DHCPv6 has the same problem. >From 9c03568ab6e35408e7833b0621246b1e91812503 Mon Sep 17 00:00:00 2001 From: renmingshuai <renmingsh...@huawei.com> Date: Fri, 2 Aug 2024 17:08:59 +0800 Subject: [PATCH] DCHPv6:Fix a coredump and UAF caused by trying to free non-heap objects as DHCPv4 did.
---
 src/rfc3315.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 400d939..770e4ff 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -266,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 struct dhcp_opt *opt_cfg;
 struct dhcp_netid *tagif;
 struct dhcp_config *config = NULL;
- struct dhcp_netid known_id, iface_id, v6_id;
+ struct dhcp_netid known_id;
 unsigned char outmsgtype;
 struct dhcp_vendor *vendor;
 struct dhcp_context *context_tmp;
@@ -287,14 +287,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 state->fqdn_flags = 0x01; /* default to send if we receive no FQDN option */
 /* set tag with name == interface */
- iface_id.net = state->iface_name;
- iface_id.next = state->tags;
- state->tags = &iface_id;
+ state->tags = dhcp_netid_create(state->iface_name, state->tags);
 /* set tag "dhcpv6" */
- v6_id.net = "dhcpv6";
- v6_id.next = state->tags;
- state->tags = &v6_id;
+ state->tags = dhcp_netid_create("dhcpv6", state->tags);
 start_msg = save_counter(-1);
 /* copy over transaction-id */
@@ -406,8 +402,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 for (i = 0; i <= (opt6_user_vendor_len(enc_opt) - vendor->len); i++) if (memcmp(vendor->data, opt6_user_vendor_ptr(enc_opt, i), vendor->len) == 0) {
- vendor->netid.next = state->tags;
- state->tags = &vendor->netid;
+ state->tags = dhcp_netid_create(vendor->netid.net, state->tags);
 break;
 }
 }
@@ -452,8 +447,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 if (match) {
- opt_cfg->netid->next = state->tags;
- state->tags = opt_cfg->netid;
+ state->tags = dhcp_netid_create(opt_cfg->netid->net, state->tags);
 }
 }
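Review bot: `known_id` is still declared as a stack `struct dhcp_netid` in the -266 hunk, while `iface_id` and `v6_id` are removed. If code further down dhcp6_no_relay (outside this hunk) still links `&known_id` into `state->tags`, the list keeps one non-heap node, and whatever frees the list would hit the same invalid free this patch is meant to remove. Either create that tag through `dhcp_netid_create()` as well, or, once confirmed, add a comment at the declaration such as `/* known_id is never linked into state->tags, so it may live on the stack */`. The function body starts and ends outside the hunk.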
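Review bot: The result of `dhcp_netid_create()` is assigned straight to `state->tags` at both call sites in the -287 hunk without a check. The helper's definition is not part of this diff; if it can return NULL on allocation failure, the list head is overwritten and every tag collected so far is lost and leaked, which silently changes which tagged options and address ranges are applied to the client. Keep the old head on failure, for example `struct dhcp_netid *n = dhcp_netid_create(state->iface_name, state->tags);` followed by `if (n) state->tags = n;`, or bail out of the function. The same unchecked assignment is repeated in the hunks at -406, -452, -470 and -534.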
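Review bot: Ownership of the nodes added in the -406 hunk is undocumented: each matching vendor class now costs one heap node per received packet, and nothing in this diff shows where the DHCPv6 path releases `state->tags`. If that release is missing or skipped on an early-return path, memory grows with every request handled; if it exists, it must not free the borrowed `net` pointer (here `vendor->netid.net`, which points into the configuration) or any tail nodes the caller passed in that are not heap objects. A comment at the call site would pin this down, e.g. `/* node is owned by state->tags and released with the list; net is borrowed from the config and must not be freed */`. The same applies to the hunks at -452, -470 and -534.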
@@ -470,8 +464,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 ((unsigned)mac_opt->hwaddr_type == state->mac_type || mac_opt->hwaddr_type == 0) && memcmp_masked(mac_opt->hwaddr, state->mac, state->mac_len, mac_opt->mask)) {
- mac_opt->netid.next = state->tags;
- state->tags = &mac_opt->netid;
+ state->tags = dhcp_netid_create(mac_opt->netid.net, state->tags);
 }
 } else if (option_bool(OPT_LOG_OPTS))
@@ -534,8 +527,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 if (hostname_isequal(state->client_hostname, m->name) && (save == 0 || m->wildcard)) {
- m->netid->next = state->tags;
- state->tags = m->netid;
+ state->tags = dhcp_netid_create(m->netid->net, state->tags);
 }
 if (save != 0)
--
2.33.0