SSV:12173
Published: Sep 02, 2009 (www.seebug.org, author: Root)

Dnsmasq TFTP service remote NULL pointer dereference vulnerability

EPSS: 0.036 (Low), percentile 90.6%

BUGTRAQ ID: 36120
CVE(CAN) ID: CVE-2009-2958

Dnsmasq is a lightweight, easily configured DNS forwarder and DHCP server.

When its TFTP service is enabled, dnsmasq contains a NULL pointer dereference vulnerability that may allow a malicious TFTP server to crash the dnsmasq service.

The vulnerability is caused by the first if in the following loop:

/-----------

while ((opt = next(&p, end)))
  {
    if (strcasecmp(opt, "blksize") == 0 &&
        (opt = next(&p, end)) &&
        !(daemon->options & OPT_TFTP_NOBLOCK))
      {
        transfer->blocksize = atoi(opt);
        if (transfer->blocksize < 1)
          transfer->blocksize = 1;
        if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
          transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
        transfer->opt_blocksize = 1;
        transfer->block = 0;
      }

    if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
        !transfer->netascii)
      {
        transfer->opt_transize = 1;
        transfer->block = 0;
      }
  }

-----------/

Because the guard of the first if includes the result of opt = next(&p, end), a NULL return makes the guard fail with opt already overwritten, and the next if, strcasecmp(opt, "tsize"), then dereferences a NULL pointer.
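As an added illustration (not dnsmasq's own code and not part of the advisory), the following model reproduces the option loop above with a simplified next() and puts the reported control flow beside a restructured one that never reaches the tsize test through the blksize path. The struct, next(), parse_tftp_options() and run_request() are assumptions; daemon->options and the upper blocksize clamp are left out, and the sample request tails are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Simplified model (an assumption, not dnsmasq's own code) of the tftp.c option
 * loop quoted above: RRQ options follow filename and mode as NUL-terminated
 * "name\0value\0" pairs. daemon->options and the upper blocksize clamp are omitted. */
struct transfer { int blocksize, opt_blocksize, opt_transize, netascii; };
enum { PARSE_OK = 0, PARSE_NULL_DEREF = -1 };
/* Return the string at *p and step past its NUL; NULL once the options are used up. */
static char *next(char **p, char *end)
{
    char *ret = *p;
    if (ret >= end || *ret == 0 || memchr(ret, 0, (size_t)(end - ret)) == NULL) return NULL;
    *p = ret + strlen(ret) + 1;
    return ret;
}
/* hardened == false keeps the reported control flow: the blksize guard consumes
 * the next string, and when that is NULL the tsize test runs on opt == NULL.
 * The model returns PARSE_NULL_DEREF at that point instead of crashing. */
int parse_tftp_options(char *p, char *end, struct transfer *t, bool hardened)
{
    char *opt;
    while ((opt = next(&p, end))) {
        if (strcasecmp(opt, "blksize") == 0) {
            opt = next(&p, end);                 /* value, or NULL on a truncated request */
            if (opt) {
                t->blocksize = atoi(opt) < 1 ? 1 : atoi(opt);
                t->opt_blocksize = 1;
            }
            if (hardened) continue;              /* fix: never fall into the tsize test */
            if (!opt) return PARSE_NULL_DEREF;   /* original: strcasecmp(NULL, "tsize") */
        }
        if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !t->netascii)
            t->opt_transize = 1;
    }
    return PARSE_OK;
}
/* Parse a constructed request tail (len includes its final NUL). Returns the parse
 * status, or the accepted blocksize when both blksize and tsize were parsed. */
int run_request(const char *req, size_t len, bool hardened)
{
    char buf[64];
    struct transfer t = {0};
    if (len > sizeof buf) return -2;             /* constructed sample too long for buf */
    memcpy(buf, req, len);
    int rc = parse_tftp_options(buf, buf + len, &t, hardened);
    return (rc == PARSE_OK && t.opt_transize) ? t.blocksize : rc;
}
```

A request tail that ends right after "blksize" yields PARSE_NULL_DEREF on the reported path and PARSE_OK on the restructured one; a well-formed "blksize\0 1024\0 tsize\0 0\0" parses to blocksize 1024 on both.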

Affected versions: Simon Kelley Dnsmasq 2.4x

Vendor patches:

RedHat

RedHat has released a security advisory (RHSA-2009:1238-01) and a corresponding patch:
RHSA-2009:1238-01: Important: dnsmasq security update
Link: https://www.redhat.com/support/errata/RHSA-2009-1238.html

Simon Kelley

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

http://www.thekelleys.org.uk/dnsmasq/doc.html