Dnsmasq 2.72 Unchecked returned value Apr 23 2015 08:47AM
Nick Sampanis (n sampanis obrela com)
"Dnsmasq 2.72 Unchecked returned value"

Dnsmasq does not properly check the return value of the setup_reply()
function called during a tcp connection (by the tcp_request() function).
This return value is then used as a size argument in a function which writes
data on the client's connection. This may lead, upon successful
exploitation, to reading the heap memory of dnsmasq.

In more detail:
Function tcp_request() calls setup_reply() and the returned value is used as
a size argument in a write function.

m = setup_reply(header, (unsigned int)size, addrp, flags,
read_write(confd, packet, m + sizeof(u16), 0));

The m variable is determined by a subtraction between the
return of skip_questions() and header pointer.
The return value of skip_question doesn't checked for error(NULL).
As a result the negative value of pointer(-header), might returned.

size_t setup_reply(struct dns_header *header, size_t qlen,
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
unsigned char *p = skip_questions(header, qlen)
return p - (unsigned char *)header

read_write checks if the size argument is positive. In case of a 32 bit
size_t m would be 4 bytes and read_write will automatically exit. In case of
bit system size_t m is 8 bytes and may turn to positive if the sign bit of
32 bit value is 0.

If m is less than 0xffffffff80000000, dnsmasq will be exploited by a
potential attacker who will remotely read dnsmasq heap. If the above
condition is not met, dnsmasq exits properly.

Nick Sampanis (n.sampanis[a t]obrela[do t]com)

Unchecked return value CVE-2015-3294

Identification date:
07/04/2015 - 09/04/2015

Solution - fix & patch
Please download dnsmasq-2.73rc4.tar.gz


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus