Fix memory corruption on EAGAIN return from pipe during TCP requests.

This patch fixes a buffer overflow in TCP requests. Since the read is not
actually being retried, the byte written by the child can be left
in the pipe. When that happens, cache_recv_insert() reads the length of the
name, which is now multiplied by 256 due to the extra 0 byte (8 bit shift)
and results in daemon->namebuff being overflowed.

Namebuff is immediately before the daemon struct in memory so it
ends up corrupting the beginning of the daemon struct.
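To make the failure the message describes concrete, here is an added example, not dnsmasq code: a reader for a length-prefixed record like the one cache_recv_insert() consumes, fed the same byte stream with and without the child's stray byte drained. It assumes a little-endian host, a record layout of a native int length followed by the name bytes, and a 64-byte name buffer; the bounds check is the hardening a reader of such a pipe needs so an inflated length is rejected instead of overflowing the buffer.

```c
/* Added example (not dnsmasq code). Shows how one undrained 0 byte in the
   pipe shifts a little-endian length field by 8 bits (x256), and the bounds
   check that turns that into a rejected record rather than an overflow.
   Assumed: little-endian host, record = int length + name bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAMEBUFF_SZ 64   /* assumed name buffer size for the demo */

/* Decode a length the way a native int written by the child and read
   back by the parent appears on a little-endian host. */
static uint32_t read_le32(const unsigned char *p)
{
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
         (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one "length + name" record from stream into namebuff.
   Returns the name length, or -1 if the record is truncated or the
   length would not fit in namebuff (the check the overflow lacked). */
static int recv_name(const unsigned char *stream, size_t avail,
                     char *namebuff, size_t buffsz)
{
  if (avail < 4)
    return -1;
  uint32_t len = read_le32(stream);
  if (len >= buffsz || len > avail - 4)   /* bound the untrusted length */
    return -1;
  memcpy(namebuff, stream + 4, len);
  namebuff[len] = '\0';
  return (int)len;
}

/* Constructed stream: the child's single "netlink closed" byte (0) that
   the parent failed to read, followed by the record {len=11, "example.com"}. */
static const unsigned char desynced[] = {
  0x00,                     /* stray byte left in the pipe */
  0x0b, 0x00, 0x00, 0x00,   /* length 11, little-endian int */
  'e','x','a','m','p','l','e','.','c','o','m'
};

/* Length the parent decodes when the stray byte is still in the pipe. */
uint32_t inflated_length(void) { return read_le32(desynced); }

/* Outcome with the stray byte drained (1) or left in place (0). */
int demo(int drain_stray_byte)
{
  char namebuff[NAMEBUFF_SZ];
  size_t skip = drain_stray_byte ? 1 : 0;
  return recv_name(desynced + skip, sizeof desynced - skip,
                   namebuff, sizeof namebuff);
}
```

With the stray byte in place the decoded length is 11 << 8 = 2816, far larger than the buffer; the original reader copied that many bytes, the bounded one returns -1.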
Frank
2020-06-20 15:17:56 +01:00
committed by Simon Kelley
parent 619000a3c5
commit 8270648da1


@@ -1887,7 +1887,7 @@ static void check_dns_listeners(time_t now)
single byte comes back up the pipe, which single byte comes back up the pipe, which
is sent by the child after it has closed the is sent by the child after it has closed the
netlink socket. */ netlink socket. */
retry_send(read(pipefd[0], &a, 1)); while(retry_send(read(pipefd[0], &a, 1)));
#endif #endif
break; break;
} }
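Review bot: the loop `while(retry_send(read(pipefd[0], &a, 1)));` now actually retries the read on EAGAIN, which is the fix, but its termination relies entirely on retry_send() returning 0 for every non-retryable outcome, including read() returning 0 when the child exits before writing its byte; nothing in this hunk states that. Suggest extending the comment above the call to say that retry_send() is used here only for its retry decision and that the parent proceeds on EOF as well as on a successfully read byte, so the unchecked single call this change removes is not reintroduced later.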
@@ -1928,7 +1928,7 @@ static void check_dns_listeners(time_t now)
#ifdef HAVE_LINUX_NETWORK #ifdef HAVE_LINUX_NETWORK
/* See comment above re netlink socket. */ /* See comment above re netlink socket. */
close(daemon->netlinkfd); close(daemon->netlinkfd);
retry_send(write(pipefd[1], &a, 1)); while(retry_send(write(pipefd[1], &a, 1)));
#endif #endif
} }
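Review bot: making the write side symmetric with the read side is the right shape, but the child can now spin in `while(retry_send(write(pipefd[1], &a, 1)));` for as long as retry_send() keeps returning 1; if the parent has already closed its read end the write fails with EPIPE (or SIGPIPE terminates the child), and the hunk does not document that the loop is expected to end in that case. Suggest the "See comment above re netlink socket" comment also note that a lost parent must end this loop rather than keep the forked child alive.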