907 from RamSet/macvendor-longest-prefix
macvendor: resolve sub-allocated blocks (MA-M/MA-S) via longest-prefix match
2026-06-12 17:54:04 +02:00
RamSet c32035d2fa macvendor: match sub-allocated MA-M/MA-S blocks (longest prefix)
getMACVendor() truncated the address to the 24-bit OUI (XX:YY:ZZ) and matched
that alone. Many OUIs are sub-divided into smaller MA-M (/28) and MA-S / IAB
(/36) assignments whose 24-bit prefix resolves only to "IEEE Registration
Authority" (or to no row at all) - so those devices showed a blank/useless
hardware vendor.

The macvendor table already stores these finer assignments in Wireshark manuf
form (e.g. "34:E1:D1:80/28", "00:1B:C5:00:00/36"), so no database change is
needed: reconstruct the candidate /24, /28 and /36 keys from the queried MAC in
SQL and let the longest match win. Existing /24 keys are matched unchanged, so
this is purely additive - no generator change, no DB rebuild, no transition.

Add a BATS test seeding MA-L/MA-M/MA-S rows that asserts each resolves, that two
devices under the same 24-bit parent resolve independently, and that an unknown
OUI yields no match.

Signed-off-by: RamSet <ramset@gmail.com>
2026-06-10 07:07:03 -06:00
Dominik 364504490a Update dnsmasq tag to v2.93
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:53 +02:00
Simon Kelley 42ed6042ca Fix OOB-read crash in get_rdata().
get_rdata() contains another instance of a crash caused by
a false value of RDLEN in a resource-record.

An RR containing name which is longer than the rdlen of the RR can
get get_rdata into a state where it calculates the length of the data
following the name as a negative number which is then promoted
to a very large positive number, and causing SIGSEGV.

This can be triggered by crafted packets from malicous DNS servers,
but only when DNSSEC validation is enabled. The attack packets do not
have to be correctly DNSSEC signed.

Thanks to Tristan G. for spotting this problem.

Also fix error handling for RRs with a fixed size fields in the specification
where the rrsize indicates that there are zero bytes in that position.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:28 +02:00
Simon Kelley 236d42ab2c Better code to make human-friendly tokens for pointers in log-malloc.
It turns out that subtracting NULL from a pointer to turn it into
an integer is not a good idea, because subtracting a NULL pointer
is undefined behaviour in C.

The correct way to do this is simply to cast the pointer to
uintptr_t. The only fly in this ointment is that the C standard
does not mandate support for uintptr_t.  In practice, I doubt
anyone is running dnsmasq on the long-dead architectures where
this might be a problem.

Thanks to Matthias Andree for the heads-up.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:25 +02:00
Simon Kelley 40e6d3457b Add the ability to bail before EOF to get_line_alloc();
If we stop reading a file before getting to the end, get_line_alloc()
will not clean up the memory it allocated. Give get_line_alloc()
the ability to do a forced cleanup by calling it with a NULL file,
and use that ability where we stop reading a file early.

Also clear the state variables when we free the memory, to
pre-empt use-after-free.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:20 +02:00
Simon Kelley 4c49de193d Fix get_line_alloc()
Assigning the result of getc() to a char makes comparing it to EOF
unreliable, at the very least. You're never too old to make newbie
mistakes.

Thanks to Sebastian Gottschall  for spotting this.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:18 +02:00
Simon Kelley d686ebea6d Re-implement print_mac() to do its own buffer managment.
print_mac() used to output into caller-supplied buffer with no
length checking. The various callers supplied different
length buffers and did their own, ad-hoc, length checking before
calling print_mac(). This was an accident waiting to happen and
it had actually happened in couple of places, with buffer
overflows possible.

print_mac() now returns the address of its own buffer, which
is grown as required.

Thanks to Nicholas Carlini <npc@anthropic.com> for spotting this problem.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:59:01 +02:00
Simon Kelley 66dd2f7a08 Include fc00::/8 in the set of local addresses.
The current local address range is fd00::/8, but RFC 4193
para 3.1/3.2 reserves fc00::/8 for future use as local addresses,
so add that to the list.

