From 83658efbf4ba0d313e8e9628fa6f8e7d4f0944cf Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 4 Apr 2025 22:01:51 +0100 Subject: [PATCH] Fix occasional crashes with DNSSEC and large nunbers of --address configs. Commit 3e659bd4ec6525ebe4518fd10b8e183997f46351 removed the concept of an usptream DNS server which is capable of DNSSEC: they are all (at least in theory) now usable. As a very unfortunate side-effect, this removed the filter that ensured that dnssec_server() ONLY returns servers, and not domains with literal addresses. If we try and do DNSSEC queries for a domain, and there's a --address line which matches the domain, then dnssec_server() will return that. This would break DNSSEC validation, but that's turns out not to matter, because under these circumstances dnssec_server() will probably return an out-of-bounds index into the servers[] array, and the process dies with SIGSEGV. Many thanks to the hard workers at the Tomato project who found this bug and provided enough information to diagnose it. --- src/domain-match.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/domain-match.c b/src/domain-match.c index 663b3c9..491aefd 100644 --- a/src/domain-match.c +++ b/src/domain-match.c @@ -467,7 +467,7 @@ int dnssec_server(struct server *server, char *keyname, int *firstp, int *lastp) /* Find server to send DNSSEC query to. This will normally be the same as for the original query, but may be another if servers for domains are involved. */ - if (!lookup_domain(keyname, F_DNSSECOK, &first, &last)) + if (!lookup_domain(keyname, F_SERVER | F_DNSSECOK, &first, &last)) return -1; for (index = first; index != last; index++)