[Bug 47438] Re: Dnsmasq crashes when renewing non-existent lease
Thierry Carrez
thierry.carrez at canonical.com
Tue Jun 24 10:04:21 BST 2008
This issue has security implications: you could exploit it to (at least) crash the dnsmasq server.
I backported the fix from dnsmasq 2.26 and tested it OK.
I could not build an easy reproducer; I spent a few hours on it, but I
guess I did not get the broadcast/martian right. Here is how I reproduced
it and tested the fix:
Have one machine/VM as a DHCP client, another as DHCP server.
Make sure nobody else (including libvirt-bin!) provides DHCP service on the network the test machines are connected to.
Configure DHCP server on a network A (192.168.123.0/24 for example) to serve addresses there, with small DHCP leases
Start DHCP client so that it gets an address lease on network A (let's say 192.168.123.51)
Reconfigure network and dnsmasq on server so that it now serves a network B (192.168.122.0/24 for example)
Wait for client to try to renew its lease.
Starting at around half lease life it will try several times (and fail) to renew its lease.
At the end of the lease it will broadcast a martian DHCPREQUEST from 192.168.123.51, triggering the crash in dnsmasq:
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4
With the fixed version, we get:
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPOFFER(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPACK(eth0) 192.168.122.51 52:54:00:1a:49:e4 hardy-test
** Attachment added: "dnsmasq_2.25-1ubuntu0.1.debdiff"
http://launchpadlibrarian.net/15555007/dnsmasq_2.25-1ubuntu0.1.debdiff
** This bug has been flagged as a security issue
--
Dnsmasq crashes when renewing non-existent lease
https://bugs.launchpad.net/bugs/47438
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in ubuntu.
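
Detection logic for the crash signature in the log excerpts above, added here as an example; it is not part of the original message or of dnsmasq. It flags a kernel segfault line for a dnsmasq PID that follows a "wrong network" DHCPNAK from the same PID on the same host; the function names, the 5-second window and the `year` argument (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input assembled from the syslog excerpts quoted in the message above.
SAMPLE_LOG = """\
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
"""

STAMP = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
NAK = re.compile(STAMP + r"dnsmasq\[(?P<pid>\d+)\]: DHCPNAK\([^)]+\) "
                 r"(?P<ip>\S+) (?P<mac>\S+) wrong network")
SEGV = re.compile(STAMP + r"kernel: (?:\[[^\]]*\] )?dnsmasq\[(?P<pid>\d+)\]: "
                  r"segfault at (?P<addr>[0-9a-f]+)")

def _when(ts, year):
    # Syslog omits the year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_crashes(log_text, window=timedelta(seconds=5), year=2008):
    """Return one dict per dnsmasq segfault preceded, within `window`,
    by a 'wrong network' DHCPNAK logged by the same PID on the same host."""
    last_nak = {}  # (host, pid) -> (time, client ip, client mac)
    hits = []
    for line in log_text.splitlines():
        m = NAK.match(line)
        if m:
            last_nak[(m["host"], m["pid"])] = (_when(m["ts"], year), m["ip"], m["mac"])
            continue
        m = SEGV.match(line)
        if not m:
            continue
        nak = last_nak.pop((m["host"], m["pid"]), None)
        if nak and timedelta(0) <= _when(m["ts"], year) - nak[0] <= window:
            hits.append({"host": m["host"], "pid": int(m["pid"]),
                         "client_ip": nak[1], "client_mac": nak[2],
                         "fault_addr": m["addr"]})
    return hits

if __name__ == "__main__":
    for hit in find_crashes(SAMPLE_LOG):
        print(hit)
```

The fixed-version lines for PID 3643 produce no hit, because the NAK there is followed by a normal DHCPDISCOVER rather than a segfault.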