Thanks to Michalis Vasileiadis for spotting this omission.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:58:45 +02:00
Simon Kelley 50098190e7 Fix DNSSEC frec use-after-free in TCP validation path.
Full credit to Jerry Tom <goonsomeway@gmail.com> for finding this.

When DNSSEC validation falls back to TCP (via a forked child process),
the parent uses a uid-based check to detect whether a frec has been
freed and reused before the child returns. It doesn't, however check for
the more likely scenario which is that the frec has simply been
freed via the timeout path in get_new_frec(). This leads to a
use-after-free on an already freed frec.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:58:40 +02:00
Simon Kelley 5f7c06ea32 Change "limit" arg to add_pseudoheader() to a length.
Also ripple effects for most of its callers.

This fixes an OOB write caused by bad pointer arithmetic
calculating the pointer-to-end-of-packet used before.

Thanks to Donghyeon Jeong for spotting the bug.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:58:09 +02:00
Simon Kelley 50f90ca6c9 Change "limit" arg to make_local_answer() to a length.
This fixes an OOB write caused by bad pointer arithmetic
calculating the pointer-to-end-of-packet used before.

Thanks to Donghyeon Jeong for spotting the bug.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:56:57 +02:00
Simon Kelley e81d3fc996 Tidy up get_line_alloc()
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:56:04 +02:00
Simon Kelley 5291258487 Check for too-small packets in relay_upstream6()
Before this fix, the code could read a couple of bytes beyond
valid data when an invalid too-short packet was recieved.

Thanks to Sokhna Walo DIAKHATE <sokhnawalodiakhate@esp.sn>
for the bug report.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:56:00 +02:00
Simon Kelley 0e9de57cc1 Fix hostname_issubdomain() confusion.
commit 1269f074f86bb959863012063060a3a082d37dc4 broke
hostname_issubdomain() and then accidentally fixed
some of the problems by inverting the argument order
in the new uses of the function it introduced.
All the pre-existing calls to hostname_issubdomain()
were left in a non-working state.

This fixes hostname_issubdomain() back to the state
before 1269f074f86bb959863012063060a3a082d37dc4, adds
some logic to give correct answers when comparing
to the root domain, and gets right the new calls to
hostname_issubdomain()  added in
1269f074f86bb959863012063060a3a082d37dc4

Thanks to Jean Thomas for spotting this problem.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:55:57 +02:00
Simon Kelley 552ef3a179 Remove arbitrary limit on config file line lengths.
Stop using the namebuff buffer to read config file
lines. This reduced in size in
014e909f787e808bb35daa546d3f8f3663918de2 and caused
regressions. We now resize the buffer as needed,
so there is no practical limit.

Use the same code to remove the same limit when reading
/etc/ethers and /etc/resolv.conf. Also when copying output
from the lease-change script into the log.

Thanks to Kevin Darbyshire-Bryant for finding the regresssion.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:55:52 +02:00
Dominik d4707286f5 Fix two minor issues
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:55:34 +02:00
Dominik 079a5341a9 Merge branch 'development' into update/dnsmasq
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-06-08 19:53:49 +02:00
yubiuser de6c215a87 Merge pull request #2905 from pi-hole/dependabot-github_actions-development-github_action-dependencies-882fedbe01
chore(deps): Bump the github_action-dependencies group across 1 directory with 2 updates
2026-06-06 13:16:08 +02:00
dependabot[bot] ae95195913 chore(deps): Bump the github_action-dependencies group across 1 directory with 2 updates
Bumps the github_action-dependencies group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/7211b7c8077ea37d8641b6271f6a365a22a5fbfa...8aad20d150bbac5944a9f9d289da16a4b0d87c1e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github_action-dependencies
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github_action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-06 10:03:30 +00:00
yubiuser 4ec0e95f78 Merge pull request #2902 from pi-hole/dependabot-github_actions-development-github_action-dependencies-def28eadc9
chore(deps): Bump the github_action-dependencies group across 1 directory with 2 updates
2026-06-01 19:43:19 +02:00
Dominik 801ad81ae3 Merge pull request #2893 from darkexplosiveqwx/fedora-44-cmake
Fix build on Fedora 44
2026-05-31 14:44:23 +02:00
dependabot[bot] 822ab88863 chore(deps): Bump the github_action-dependencies group across 1 directory with 2 updates
Bumps the github_action-dependencies group with 2 updates in the / directory: [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) and [eps1lon/actions-label-merge-conflict](https://github.com/eps1lon/actions-label-merge-conflict).


