Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

imp/dnsmasq
master @ cf08eee
86
Fixes
0
CVEs
CRITICAL
Peak severity
Highlights
Denial of Service: 38 prior fixes. Scrutinize any change in this area.
src/dnssec.c: most-fixed (20 issues). Treat as high-risk during review.
39 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Heap Buffer Overflow: A critical vulnerability in the DNSSEC sorting logic (`sort_rrset` / `get_rdata`) allows remote attackers to trigger a heap-based buffer overflow and overwrite arbitrary memory via crafted DNS responses. Tight bounds enforcement is required when navigating resource records.
Stack-based Buffer Overflow: A stack-based buffer overflow in the DHCPv6 relay code allows remote attackers to execute arbitrary code or crash the daemon by sending a client MAC option that exceeds the size of the destination stack buffer without adequate length validation.
Denial of Service: The DNSSEC engine has historically been vulnerable to remote CPU and memory exhaustion attacks. Attackers can leverage broken or malicious validation chains, sub-queries, and complex signature validations to trigger infinite loops or extreme CPU load.