Dnsmasq crashes when renewing non-existent lease

Bug #47438 reported by Izak Burger
Affects | Status | Importance | Assigned to | Milestone
dnsmasq (Ubuntu) | Fix Released | Medium | Unassigned |
Dapper | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: dnsmasq

Refer to freshmeat page:

http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681

Dapper ships with version 2.25 of dnsmasq which has the above bug. Debian testing already ships 2.31, which compiles out of the box once you dial back the dbus-1-2 build-depends to 0.60. Suggested fix: upgrade dnsmasq to 2.31 in dapper.

Simon Schmidig (schmidig) wrote :

I can confirm this:
Jun 4 14:47:01 localhost dnsmasq[5542]: DHCPREQUEST(eth0) 192.168.10.104 00:11:24:35:99:a0
Jun 4 14:47:01 localhost dnsmasq[5542]: DHCPNAK(eth0) 192.168.10.104 00:11:24:35:99:a0 wrong network
Jun 4 14:47:01 localhost kernel: [46803.837739] dnsmasq[5542]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffff

Nuno Carvalho (rekconk) wrote :

I confirm too:

Starting DNS forwarder and DHCP server: dnsmasqdnsmasq: started, version 2.25 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt RTNetlink ISC-leasefile no-DBus I18N
dnsmasq: DHCP, IP range 192.168.1.129 -- 192.168.1.190, lease time 12h
dnsmasq: using local addresses only for domain XXX.XXX
dnsmasq: read /etc/hosts - 13 addresses
dnsmasq: reading /etc/ppp/resolv.conf
dnsmasq: using nameserver X.X.X.X#53
dnsmasq: using nameserver X.X.X.X#53
dnsmasq: using local addresses only for domain XXX.XXX

dnsmasq: DHCPREQUEST(eth0) 192.168.82.148 00:11:24:72:44:d2
dnsmasq: DHCPNAK(eth0) 192.168.82.148 00:11:24:72:44:d2 wrong network
/etc/init.d/dnsmasq: line 49: 11669 Segmentation fault start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- ${MAILHOSTNAME:+ -m $MAILHOSTNAME} ${MAILTARGET:+ -t $MAILTARGET} ${DNSMASQ_USER:+ -u $DNSMASQ_USER} ${DNSMASQ_INTERFACE:+ $DNSMASQ_INTERFACES} ${DHCP_LEASE:+ -l $DHCP_LEASE} ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} ${RESOLV_CONF:+ -r $RESOLV_CONF} ${CACHESIZE:+ -c $CACHESIZE} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS}
 (failed).

René Fleschenberg (rene.f) wrote :

I can confirm this bug, too. And IMHO, it is a rather severe one. Caused me quite some trouble after moving an important DHCP server to Ubuntu :-/

Izak Burger (isburger) wrote : Re: [Bug 47438] Re: Dnsmasq crashes when renewing non-existent lease

Hi René

I just took the latest version from packages.debian.org and compiled
it on the box. It has been working fine for several months now.

regards,
Izak

Ps. Korteklippe, interesting domain name, it means short stones? In
Dutch it probably would, but I know short is "kurz auf Deutsch" so I'm
probably wrong there.

René Fleschenberg (rene.f) wrote : Re: [Bug 47438] Re: [Bug 47438] Re: Dnsmasq crashes when renewing non-existent lease

Hi

> I just took the latest version from packages.debian.org and compiled
> it on the box. It has been working fine for several months now.

Thanks for the hint. I did something similar and downloaded the sources
from upstream and compiled and installed them. Works well so far. I wonder
about the Ubuntu package though. The maintainer seems to be inactive (bug
still not confirmed after several months). Do you know what would be the
right route to take to get the fix backported to Dapper?

> Ps. Korteklippe, interesting domain name, it means short stones? In
> Dutch it probably would, but I know short is "kurz auf Deutsch" so I'm
> probably wrong there.

Klippe means "cliff". "Korteklippe" is the name of a certain cliff in my
home city which is a somewhat popular meeting point.
"Korte" itself is not a modern German word. It may relate to a Middle High
German word meaning "herd", but I don't know for sure. A point of view
look from the place is shown on the JPEG image at
http://www.korteklippe.de

--
René
OpenPGP key id: 0x63B1F5DB
JID: <email address hidden>

Izak Burger (isburger) wrote : Re: [Bug 47438] Re: [Bug 47438] Re: [Bug 47438] Re: Dnsmasq crashes when renewing non-existent lease

On 9/5/06, René Fleschenberg <email address hidden> wrote:
> Do you know what would be the
> right route to take to get the fix backported to Dapper?

Did a bit of research. Seems like we need to talk to the Masters of
the Universe:

https://wiki.ubuntu.com/MOTU

Lars Brønseth (lars-pillstoswallow) wrote :

I can confirm the same problem. It is such an annoying bug, and seeing that edgy has a newer and more stable version is not cool either.

Mar 18 20:06:36 [hostname] dnsmasq[20837]: DHCPREQUEST(eth0) 10.0.0.5 00:02:3f:6a:c1:26
Mar 18 20:06:36 [hostname] dnsmasq[20837]: DHCPNAK(eth0) 10.0.0.5 00:02:3f:6a:c1:26 wrong network

Does anyone know if it's planned to put a new version up?

David Tomaschik (matir) wrote :

This bug still occurs... could we please get an update?

Thierry Carrez (ttx)
Changed in dnsmasq:
assignee: nobody → tcarrez
status: New → Confirmed
Thierry Carrez (ttx) wrote :

This issue has security implications, you could exploit it to (at least) crash the dnsmasq server.
I backported the fix from dnsmasq 2.26 and tested it OK.

I could not build an easy reproducer, spent a few hours around it but I guess I did not get the broadcast/martian right. Here is how I reproduced it and tested the fix:

Have one machine/VM as a DHCP client, another as DHCP server.
Make sure nobody else (including libvirt-bin!) provides DHCP service on the network the test machines are connected to.
Configure DHCP server on a network A (192.168.123.0/24 for example) to serve addresses there, with small DHCP leases
Start DHCP client so that it gets an address lease on network A (let's say 192.168.123.51)
Reconfigure network and dnsmasq on server so that it now serves a network B (192.168.122.0/24 for example)
Wait for client to try to renew its lease.
Starting at around half lease life it will try several times (and fail) to renew its lease.
At the end of the lease it will broadcast a martian DHCPREQUEST from 192.168.123.51, triggering the crash in dnsmasq:

Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4

With the fixed version, we get:
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPOFFER(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPACK(eth0) 192.168.122.51 52:54:00:1a:49:e4 hardy-test
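
A log check for the crash signature shown in the comment above, added here as an example (it is not code from this bug report or from dnsmasq): it flags a dnsmasq segfault that follows a "wrong network" DHCPNAK from the same host and PID. The function name, the 5-second window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Classic syslog line: "Jun 24 10:20:28 host message" (the stamp carries no year).
LINE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
NAK = re.compile(r"dnsmasq\[(\d+)\]: DHCPNAK\((\S+)\) (\S+) (\S+) wrong network")
SEGV = re.compile(r"kernel: .*?dnsmasq\[(\d+)\]: segfault at")

# Log lines copied from the comment above: the crash, then the fixed build.
SAMPLE = """\
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
""".splitlines()


def find_nak_crashes(lines, window_s=5, year=2000):
    """Return one finding per dnsmasq segfault that follows a 'wrong network'
    DHCPNAK from the same host and PID within window_s seconds."""
    last_nak = {}  # (host, pid) -> (timestamp, iface, client_ip, mac)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        mon, day, clock, host, rest = m.groups()
        # year is an assumption: syslog omits it, and a leap year parses Feb 29
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        nak, segv = NAK.match(rest), SEGV.match(rest)
        if nak:
            pid, iface, ip, mac = nak.groups()
            last_nak[(host, pid)] = (ts, iface, ip, mac)
        elif segv:
            prev = last_nak.pop((host, segv.group(1)), None)
            if prev and timedelta(0) <= ts - prev[0] <= timedelta(seconds=window_s):
                findings.append({"host": host, "pid": int(segv.group(1)),
                                 "iface": prev[1], "client_ip": prev[2],
                                 "mac": prev[3], "time": clock})
    return findings


if __name__ == "__main__":
    for hit in find_nak_crashes(SAMPLE):
        print("dnsmasq crash after wrong-network DHCPNAK:", hit)
```

On the sample, only PID 3482 is reported; the fixed build (PID 3643) sends the same DHCPNAK and keeps running, so it produces no finding.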

Changed in dnsmasq:
status: Confirmed → In Progress
Thierry Carrez (ttx)
Changed in dnsmasq:
assignee: tcarrez → nobody
status: In Progress → Triaged
Thierry Carrez (ttx) wrote :

Fixed in current development version (and in all versions since Edgy). Opening a dapper task

Changed in dnsmasq:
status: Triaged → Fix Released
Changed in dnsmasq:
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

dnsmasq (2.25-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: crash when renewing a lease from clients that think
    they are on another network can be used as a denial of service attack.
  * src/rfc2131.c: backport of the dnsmasq 2.26 fix (Fixes LP: #47438)
  * References
    CVE-2008-3214

Changed in dnsmasq:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
