Fix memory corruption on EAGAIN return from pipe during TCP requests.

This patch fixes a buffer overflow in TCP requests. Since the read is not
actually being retried, the byte written by the child can be left
in the pipe. When that happens, cache_recv_insert() reads the length of the
name, which is now multiplied by 256 due to the extra 0 byte (8 bit shift)
and results in daemon->namebuff being overflowed.

Namebuff is immediately before the daemon struct in memory so it
ends up corrupting the beginning of the daemon struct.
Author: Frank
Date: 2020-06-20 15:17:56 +01:00
Committed by: Simon Kelley
Parent: 619000a3c5
Commit: 8270648da1


@@ -1887,7 +1887,7 @@ static void check_dns_listeners(time_t now)
single byte comes back up the pipe, which
is sent by the child after it has closed the
netlink socket. */
retry_send(read(pipefd[0], &a, 1));
while(retry_send(read(pipefd[0], &a, 1)));
#endif
break;
}
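Review bot: the empty-bodied `while(retry_send(read(pipefd[0], &a, 1)));` reads like a stray semicolon; put the `;` on its own line or add a short comment such as `/* loop until the byte is read or a non-retryable error */` so the intent survives the next edit. Also worth stating in the comment above it: the loop exits not only on a successful 1-byte read but also on a 0-byte read (write end already closed) and on any error that retry_send does not treat as retryable, and in those last two cases the result is dropped silently; if a byte is still in the pipe at that point the overflow described in the commit message is still reachable, so consider at least logging the failure.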
@@ -1928,7 +1928,7 @@ static void check_dns_listeners(time_t now)
#ifdef HAVE_LINUX_NETWORK
/* See comment above re netlink socket. */
close(daemon->netlinkfd);
retry_send(write(pipefd[1], &a, 1));
while(retry_send(write(pipefd[1], &a, 1)));
#endif
}
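Review bot: same structure as the read side, so the same two points apply to `while(retry_send(write(pipefd[1], &a, 1)));`: give the empty loop body an explicit `;` line or comment, and note that a write that fails with a non-retryable error leaves the parent waiting for a byte that never arrives, with nothing logged. A short comment here saying that the parent's read loop tolerates EOF/error would make the pairing of the two hunks explicit.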