Comment 9 for bug 47438

Thierry Carrez (ttx) wrote :

This issue has security implications: you could exploit it to (at least) crash the dnsmasq server.
I backported the fix from dnsmasq 2.26 and tested it OK.

I could not build an easy reproducer, spent a few hours around it but I guess I did not get the broadcast/martian right. Here is how I reproduced it and tested the fix:

Have one machine/VM as a DHCP client, another as DHCP server.
Make sure nobody else (including libvirt-bin!) provides DHCP service on the network the test machines are connected to.
Configure DHCP server on a network A (192.168.123.0/24 for example) to serve addresses there, with small DHCP leases
Start DHCP client so that it gets an address lease on network A (let's say 192.168.123.51)
Reconfigure network and dnsmasq on server so that it now serves a network B (192.168.122.0/24 for example)
Wait for client to try to renew its lease.
Starting at around half lease life it will try several times (and fail) to renew its lease.
At the end of the lease it will broadcast a martian DHCPREQUEST from 192.168.123.51, triggering the crash in dnsmasq:

Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4

With the fixed version, we get:
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPOFFER(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.122.51 52:54:00:1a:49:e4
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPACK(eth0) 192.168.122.51 52:54:00:1a:49:e4 hardy-test
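
Added example (not part of the original comment and not dnsmasq or Ubuntu code): a log check that flags the crash signature shown above, a kernel segfault line for a dnsmasq PID whose last logged message was a "wrong network" DHCPNAK. It assumes the syslog line format quoted in the comment; the function and field names are hypothetical.

```python
import re

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
DNSMASQ_RE = re.compile(PREFIX + r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NAK_RE = re.compile(
    r"^DHCPNAK\((?P<iface>[^)]+)\) (?P<ip>\S+) (?P<mac>[0-9a-f:]{17}) wrong network$")
SEGV_RE = re.compile(
    PREFIX + r"kernel: \[\s*[\d.]+\] dnsmasq\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ")

# Sample input: lines copied from the two log excerpts in the comment above.
SAMPLE_LOG = """\
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:20:28 dapper-test dnsmasq[3482]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:20:28 dapper-test kernel: [ 1766.784923] dnsmasq[3482]: segfault at 0000000000000010 rip 00000000004139d9 rsp 00007fffffb627c0 error 4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPREQUEST(eth0) 192.168.123.51 52:54:00:1a:49:e4
Jun 24 10:25:44 dapper-test dnsmasq[3643]: DHCPNAK(eth0) 192.168.123.51 52:54:00:1a:49:e4 wrong network
Jun 24 10:25:48 dapper-test dnsmasq[3643]: DHCPDISCOVER(eth0) 52:54:00:1a:49:e4
"""

def find_crashes(log_text):
    """Return one finding per dnsmasq segfault, noting whether it directly
    followed a 'wrong network' DHCPNAK logged by the same process."""
    last_nak = {}  # (host, pid) -> NAK fields, kept only while it is the latest message
    findings = []
    for line in log_text.splitlines():
        segv = SEGV_RE.match(line)
        if segv:
            nak = last_nak.pop((segv["host"], segv["pid"]), None)
            findings.append({
                "time": segv["ts"], "host": segv["host"], "pid": segv["pid"],
                "fault_addr": segv["addr"],
                "after_wrong_network_nak": nak is not None,
                "client_ip": nak["ip"] if nak else None,
                "client_mac": nak["mac"] if nak else None,
            })
            continue
        entry = DNSMASQ_RE.match(line)
        if entry:
            key = (entry["host"], entry["pid"])
            nak = NAK_RE.match(entry["msg"])
            if nak:
                last_nak[key] = nak.groupdict()
            else:
                # The process kept logging after the NAK, as the fixed build does.
                last_nak.pop(key, None)
    return findings

if __name__ == "__main__":
    for finding in find_crashes(SAMPLE_LOG):
        print(finding)
```

On the sample it reports only PID 3482; PID 3643 (the fixed build) keeps logging after the NAK and produces no finding.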