Updates `docker/setup-qemu-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/ce360397dd3f832beb865e1373c09c0e9f86d70a...06116385d9baf250c9f4dcb4858b16962ea869c3)

Updates `eps1lon/actions-label-merge-conflict` from 3.0.3 to 3.1.0
- [Release notes](https://github.com/eps1lon/actions-label-merge-conflict/releases)
- [Changelog](https://github.com/eps1lon/actions-label-merge-conflict/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eps1lon/actions-label-merge-conflict/compare/1df065ebe6e3310545d4f4c4e862e43bdca146f0...0273be72a0bbd58fcd71d0d6c02c209b50d1e5e1)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_action-dependencies
- dependency-name: eps1lon/actions-label-merge-conflict
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-30 10:03:30 +00:00
yubiuser 4c7665fe9a Merge pull request #2899 from pi-hole/dependabot-github_actions-development-github_action-dependencies-4834aef21e
chore(deps): Bump the github_action-dependencies group across 1 directory with 3 updates
2026-05-23 12:25:25 +02:00
dependabot[bot] dd89cdd9ec chore(deps): Bump the github_action-dependencies group across 1 directory with 3 updates
Bumps the github_action-dependencies group with 3 updates in the / directory: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action), [github/codeql-action](https://github.com/github/codeql-action) and [actions/stale](https://github.com/actions/stale).


Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd...d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5)

Updates `github/codeql-action` from 4.35.5 to 4.36.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/9e0d7b8d25671d64c341c19c0152d693099fb5ba...7211b7c8077ea37d8641b6271f6a365a22a5fbfa)

Updates `actions/stale` from 10.2.0 to 10.3.0
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_action-dependencies
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_action-dependencies
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-23 10:03:45 +00:00
yubiuser 230eb78ee1 Merge pull request #2894 from pi-hole/dependabot-github_actions-development-github_action-dependencies-bcb0c4251a
chore(deps): Bump github/codeql-action from 4.35.4 to 4.35.5 in the github_action-dependencies group across 1 directory
2026-05-16 12:31:13 +02:00
dependabot[bot] 3636ae8aef chore(deps): Bump github/codeql-action
Bumps the github_action-dependencies group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.35.4 to 4.35.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/68bde559dea0fdcac2102bfdf6230c5f70eb485e...9e0d7b8d25671d64c341c19c0152d693099fb5ba)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github_action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-16 10:03:37 +00:00
darkexplosiveqwx c92e52c8d3 Fix build with Fedora 44 %cmake
Signed-off-by: darkexplosiveqwx <101737077+darkexplosiveqwx@users.noreply.github.com>
2026-05-15 20:36:39 +02:00
Dominik 245c1a9698 Merge pull request #2891 from pi-hole/update/sqlite3_53_1
Update embedded SQLite3 to v3.53.1
2026-05-12 20:26:19 +02:00
Dominik 5ce1aca4d1 Update embedded SQLite3 to v3.53.1
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-05-12 19:54:47 +02:00
Dominik 5f95f7b63f Merge pull request #2881 from pi-hole/fix/civet-crash
Harden API/database races in civetweb and DB threads
2026-05-11 22:35:17 +02:00
Dominik cc57ce82dd Also fix this in the CodeQL step
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-05-11 22:13:16 +02:00
Dominik 351c5ad6d1 Merge branch 'development' into update/dnsmasq
# Conflicts:
#	CMakeLists.txt
#	src/dnsmasq/dnsmasq.h
#	src/dnsmasq/dnssec.c
2026-05-11 21:58:18 +02:00
Dominik 093fc03a67 Merge branch 'development' into fix/civet-crash 2026-05-11 21:55:42 +02:00
Dominik 6608a12078 Merge pull request #2889 from pi-hole/master
Sync master back into development
2026-05-11 21:52:31 +02:00
Dominik 82c58cc454 Merge pull request #2888 from pi-hole/fix/dnsmasq_cve_may_2026
Fix dnsmasq CVE publications
v6.6.2
2026-05-11 21:37:56 +02:00
Dominik 68ab6545be Update dnsmasq version and ftl-build container
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-05-11 20:04:50 +02:00
Simon Kelley 71e4ae997e Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
Thanks to Hugo Martinez Ray for spotting this.

