Fedora Account System
Red Hat Associate
Red Hat Customer
A heap buffer overflow exists in dnsmasq's log_query() function (src/cache.c). When query logging is enabled and dnsmasq logs DS or DNSKEY replies containing unsupported algorithm or digest types, the "(not supported)" suffix causes sprintf() to write past the end of daemon->addrbuff, a 46-byte heap buffer. Trigger example: a DS record with key_tag=65535, algorithm=255, digest_type=255 (both algorithm 255 and digest_type 255 are IANA-unassigned), causing the "(not supported)" branch in dnssec.c to fire during logging. Prerequisites: - DNSSEC validation enabled - Query logging enabled (e.g. --log-queries) Impact: bounded heap write overflow (~12 bytes). Upstream maintainer Simon Kelley notes the overwrite is of bounded length, the bytes written are not attacker-controlled, and this is not considered a likely remote-execution vector. Practical impact is denial of service via process crash or heap corruption. Fixed upstream in commit 36d081e37477027fd721fea498f3760f529034ad (dnsmasq 2.92rel2).