From 8270648da1eae77db381b848a47d79b85c206e29 Mon Sep 17 00:00:00 2001
From: Frank
Date: Sat, 20 Jun 2020 15:17:56 +0100
Subject: [PATCH] Fix memory corruption on EAGAIN return from pipe during TCP requests.
This patch fixes a buffer overflow in TCP requests. Since the read is not actually being retried, the byte written by the child can be left in the pipe. When that happens, cache_recv_insert() reads the length of the name, which is now multiplied by 256 due to the extra 0 byte (8 bit shift) and results in daemon->namebuff being overflowed. Namebuff is immediately before the daemon struct in memory so it ends up corrupting the beginning of the daemon struct.
---
 src/dnsmasq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 6481de8..e0197af 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1887,7 +1887,7 @@ static void check_dns_listeners(time_t now)
 single byte comes back up the pipe, which is sent by the child after it has closed the netlink socket. */
- retry_send(read(pipefd[0], &a, 1));
+ while(retry_send(read(pipefd[0], &a, 1)));
 #endif
 break;
 }
@@ -1928,7 +1928,7 @@ static void check_dns_listeners(time_t now)
 #ifdef HAVE_LINUX_NETWORK
 /* See comment above re netlink socket. */
 close(daemon->netlinkfd);
- retry_send(write(pipefd[1], &a, 1));
+ while(retry_send(write(pipefd[1], &a, 1)));
 #endif
 }
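Review bot: The loop on the `+` line in the first hunk still discards what read() finally returned, so a 0-byte return (write end gone) or an error that retry_send() does not retry falls straight through to `break;` as if the child's sync byte had been consumed, which is the same parent/child desync the commit is fixing, only on a different error path; the write() loop in the second hunk (around line 1931) has the same gap. If retry_send() asks for a retry only when the call returned -1, as its use here suggests, keeping the result is a small change: `ssize_t rc;` / `while ((rc = read(pipefd[0], &a, 1)) == -1 && retry_send(rc));` / `if (rc != 1) { /* sync byte not consumed: log it and do not continue as if the child had synced */ }`. The empty-bodied `while (...);` is also easy to misread as a stray semicolon; putting the `;` on its own line or adding `/* retry on EAGAIN/EINTR */` makes the intent visible. Since the description says cache_recv_insert() derives a name length from bytes read off the pipe, bounds-checking that length against the size of daemon->namebuff would keep any future desync from becoming an overflow, though that code is outside this patch. check_dns_listeners() starts and ends outside both hunks.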