dnsmasq segfaults on cnames referring to themselves

This was fixed upstream, in release 2.77.

Simon.

On 18/07/18 14:59, Frank Klaassen wrote:
> Public bug reported:
>
> If one would add a CNAME-record that would point to itself like so:
> CNAME=test.example.com,test.example.com
>
> This will result in a segfault and crash of the dnsmasq process.
>
> Segfault on 14.04 / dnsmasq 2.68:
> dnsmasq[22762]: segfault at 7ffe1727dff8 ip 00007f7c60cde755 sp 00007ffe1727dff0 error 6 in libc-2.19.so[7f7c60c5e000+1be000]
>
> Segfault on 16.04 / dnsmasq 2.75:
> dnsmasq[21097]: segfault at 7ffc4bf90ff8 ip 00007f268bf7ebbc sp 00007ffc4bf90ff0 error 6 in libc-2.23.so[7f268befd000+1c0000]
>
>
> Ubuntu versions affected: Ubuntu 14.04.5 LTS & Ubuntu 16.04.4 LTS
>
> dnsmasq version (14.04) 2.68-1ubuntu0.2
> dnsmasq version (16.04): 2.75-1ubuntu0.16.04.5
>
> ** Affects: dnsmasq (Ubuntu)
> Importance: Undecided
> Status: New
>

With 2.77 and later being good marking bug tasks for affected releases accordingly.

@Simon - that should be http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=903df07bcb53f175851a7c2891d60fcf64a1f6bc right?

@Frank - for the SRU processing [1] later on if th patches are somewhat applicable to 2.75 / 2.68 in the affected releases it might be helpful having a set of minimal steps to set up the CNAME-loop.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

FYI the code does not apply as-is to the older versions.
The changelog/header entries can easily be matched, but the options.c code essentially needs a rewrite to match the older versions - the ttl handling was different and also the code was in other places.

At least it would be one backport as 2.68 and 2.75 seem to have more or less the same code for this section. But I wonder how much risk we should go potentially making a bad backport or if we should consider this being a bad configuration.

At those more experienced, while a crash is always bad - is this "just" a case happing in a bad config?
It seems to violate this from the man page "--cname=<cname>,[<cname>,]<target>[,<TTL>] [...] The cname must be unique," but isn't all to clear there and obviously a fault isn't the best response even to a misconfig.
Or can there be external influences that make it affect you - like people redefining their DNS to cause you to have a loop - not sure how real that would be?

Steps to reproduce are as easy as:
  $ dnsmasq --cname localhost,localhost

bad = segfault
good = exit with "dnsmasq: CNAME loop involving localhost"

Xenial and trusty have reached end of standard support