dnsmasq: fix dnssec timestamp logic, backport crashfix
[openwrt/staging/chunkeey.git] / package / network / services / dnsmasq / patches / 001-fix-crash-in-auth-code.patch
1 From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Sun, 12 Apr 2015 21:52:47 +0100
4 Subject: [PATCH] Fix crash in auth code with odd configuration.
5
6 ---
7 CHANGELOG | 32 +++++++++++++++++++++-----------
8 src/auth.c | 13 ++++++++-----
9 2 files changed, 29 insertions(+), 16 deletions(-)
10
11 diff --git a/CHANGELOG b/CHANGELOG
12 index 9af6170..f2142c7 100644
13 --- a/CHANGELOG
14 +++ b/CHANGELOG
15 @@ -68,18 +68,31 @@ version 2.73
16 Fix broken DNSSEC validation of ECDSA signatures.
17
18 Add --dnssec-timestamp option, which provides an automatic
19 - way to detect when the system time becomes valid after boot
20 - on systems without an RTC, whilst allowing DNS queries before the
21 - clock is valid so that NTP can run. Thanks to
22 - Kevin Darbyshire-Bryant for developing this idea.
23 + way to detect when the system time becomes valid after
24 + boot on systems without an RTC, whilst allowing DNS
25 + queries before the clock is valid so that NTP can run.
26 + Thanks to Kevin Darbyshire-Bryant for developing this idea.
27
28 Add --tftp-no-fail option. Thanks to Stefan Tomanek for
29 the patch.
30
31 - Fix crash caused by looking up servers.bind, CHAOS text record,
32 - when more than about five --servers= lines are in the dnsmasq
33 - config. This causes memory corruption which causes a crash later.
34 - Thanks to Matt Coddington for sterling work chasing this down.
35 + Fix crash caused by looking up servers.bind, CHAOS text
36 + record, when more than about five --servers= lines are
37 + in the dnsmasq config. This causes memory corruption
38 + which causes a crash later. Thanks to Matt Coddington for
39 + sterling work chasing this down.
40 +
41 + Fix crash on receipt of certain malformed DNS requests.
42 + Thanks to Nick Sampanis for spotting the problem.
43 +
44 + Fix crash in authoritative DNS code, if a .arpa zone
45 + is declared as authoritative, and then a PTR query which
46 + is not to be treated as authoritative arrived. Normally,
47 + directly declaring .arpa zone as authoritative is not
48 + done, so this crash wouldn't be seen. Instead the
49 + relevant .arpa zone should be specified as a subnet
50 + in the auth-zone declaration. Thanks to Johnny S. Lee
51 + for the bugreport and initial patch.
52
53
54 version 2.72
55 @@ -125,10 +138,7 @@ version 2.72
56 Fix problem with --local-service option on big-endian platforms
57 Thanks to Richard Genoud for the patch.
58
59 - Fix crash on receipt of certain malformed DNS requests. Thanks
60 - to Nick Sampanis for spotting the problem.
61
62 -
63 version 2.71
64 Subtle change to error handling to help DNSSEC validation
65 when servers fail to provide NODATA answers for
66 diff --git a/src/auth.c b/src/auth.c
67 index 15721e5..4a5c39f 100644
68 --- a/src/auth.c
69 +++ b/src/auth.c
70 @@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
71 for (zone = daemon->auth_zones; zone; zone = zone->next)
72 if ((subnet = find_subnet(zone, flag, &addr)))
73 break;
74 -
75 +
76 if (!zone)
77 {
78 auth = 0;
79 @@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
80
81 if (intr)
82 {
83 - if (in_zone(zone, intr->name, NULL))
84 + if (local_query || in_zone(zone, intr->name, NULL))
85 {
86 found = 1;
87 log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
88 @@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
89 *p = 0; /* must be bare name */
90
91 /* add external domain */
92 - strcat(name, ".");
93 - strcat(name, zone->domain);
94 + if (zone)
95 + {
96 + strcat(name, ".");
97 + strcat(name, zone->domain);
98 + }
99 log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
100 found = 1;
101 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
102 @@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
103 T_PTR, C_IN, "d", name))
104 anscount++;
105 }
106 - else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL))
107 + else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
108 {
109 log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
110 found = 1;
111 --
112 2.1.4
113