The value of rdlen for an RR can be a lie, allowing the
call to extract_name() at rfc1025.c:952 to advance the value of p1
past the calculated end of the record. The makes the calculation
of bytes remaining in the RR underflow to a huge number and results
in a massive heap OOB read and certain crash.
2026-05-11 20:03:31 +02:00
Simon Kelley 6e90deaa6a Fix broken client subnet validation. CVE-2026-4893
Bug report from Royce M <royce@xchglabs.com>

Location: forward.c:713, edns0.c:421

With --add-subnet enabled, process_reply() passes the OPT record
length (~23 bytes) instead of the packet length to check_source().
All internal bounds checks fail, and the function always returns 1.
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
2026-05-11 20:03:30 +02:00
Simon Kelley c5ad2a03fe Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
Bug reported bt Royce M <royce@xchglabs.com>

Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.

Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
2026-05-11 20:03:30 +02:00
Simon Kelley cda3baf476 Verify rdlen field in RRSIG packets. CVE-2026-4891
Bug report from Royce M <royce@xchglabs.com>

This avoids crafted packets which give a value for rdlen _less_
then the space taken up by the fixed data and the signer's name
and engender a negative calculated length for the signature.
2026-05-11 20:03:30 +02:00
Simon Kelley 2a67e28575 Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
Report from Royce M <royce@xchglabs.com>.

 Location: dnssec.c:1290-1306, dnssec.c:1450-1463

The bitmap window iteration advances by p[1] instead of p[1]+2
(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
unchanged, causing an infinite loop and dnsmasq stops responding to all queries.

Reachable before RRSIG validation
(confirmed by the source comment at line 2125), so no valid
DNSSEC signatures are needed.
2026-05-11 20:03:29 +02:00
Simon Kelley ee35f95f11 Fix buffer overflow in struct bigname. CVE-2026-2291
All buffers capable of holding a domain name should be
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
size of a domain name. The accounts for the trailing zero and the
fact that some characters are escaped in the internal representation
of a domain name in dnsmasq.

The declaration of struct bigname get this wrong, with the effect
that a remote attacker capable of asking DNS queries or answering DNS
queries can cause a large OOB write in the heap.

This was first spotted by Andrew S. Fasano.
2026-05-11 20:03:29 +02:00
Dominik 02ce7d7369 Update ftl-build container and dnsmasq tag
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-05-11 19:59:05 +02:00
do litli c63a09bcdf Fix buffer OOB read in find_soa()
In find_soa() extract_name() is called with extrabytes=0 when parsing NS
record names, which means it only validates that the DNS name fits
within the packet but does not check that 10 additional bytes exist for
the type/class/TTL/rdlen fixed fields. Lines 546-549 then
unconditionally read these 10 bytes via GETSHORT/GETLONG macros. An
attacker controlling a DNS zone can craft a NXDOMAIN response where the
NS record name extends to the packet boundary, causing a 10-byte
out-of-bounds read past the valid packet data (CWE-125, CVSS 5.3
Medium). The read stays within the over-allocated packet buffer in
default configurations, limiting crash risk, but accesses data outside
the logical packet boundary. Under certain conditions, the overread may
access stale heap data from prior transactions.

The fix is straightforward: change the extrabytes
argument from 0 to 10, consistent with other call sites in
the same file.

Credit is due to do litli for finding this problem.
2026-05-11 19:50:31 +02:00