OpenWrt
cpe:2.3:a:openwrt:openwrt:*:*:*:*:*:*:*
- < 24.10.6
- < 25.12.1
A stack-based buffer overflow has been identified in the mdns daemon of OpenWrt Project versions prior to 24.10.6 and 25.12.1. The issue is in the parse_question function, when it processes PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by the dn_expand function into an 8096-byte global buffer, and the expanded data is then copied into a fixed 256-byte stack buffer without bounds checking. Because dn_expand converts non-printable ASCII bytes into multi-character octal representations, the expanded name can be larger than the stack buffer. A crafted DNS packet can therefore overflow the stack buffer during normal multicast DNS packet processing.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or the corruption of memory, potentially allowing an attacker to manipulate the execution flow of the program.
Users can upgrade to OpenWrt versions 24.10.6 or 25.12.1 to address this vulnerability.
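The length inflation described above and a bounds-checked copy into the 256-byte buffer, as an added C example; it is not OpenWrt's code or its fix. The function names, the 4-characters-per-escaped-byte figure (backslash plus three digits) and the sample name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 256 /* size of the fixed stack buffer named in the advisory */

/* Assumption: a printable byte stays 1 character, any other byte is
 * written as a backslash plus three digits (4 characters). */
static size_t escaped_len(unsigned char c)
{
    return (c > 0x20 && c < 0x7f) ? 1 : 4;
}

/* Text length an uncompressed wire-format name expands to, or (size_t)-1
 * if the name is malformed (oversized label, truncation, no terminator). */
size_t expanded_name_len(const unsigned char *wire, size_t wire_len)
{
    size_t pos = 0, out = 0;
    while (pos < wire_len) {
        size_t label = wire[pos++];
        if (label == 0)
            return out;                      /* root label ends the name */
        if (label > 63 || label > wire_len - pos)
            return (size_t)-1;
        if (out)
            out++;                           /* dot between labels */
        for (size_t i = 0; i < label; i++)
            out += escaped_len(wire[pos + i]);
        pos += label;
    }
    return (size_t)-1;
}

/* Hardened copy: refuse a name that does not fit instead of overflowing. */
int copy_name_checked(char *dst, size_t dst_len, const char *expanded)
{
    size_t n = strlen(expanded);
    if (n >= dst_len)
        return -1;                           /* caller drops the question */
    memcpy(dst, expanded, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample: 9 wire bytes, two of them non-printable. */
    const unsigned char wire[] = {2, 0x01, 0x02, 4, 'a', 'r', 'p', 'a', 0};
    printf("wire=%zu text=%zu\n", sizeof wire, expanded_name_len(wire, sizeof wire));
    return 0;
}
```

Sizing the destination from the wire-format name length underestimates the expanded text, so the check has to be made on the expanded string itself before the copy.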