From 747c33859b10388e0eb1d37ff2a58ee7837a6f7a Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Fri, 10 Apr 2015 10:19:17 +0000 Subject: [PATCH] dnsmasq: bump to 2.73rc4 Fix crash caused by malformed DNS requests Improved DNSSEC handling Signed-off-by: Steven Barth SVN-Revision: 45354 --- package/network/services/dnsmasq/Makefile | 10 +- .../services/dnsmasq/files/dnsmasq.init | 7 +- .../patches/001-fix-dnssec-crash.patch | 83 -------- .../002-fix-dnssec-edns0-handling.patch | 27 --- ...-no-fail-to-ignore-missing-tftp-root.patch | 193 ------------------ .../200-fix-dhcpv6-solicit-handling.patch | 38 ++++ ...-makefile-be-aware-of-config-changes.patch | 42 ---- 7 files changed, 49 insertions(+), 351 deletions(-) delete mode 100644 package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch delete mode 100644 package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch delete mode 100644 package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch create mode 100644 package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch delete mode 100644 package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index dcbb63a0f3..dc94d341bd 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_VERSION:=2.72 -PKG_RELEASE:=4 +PKG_VERSION:=2.73rc4 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq -PKG_MD5SUM:=cf82f81cf09ad3d47612985012240483 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates +PKG_MD5SUM:=24569c7605059aee175b1776201afa93 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 20333c810a..b2dfb979bc 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -205,6 +205,7 @@ dnsmasq() { [ "$dnssec" -gt 0 ] && { xappend "--conf-file=$TRUSTANCHORSFILE" xappend "--dnssec" + xappend "--dnssec-timestamp=/etc/dnsmasq.time" append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned" } @@ -555,7 +556,7 @@ start_service() { procd_add_jail dnsmasq ubus log procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers - procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases + procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases /etc/dnsmasq.time procd_close_instance @@ -565,6 +566,10 @@ start_service() { mkdir -p /var/lib/misc touch /tmp/dhcp.leases + if [ ! -f /etc/dnsmasq.time ]; then + touch -t 197001010000 /etc/dnsmasq.time + chmod 0777 /etc/dnsmasq.time + fi echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE echo "# auto-generated config file from /etc/config/dhcp" > $HOSTFILE diff --git a/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch b/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch deleted file mode 100644 index e41f295772..0000000000 --- a/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Sun, 21 Dec 2014 16:11:52 +0000 -Subject: [PATCH] Fix crash in DNSSEC code when attempting to verify large RRs. - ---- - src/dnssec.c | 27 +++++++++++++++++++-------- - -diff --git a/src/dnssec.c b/src/dnssec.c -index 69bfc29..3208ac7 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -456,16 +456,27 @@ static u16 *get_desc(int type) - - /* Return bytes of canonicalised rdata, when the return value is zero, the remaining - data, pointed to by *p, should be used raw. */ --static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, -+static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, - unsigned char **p, u16 **desc) - { - int d = **desc; - -- (*desc)++; -- - /* No more data needs mangling */ - if (d == (u16)-1) -- return 0; -+ { -+ /* If there's more data than we have space for, just return what fits, -+ we'll get called again for more chunks */ -+ if (end - *p > bufflen) -+ { -+ memcpy(buff, *p, bufflen); -+ *p += bufflen; -+ return bufflen; -+ } -+ -+ return 0; -+ } -+ -+ (*desc)++; - - if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) - /* domain-name, canonicalise */ -@@ -560,7 +571,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int - if (left1 != 0) - memmove(buff1, buff1 + len1 - left1, left1); - -- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, &p1, &dp1)) == 