Sync master back into development#2889
Merged
All buffers capable of holding a domain name should be at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum size of a domain name. This accounts for the trailing zero and the fact that some characters are escaped in the internal representation of a domain name in dnsmasq. The declaration of struct bigname gets this wrong, with the effect that a remote attacker capable of asking DNS queries or answering DNS queries can cause a large OOB write in the heap. This was first spotted by Andrew S. Fasano.
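Added example (not dnsmasq's code, and not part of the commit above) showing why a presentation buffer sized MAXDNAME+1 is not enough once escaping is involved. The escaper is a simplification: it assumes only '.' and '\' are escaped, and it escapes every byte of the input rather than per-label, so the worst case is exactly two output bytes per input byte plus the NUL. The 255-byte MAXDNAME value and the helper names are assumptions for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed: 255 is the DNS maximum wire-format name length (RFC 1035). */
#define MAXDNAME 255

/* Escape raw name bytes into a presentation buffer.  '.' and '\\' become two
 * bytes, everything else one byte.  Returns the number of bytes written
 * (excluding the NUL), or -1 if dst is too small.  Hypothetical helper
 * illustrating the MAXDNAME*2 + 1 sizing rule; not dnsmasq code. */
int escape_name_bytes(char *dst, size_t dstsize, const unsigned char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        size_t need = (c == '.' || c == '\\') ? 2 : 1;
        if (out + need + 1 > dstsize)      /* +1 keeps room for the trailing NUL */
            return -1;
        if (need == 2)
            dst[out++] = '\\';
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Worst-case bytes a name of wirelen bytes can occupy after escaping. */
size_t escaped_capacity(size_t wirelen)
{
    return wirelen * 2 + 1;
}

/* "a.b" (3 bytes) escapes to "a\.b" (4 bytes): returns 1 when that holds. */
int demo_small_escape(void)
{
    char buf[16];
    int n = escape_name_bytes(buf, sizeof buf, (const unsigned char *)"a.b", 3);
    return n == 4 && strcmp(buf, "a\\.b") == 0;
}

/* A MAXDNAME-byte name made entirely of '.' needs 2*MAXDNAME bytes plus NUL.
 * A MAXDNAME+1 buffer is rejected, a MAXDNAME*2+1 buffer is enough.
 * Returns 1 when both sizes behave that way. */
int demo_buffer_sizing(void)
{
    unsigned char worst[MAXDNAME];          /* constructed worst-case input */
    memset(worst, '.', sizeof worst);
    char small[MAXDNAME + 1];
    char big[MAXDNAME * 2 + 1];
    int r_small = escape_name_bytes(small, sizeof small, worst, sizeof worst);
    int r_big   = escape_name_bytes(big, sizeof big, worst, sizeof worst);
    return r_small == -1 && r_big == MAXDNAME * 2;
}
```

The bounded escaper fails closed; an unbounded one writing into a MAXDNAME+1 buffer would overrun it by up to MAXDNAME bytes on the same input.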
Report from Royce M <royce@xchglabs.com>. Location: dnssec.c:1290-1306, dnssec.c:1450-1463 The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are unchanged, causing an infinite loop and dnsmasq stops responding to all queries. Reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
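Added example (not dnsmasq's code, not part of the report above) of walking an NSEC "Type Bit Maps" field as laid out in RFC 4034 section 4.1.2: repeated [window number][bitmap length][bitmap]. The walker advances by bitmap length plus the 2-byte window header, and treats a bitmap length of 0 (or over 32, or one that overruns rdlen) as malformed instead of looping. The function takes only the bitmap portion of the RDATA, not the preceding next-owner name, and the sample bitmaps are constructed for the test, not captured from a zone.

```c
#include <stddef.h>
#include <stdint.h>

/* Returns 1 if rrtype is set in the type bitmap, 0 if not, -1 if the
 * field is malformed.  Each window costs len + 2 bytes to skip. */
int nsec_type_present(const uint8_t *p, size_t rdlen, uint16_t rrtype)
{
    uint8_t want_window = rrtype >> 8;
    uint8_t want_bit    = rrtype & 0xff;

    while (rdlen > 0) {
        if (rdlen < 2)
            return -1;                          /* truncated window header */
        uint8_t window = p[0];
        uint8_t len    = p[1];
        /* len == 0 would stall a loop that advances by p[1] alone;
         * RFC 4034 requires 1 <= len <= 32. */
        if (len == 0 || len > 32 || (size_t)len + 2 > rdlen)
            return -1;
        if (window == want_window) {
            size_t byte = want_bit / 8;
            if (byte < len) {
                uint8_t mask = (uint8_t)(0x80 >> (want_bit % 8)); /* bit 0 = MSB */
                return (p[2 + byte] & mask) ? 1 : 0;
            }
            return 0;                           /* window too short: type absent */
        }
        p     += (size_t)len + 2;               /* header AND bitmap, not len alone */
        rdlen -= (size_t)len + 2;
    }
    return 0;
}

/* Constructed sample bitmaps (not from a real response). */
static const uint8_t good_bitmap[] = {
    0x00, 0x01, 0x62,   /* window 0, 1 byte: types 1 (A), 2 (NS), 6 (SOA) */
    0x01, 0x01, 0x40    /* window 1, 1 byte: type 257 (CAA) */
};
static const uint8_t stalled_bitmap[] = { 0x00, 0x00 }; /* bitmap length 0 */

int demo_good(void)
{
    return nsec_type_present(good_bitmap, sizeof good_bitmap, 1)   == 1
        && nsec_type_present(good_bitmap, sizeof good_bitmap, 6)   == 1
        && nsec_type_present(good_bitmap, sizeof good_bitmap, 16)  == 0  /* TXT */
        && nsec_type_present(good_bitmap, sizeof good_bitmap, 257) == 1
        && nsec_type_present(good_bitmap, sizeof good_bitmap, 258) == 0;
}

/* A zero-length window is rejected rather than spun on forever. */
int demo_stalled(void)
{
    return nsec_type_present(stalled_bitmap, sizeof stalled_bitmap, 1) == -1;
}
```

The check that matters for the denial of service is the `len == 0` test: without it a bitmap length of zero leaves both the pointer and the remaining length unchanged on every iteration.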
Bug report from Royce M <royce@xchglabs.com> This avoids crafted packets which give a value for rdlen _less_ than the space taken up by the fixed data and the signer's name and engender a negative calculated length for the signature.
Bug reported by Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
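Added example (not dnsmasq's or the helper's code) putting the unbounded hex-encoding pattern next to a bounded one. The 5131-byte destination and the 1000-byte client id follow the sizes named in the report; the id bytes themselves are a constructed pattern, not a captured DUID, and the function names are assumptions. The unbounded encoder is only ever called on input that fits; the point is that it has no way to refuse input that does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PACKET_SIZE 5131      /* assumed: scratch buffer size from the report */
#define MAX_CLID    65535     /* DHCPv6 option data length limit */

/* Unbounded pattern: two hex digits per input byte, never looks at the
 * destination size.  Writes 2*len + 1 bytes regardless of room. */
void hex_encode_unbounded(char *dst, const unsigned char *src, size_t len)
{
    char *p = dst;
    for (size_t i = 0; i < len; i++)
        p += sprintf(p, "%.2x", src[i]);
    *p = '\0';
}

/* Bounded form: encodes only as many bytes as fit with a NUL and returns
 * the number of input bytes actually encoded (truncation is visible). */
size_t hex_encode_bounded(char *dst, size_t dstsize, const unsigned char *src, size_t len)
{
    if (dstsize == 0)
        return 0;
    size_t max_bytes = (dstsize - 1) / 2;
    size_t n = len < max_bytes ? len : max_bytes;
    for (size_t i = 0; i < n; i++)
        snprintf(dst + 2 * i, 3, "%02x", src[i]);
    dst[2 * n] = '\0';
    return n;
}

/* Constructed client ids: a repeating byte pattern, not real DUIDs. */
static unsigned char clid[MAX_CLID];
static char packet[PACKET_SIZE];

static void fill_clid(size_t len)
{
    for (size_t i = 0; i < len; i++)
        clid[i] = (unsigned char)i;
}

/* A 1000-byte id into the 5131-byte buffer: fits, all 1000 bytes encoded. */
size_t demo_1000_into_packet(void)
{
    fill_clid(1000);
    return hex_encode_bounded(packet, sizeof packet, clid, 1000);
}

/* The DHCPv6 maximum into the same buffer: bounded encoder keeps only the
 * (5131-1)/2 = 2565 bytes that fit instead of writing 131071 bytes. */
size_t demo_max_into_packet(void)
{
    fill_clid(MAX_CLID);
    return hex_encode_bounded(packet, sizeof packet, clid, MAX_CLID);
}

/* Both encoders agree whenever the input does fit. */
int demo_agree(void)
{
    char a[64], b[64];
    unsigned char id[] = { 0x00, 0x01, 0xab, 0xff };
    hex_encode_unbounded(a, id, sizeof id);
    hex_encode_bounded(b, sizeof b, id, sizeof id);
    return strcmp(a, b) == 0 && strcmp(a, "0001abff") == 0;
}
```

Returning the number of encoded bytes lets the caller log that the id was truncated, which is the behaviour the report credits log6_packet() with (a hard cap) rather than silent overflow.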
Bug report from Royce M <royce@xchglabs.com> Location: forward.c:713, edns0.c:421 With --add-subnet enabled, process_reply() passes the OPT record length (~23 bytes) instead of the packet length to check_source(). All internal bounds checks fail, and the function always returns 1. ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
Thanks to Hugo Martinez Ray for spotting this. The value of rdlen for an RR can be a lie, allowing the call to extract_name() at rfc1025.c:952 to advance the value of p1 past the calculated end of the record. This makes the calculation of bytes remaining in the RR underflow to a huge number and results in a massive heap OOB read and certain crash.
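Added example (not dnsmasq's code) serving both the "rdlen less than fixed data plus signer name" message and the "rdlen can be a lie" message above: it computes the bytes left in an RR after a fixed header and an embedded name, checking rdlen against the packet and the parsed name against the claimed RDATA end before any subtraction, so the remaining length can neither go negative nor wrap. The name skipper rejects compression pointers to stay short (an assumption; a real parser must follow them), the RRSIG-style layout of 18 fixed bytes then a name is used only as the shape of the test data, and the sample RDATA is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Skip an uncompressed wire-format name starting at pkt[off].  Returns the
 * offset just past the root label, or 0 if the name is malformed or would
 * run off the packet.  Compression pointers are rejected (simplification). */
size_t skip_name(const uint8_t *pkt, size_t pktlen, size_t off)
{
    while (off < pktlen) {
        uint8_t l = pkt[off];
        if (l == 0)
            return off + 1;
        if (l & 0xC0)
            return 0;                        /* pointer: not handled here */
        if (l > 63 || off + 1 + l >= pktlen)
            return 0;                        /* label overruns the packet */
        off += 1 + l;
    }
    return 0;
}

/* RDATA starts at rdata_off with claimed length rdlen and is laid out as
 * [fixed bytes][name][tail].  On success stores the tail length and returns
 * 0; returns -1 when rdlen lies about the packet or about the name.
 * Every check happens before the subtraction, so *tail cannot underflow. */
int rr_tail_len(const uint8_t *pkt, size_t pktlen, size_t rdata_off,
                uint16_t rdlen, size_t fixed, size_t *tail)
{
    if (rdata_off > pktlen || rdlen > pktlen - rdata_off)
        return -1;                           /* rdlen overruns the packet */
    size_t rdata_end = rdata_off + rdlen;
    if (fixed > rdlen)
        return -1;                           /* no room even for fixed fields */
    size_t name_end = skip_name(pkt, pktlen, rdata_off + fixed);
    if (name_end == 0 || name_end > rdata_end)
        return -1;                           /* name runs past claimed RDATA */
    *tail = rdata_end - name_end;            /* safe: name_end <= rdata_end */
    return 0;
}

/* Constructed RRSIG-shaped RDATA: 18 fixed bytes, signer name "a.",
 * then 4 tail bytes standing in for a signature.  Not a real record. */
static const uint8_t rdata[] = {
    0,1, 8, 1, 0,0,0,60, 0,0,0,0, 0,0,0,0, 0x12,0x34,   /* 18 fixed bytes */
    1,'a',0,                                             /* signer name */
    0xde,0xad,0xbe,0xef                                  /* tail */
};

/* Honest rdlen: 25 bytes total, 4 bytes of tail. */
int demo_honest_rdlen(void)
{
    size_t tail = 0;
    return rr_tail_len(rdata, sizeof rdata, 0, (uint16_t)sizeof rdata, 18, &tail) == 0
        && tail == 4;
}

/* rdlen of 19 is less than fixed + name (21): a naive rdlen - consumed
 * would wrap to a huge unsigned value; here it is rejected. */
int demo_short_rdlen(void)
{
    size_t tail = 0;
    return rr_tail_len(rdata, sizeof rdata, 0, 19, 18, &tail) == -1;
}

/* rdlen of 200 claims more RDATA than the packet holds. */
int demo_long_rdlen(void)
{
    size_t tail = 0;
    return rr_tail_len(rdata, sizeof rdata, 0, 200, 18, &tail) == -1;
}
```

The order of the checks is the point: clamp rdlen to the packet first, then bound the name by the clamped RDATA end, and only then subtract.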
Signed-off-by: Dominik <dl6er@dl6er.de>
Fix dnsmasq CVE publications
DL6ER approved these changes on May 11, 2026
Created by Github action