dnsmasq
cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*
- <= 2.73rc6
A null pointer dereference vulnerability has been identified in dnsmasq versions through 2.73rc6. The issue is in the function parse_dhcp_opt in src/option.c, in the code path that processes OPTION_SIP_SERVER. If the input does not contain valid domain tokens, the temporary buffer used for building the option representation remains null. The code then attempts to write to this null buffer, causing a segmentation fault. This vulnerability can be exploited locally by providing a crafted configuration file that triggers the null pointer write, leading to a denial-of-service condition by crashing the dnsmasq service during startup.
Exploitation of this vulnerability causes dnsmasq to crash on startup, creating a denial-of-service condition by preventing the service from running. This can be particularly problematic if the attacker can influence the dnsmasq configuration file.
The vulnerability can be reproduced by replacing the default dnsmasq configuration file with a crafted one that includes an invalid OPTION_SIP_SERVER value. After replacing the configuration file, start the dnsmasq server. The service will crash during the initial configuration parsing, which is when the vulnerability is triggered.
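The null-buffer pattern described above for parse_dhcp_opt, as an added C sketch that is not dnsmasq source code: the function names, the comma-separated token format and the header byte at offset 0 are assumptions made for illustration. It shows the unguarded write beside a guarded form that rejects the option when no valid token was collected.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sketch, not dnsmasq source: collect non-empty comma-separated
   tokens into a lazily allocated buffer. Byte 0 is reserved for a header
   byte (assumed layout); each token follows as <len><bytes>. */
static unsigned char *collect_tokens(const char *arg, size_t *len)
{
    unsigned char *buf = NULL;   /* stays NULL until a valid token is seen */
    size_t used = 1;             /* byte 0 reserved for the header */
    const char *p = arg;

    while (*p) {
        size_t n = strcspn(p, ",");
        if (n > 0 && n < 64) {   /* accept only non-empty, label-sized tokens */
            unsigned char *tmp = realloc(buf, used + 1 + n);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp;
            buf[used++] = (unsigned char)n;
            memcpy(buf + used, p, n);
            used += n;
        }
        p += n;
        if (*p == ',') p++;
    }
    *len = used;
    return buf;
}

/* Unguarded form of the pattern: writes the header byte even when no token
   was accepted, i.e. through a NULL pointer. Shown for comparison only. */
int build_option_unguarded(const char *arg, unsigned char **out, size_t *len)
{
    unsigned char *buf = collect_tokens(arg, len);
    buf[0] = 0;                  /* NULL write when buf was never allocated */
    *out = buf;
    return 0;
}

/* Guarded form: reject the option instead of dereferencing NULL. */
int build_option_checked(const char *arg, unsigned char **out, size_t *len)
{
    unsigned char *buf = collect_tokens(arg, len);
    if (buf == NULL) {           /* no valid tokens, or allocation failure */
        *out = NULL; *len = 0;
        return -1;               /* caller reports a configuration error */
    }
    buf[0] = 0;
    *out = buf;
    return 0;
}
```

With the guard in place, an option value that yields no tokens becomes an ordinary configuration error that the caller can log, rather than a crash during startup parsing.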