Dnsmasq does not properly check the return value of the setup_reply() function called during a TCP connection (by the tcp_request() function). This return value is then used as the size argument of a function that writes data to the client's connection. Upon successful exploitation this allows reading dnsmasq's heap memory, resulting in information disclosure: performed DNS queries, encryption keys, etc.
In more detail:
Function tcp_request() calls setup_reply() and the returned value is used as a size argument in a write function.
    m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
    /* m is not validated before being used as the write size */
    read_write(confd, packet, m + sizeof(u16), 0);
The value of m is the difference between the pointer returned by skip_questions() and the header pointer.
The return value of skip_questions() is not checked for the error case (NULL).
As a result, when NULL is returned, m becomes the negation of the header pointer (-header), i.e. a negative value.
    size_t setup_reply(struct dns_header *header, size_t qlen,
                       struct all_addr *addrp, unsigned int flags, unsigned long ttl)
    {
      unsigned char *p = skip_questions(header, qlen);  /* returns NULL on a malformed packet; not checked */
      ...
      return p - (unsigned char *)header;  /* with p == NULL this is -header, a huge size_t */
    }
read_write() checks whether its size argument is positive. On a 32-bit system size_t is 4 bytes, so the negative m fails that check and read_write() exits immediately. On a 64-bit system size_t is 8 bytes; when m is passed as a 32-bit size it may become positive if the sign bit of the 32-bit value is 0.
If m is less than 0xffffffff80000000, a remote attacker can read from the dnsmasq heap. If that condition is not met, dnsmasq exits properly.
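As an added illustration (not dnsmasq's code: the skip_questions walk, the sample query and the helper names are simplified constructions), the unchecked pattern beside a checked form, and the 32-bit truncation that decides whether the write would go ahead:

```c
#include <stddef.h>
#include <stdint.h>
#define DNS_HDR_LEN 12
/* Constructed sample (not a capture): header with qdcount = 1, then a
   "www.example.com" A/IN question. 33 bytes in total. */
static unsigned char sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
/* Stand-in for skip_questions(): pointer just past the question section,
   or NULL when the packet is truncated or malformed. */
static unsigned char *skip_questions_model(unsigned char *header, size_t qlen)
{
    if (qlen < DNS_HDR_LEN) return NULL;
    unsigned char *p = header + DNS_HDR_LEN, *end = header + qlen;
    unsigned int qdcount = (header[4] << 8) | header[5];
    while (qdcount--) {
        for (;;) {                                  /* labels of one name */
            if (p >= end) return NULL;
            unsigned int len = *p++;
            if (len == 0) break;
            if ((len & 0xc0) == 0xc0) { p++; break; }   /* compression pointer */
            p += len;
        }
        if (p > end || end - p < 4) return NULL;   /* room for qtype + qclass */
        p += 4;
    }
    return p;
}

/* The advisory's pattern: NULL minus header (integer arithmetic here so it is
   well defined) becomes a huge size_t instead of signalling an error. */
size_t setup_reply_unchecked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions_model(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened form: a NULL result yields 0, which the caller treats as no reply. */
size_t setup_reply_checked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions_model(header, qlen);
    return p ? (size_t)(p - header) : 0;
}

/* read_write() receives the size as an int: do the low 32 bits of m pass a
   "size > 0" check, so that the write would go ahead? */
int truncated_size_is_positive(size_t m)
{
    return (int)(uint32_t)m > 0;
}
```

Feeding a query cut short at 20 bytes makes the unchecked version return a value far larger than the packet, while the checked version returns 0.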
Nick Sampanis (n.sampanis[a t]obrela[do t]com)
Unchecked return value CVE-2015-3294
07/04/2015 – 09/04/2015
Solution – fix & patch:
Please download dnsmasq-2.73rc4.tar.gz