Bug 920300

Summary: [abrt] dnsmasq-2.65-4.fc18: strcpy: Process /usr/sbin/dnsmasq was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: dnsmasq
Assignee: Tomáš Hozza <thozza>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: aquini, itamar, laine, thozza, veillard
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:01a8ff3d531955a11f55a3dd25cfb66383d8111e
Doc Type: Bug Fix
Last Closed: 2013-04-04 23:54:24 UTC
Attachments (description, flags):
File: backtrace (flags: none)
File: build_ids (flags: none)
File: cgroup (flags: none)
File: core_backtrace (flags: none)
File: dso_list (flags: none)
File: environ (flags: none)
File: limits (flags: none)
File: maps (flags: none)
File: open_fds (flags: none)
File: proc_pid_status (flags: none)
quick fix for 2.65 per Simon Kelly (flags: none)
Fix for segfault (flags: none)

Description Gene Czarcinski 2013-03-11 18:26:33 UTC
Description of problem:
dnsmasq segfaults when the configuration file contains:

interface=eth2
dhcp-range=fd00:ff:11:1::2,ra-only,64

Version-Release number of selected component:
dnsmasq-2.65-4.fc18

Additional info:
backtrace_rating: 4
cmdline:        /usr/sbin/dnsmasq -k -d
crash_function: strcpy
executable:     /usr/sbin/dnsmasq
kernel:         3.7.9-205.fc18.x86_64
uid:            0

Truncated backtrace:
Thread no. 1 (3 frames)
 #0 strcpy at ../sysdeps/x86_64/strcpy.S:73
 #1 inet_ntop6 at inet_ntop.c:202
 #2 inet_ntop at inet_ntop.c:69

Comment 1 Gene Czarcinski 2013-03-11 18:26:36 UTC
Created attachment 708559
File: backtrace

Comment 2 Gene Czarcinski 2013-03-11 18:26:38 UTC
Created attachment 708560
File: build_ids

Comment 3 Gene Czarcinski 2013-03-11 18:26:39 UTC
Created attachment 708561
File: cgroup

Comment 4 Gene Czarcinski 2013-03-11 18:26:41 UTC
Created attachment 708562
File: core_backtrace

Comment 5 Gene Czarcinski 2013-03-11 18:26:43 UTC
Created attachment 708563
File: dso_list

Comment 6 Gene Czarcinski 2013-03-11 18:26:44 UTC
Created attachment 708564
File: environ

Comment 7 Gene Czarcinski 2013-03-11 18:26:46 UTC
Created attachment 708565
File: limits

Comment 8 Gene Czarcinski 2013-03-11 18:26:47 UTC
Created attachment 708566
File: maps

Comment 9 Gene Czarcinski 2013-03-11 18:26:49 UTC
Created attachment 708567
File: open_fds

Comment 10 Gene Czarcinski 2013-03-11 18:26:51 UTC
Created attachment 708568
File: proc_pid_status

Comment 11 Gene Czarcinski 2013-03-13 15:28:01 UTC
From Simon Kelley:

Ok, this bug is long gone in the 2.66 releases, as the code has been completely re-written. The problem is that line 643 of src/dnsmasq.c uses daemon->dhcp_buff2, which is not allocated unless some DHCP service is configured. A minimal patch for RH would be something like

daemon->dhcp_buff2=malloc(256);

just before that line. A workaround is to configure DHCP service as well as RA.

Since 2.6.6 is not coming out "Real Soon Now", a patch is suggested.

Comment 12 Tomáš Hozza 2013-03-13 15:43:23 UTC
Thank you for the comment. I noticed Simon's reply on dnsmasq mailing-list
today. I kind of don't like just adding malloc() before that line. I'll
try to come up with something better ASAP and push an update in Fedora.

Comment 13 Gene Czarcinski 2013-03-13 15:51:30 UTC
Created attachment 709670
quick fix for 2.65 per Simon Kelly

Comment 14 Tomáš Hozza 2013-03-13 16:11:06 UTC
(In reply to comment #13)
> Created attachment 709670
> quick fix for 2.65 per Simon Kelly

I will not use this patch because if dhcp_buff2 was allocated before, the
memory would be leaked. A better solution is to fix the IF condition where
dhcp_common_init() is called so that it is also called if daemon->ra_contexts.

I will test the fix and push an update.
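
The allocation gap discussed in comments 11 and 14, as an added example that is neither dnsmasq source nor part of the original report: a simplified model in which `dhcp_buff2` is allocated only by an init step. The struct, both `init_*` functions, `format_ra_prefix`, `BUFF_SZ` and the pre-fix condition are assumptions for illustration; the allocate-once check shows how the leak raised in comment 14 is avoided.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>

#define BUFF_SZ 256

/* Simplified model of the state named in the report; not dnsmasq source. */
struct model_daemon {
    int dhcp_configured;  /* assumed flag: some DHCP service is configured */
    int ra_contexts;      /* assumed flag: an ra-only range is configured */
    char *dhcp_buff2;     /* scratch buffer, allocated only by the init */
};

/* Assumed pre-fix shape: allocate only when a DHCP service exists. */
void init_before_fix(struct model_daemon *d)
{
    if (d->dhcp_configured && !d->dhcp_buff2)
        d->dhcp_buff2 = malloc(BUFF_SZ);
}

/* Shape described in comment 14: RA contexts also trigger the init.
 * The !dhcp_buff2 check keeps an earlier allocation from being leaked. */
void init_after_fix(struct model_daemon *d)
{
    if ((d->dhcp_configured || d->ra_contexts) && !d->dhcp_buff2)
        d->dhcp_buff2 = malloc(BUFF_SZ);
}

/* Returns 0 on success, -1 if the buffer is unallocated or text is invalid. */
int format_ra_prefix(struct model_daemon *d, const char *text)
{
    struct in6_addr addr;
    if (!d->dhcp_buff2)   /* the unguarded write is what crashed in strcpy */
        return -1;
    if (inet_pton(AF_INET6, text, &addr) != 1)
        return -1;
    return inet_ntop(AF_INET6, &addr, d->dhcp_buff2, BUFF_SZ) ? 0 : -1;
}

int main(void)
{
    struct model_daemon d = { 0, 1, NULL };  /* constructed ra-only config */
    init_before_fix(&d);
    printf("before fix: %d\n", format_ra_prefix(&d, "fd00:ff:11:1::2"));
    init_after_fix(&d);
    if (format_ra_prefix(&d, "fd00:ff:11:1::2") == 0)
        printf("after fix: %s\n", d.dhcp_buff2);
    free(d.dhcp_buff2);
    return 0;
}
```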

Comment 15 Gene Czarcinski 2013-03-13 18:32:12 UTC
Personally, I am going to give one of the 2.66 test releases a try.  I agree that a correct patch is the right thing to do and not my "quick and dirty" which might have unpleasant side effects.

Comment 16 Tomáš Hozza 2013-03-15 11:29:37 UTC
Created attachment 710598
Fix for segfault

Comment 17 Tomáš Hozza 2013-03-15 11:31:00 UTC
Fixed in:
dnsmasq-2.65-5.fc20
dnsmasq-2.65-5.fc19
dnsmasq-2.65-5.fc18
dnsmasq-2.65-5.fc17

Comment 18 Fedora Update System 2013-03-18 15:52:20 UTC
dnsmasq-2.65-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/dnsmasq-2.65-5.fc18

Comment 19 Fedora Update System 2013-03-18 15:53:16 UTC
dnsmasq-2.65-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/dnsmasq-2.65-5.fc17

Comment 20 Tomáš Hozza 2013-03-19 08:25:00 UTC
Gene, can you please test dnsmasq-2.65-5.fc18 from updates testing if it
works for you? And also add the karma if possible. Thank you.

Comment 21 Fedora Update System 2013-04-04 23:54:26 UTC
dnsmasq-2.65-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2013-04-04 23:59:41 UTC
dnsmasq-2.65-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.