0) -+ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0) - { - quit = 1; - len1 = end1 - p1; -@@ -571,7 +582,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int - if (left2 != 0) - memmove(buff2, buff2 + len2 - left2, left2); - -- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, &p2, &dp2)) == 0) -+ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0) - { - quit = 1; - len2 = end2 - p2; -@@ -808,7 +819,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - /* canonicalise rdata and calculate length of same, use name buffer as workspace */ - cp = p; - dp = rr_desc; -- for (len = 0; (seg = get_rdata(header, plen, end, name, &cp, &dp)) != 0; len += seg); -+ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg); - len += end - cp; - len = htons(len); - hash->update(ctx, 2, (unsigned char *)&len); -@@ -816,7 +827,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - /* Now canonicalise again and digest. */ - cp = p; - dp = rr_desc; -- while ((seg = get_rdata(header, plen, end, name, &cp, &dp))) -+ while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp))) - hash->update(ctx, seg, (unsigned char *)name); - if (cp != end) - hash->update(ctx, end - cp, cp); --- -2.1.3 - diff --git a/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch b/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch deleted file mode 100644 index 9133c62d92..0000000000 --- a/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 15 Dec 2014 17:50:15 +0000 -Subject: [PATCH] Remove floor on EDNS0 packet size with DNSSEC. - ---- - src/dnsmasq.c | 5 ----- - -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index bf2e25a..5c7750d 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -87,11 +87,6 @@ int main (int argc, char **argv) - - if (daemon->edns_pktsz < PACKETSZ) - daemon->edns_pktsz = PACKETSZ; --#ifdef HAVE_DNSSEC -- /* Enforce min packet big enough for DNSSEC */ -- if (option_bool(OPT_DNSSEC_VALID) && daemon->edns_pktsz < EDNS_PKTSZ) -- daemon->edns_pktsz = EDNS_PKTSZ; --#endif - - daemon->packet_buff_sz = daemon->edns_pktsz > DNSMASQ_PACKETSZ ? - daemon->edns_pktsz : DNSMASQ_PACKETSZ; --- -2.1.3 - diff --git a/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch b/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch deleted file mode 100644 index c85e4e6513..0000000000 --- a/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch +++ /dev/null @@ -1,193 +0,0 @@ -From 56920681eaf2c5eb08fc75baee4939d15d03b0ea Mon Sep 17 00:00:00 2001 -From: Stefan Tomanek -Date: Tue, 31 Mar 2015 22:32:11 +0100 -Subject: [PATCH] add --tftp-no-fail to ignore missing tftp root - -(cherry picked from commit 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2) - -Conflicts: - CHANGELOG - src/dnsmasq.c - src/dnsmasq.h - src/option.c ---- - dnsmasq.conf.example | 3 +++ - man/dnsmasq.8 | 3 +++ - src/dnsmasq.c | 42 +++++++++++++++++++++++++++++++----------- - src/dnsmasq.h | 4 +++- - src/option.c | 3 +++ - 5 files changed, 43 insertions(+), 12 deletions(-) - -diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example -index 1bd305d..67be99a 100644 ---- a/dnsmasq.conf.example -+++ b/dnsmasq.conf.example -@@ -486,6 +486,9 @@ - # Set the root directory for files available via FTP. - #tftp-root=/var/ftpd - -+# Do not abort if the tftp-root is unavailable -+#tftp-no-fail -+ - # Make the TFTP server more secure: with this set, only files owned by - # the user dnsmasq is running as will be send over the net. - #tftp-secure -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index 0b8e04f..2ff4b96 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -1670,6 +1670,9 @@ Absolute paths (starting with /) are allowed, but they must be within - the tftp-root. If the optional interface argument is given, the - directory is only used for TFTP requests via that interface. - .TP -+.B --tftp-no-fail -+Do not abort startup if specified tftp root directories are inaccessible. -+.TP - .B --tftp-unique-root - Add the IP address of the TFTP client as a path component on the end - of the TFTP-root (in standard dotted-quad format). Only valid if a -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 5c7750d..b6fa285 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -58,6 +58,9 @@ int main (int argc, char **argv) - struct dhcp_context *context; - struct dhcp_relay *relay; - #endif -+#ifdef HAVE_TFTP -+ int tftp_prefix_missing = 0; -+#endif - - #ifdef LOCALEDIR - setlocale(LC_ALL, ""); -@@ -623,7 +626,7 @@ int main (int argc, char **argv) - #endif - - #ifdef HAVE_TFTP -- if (option_bool(OPT_TFTP)) -+ if (option_bool(OPT_TFTP)) - { - DIR *dir; - struct tftp_prefix *p; -@@ -632,24 +635,33 @@ int main (int argc, char **argv) - { - if (!((dir = opendir(daemon->tftp_prefix)))) - { -- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix); -- _exit(0); -+ tftp_prefix_missing = 1; -+ if (!option_bool(OPT_TFTP_NO_FAIL)) -+ { -+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix); -+ _exit(0); -+ } - } - closedir(dir); - } -- -+ - for (p = daemon->if_prefix; p; p = p->next) - { -+ p->missing = 0; - if (!((dir = opendir(p->prefix)))) -- { -- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix); -- _exit(0); -- } -+ { -+ p->missing = 1; -+ if (!option_bool(OPT_TFTP_NO_FAIL)) -+ { -+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix); -+ _exit(0); -+ } -+ } - closedir(dir); - } - } - #endif -- -+ - if (daemon->port == 0) - my_syslog(LOG_INFO, _("started, version %s DNS disabled"), VERSION); - else if (daemon->cachesize != 0) -@@ -743,8 +755,9 @@ int main (int argc, char **argv) - #endif - - #ifdef HAVE_TFTP -- if (option_bool(OPT_TFTP)) -- { -+ if (option_bool(OPT_TFTP)) -+ { -+ struct tftp_prefix *p; - #ifdef FD_SETSIZE - if (FD_SETSIZE < (unsigned)max_fd) - max_fd = FD_SETSIZE; -@@ -754,7 +767,14 @@ int main (int argc, char **argv) - daemon->tftp_prefix ? _("root is ") : _("enabled"), - daemon->tftp_prefix ? daemon->tftp_prefix: "", - option_bool(OPT_TFTP_SECURE) ? _("secure mode") : ""); -+ -+ if (tftp_prefix_missing) -+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: %s inaccessible"), daemon->tftp_prefix); - -+ for (p = daemon->if_prefix; p; p = p->next) -+ if (p->missing) -+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: TFTP directory %s inaccessible"), p->prefix); -+ - /* This is a guess, it assumes that for small limits, - disjoint files might be served, but for large limits, - a single file will be sent to may clients (the file only needs -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 1dd61c5..086cb67 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -238,7 +238,8 @@ struct event_desc { - #define OPT_DNSSEC_NO_SIGN 48 - #define OPT_LOCAL_SERVICE 49 - #define OPT_LOOP_DETECT 50 --#define OPT_LAST 51 -+#define OPT_TFTP_NO_FAIL 51 -+#define OPT_LAST 52 - - /* extra flags for my_syslog, we use a couple of facilities since they are known - not to occupy the same bits as priorities, no matter how syslog.h is set up. */ -@@ -888,6 +889,7 @@ struct addr_list { - struct tftp_prefix { - char *interface; - char *prefix; -+ int missing; - struct tftp_prefix *next; - }; - -diff --git a/src/option.c b/src/option.c -index 209fa69..fa5e4d3 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -147,6 +147,7 @@ struct myoption { - #define LOPT_LOCAL_SERVICE 335 - #define LOPT_DNSSEC_TIME 336 - #define LOPT_LOOP_DETECT 337 -+#define LOPT_TFTP_NO_FAIL 338 - - #ifdef HAVE_GETOPT_LONG - static const struct option opts[] = -@@ -227,6 +228,7 @@ static const struct myoption opts[] = - { "dhcp-ignore-names", 2, 0, LOPT_NO_NAMES }, - { "enable-tftp", 2, 0, LOPT_TFTP }, - { "tftp-secure", 0, 0, LOPT_SECURE }, -+ { "tftp-no-fail", 0, 0, LOPT_TFTP_NO_FAIL }, - { "tftp-unique-root", 0, 0, LOPT_APREF }, - { "tftp-root", 1, 0, LOPT_PREFIX }, - { "tftp-max", 1, 0, LOPT_TFTP_MAX }, -@@ -402,6 +404,7 @@ static struct { - { LOPT_PREFIX, ARG_DUP, "[,]", gettext_noop("Export files by TFTP only from the specified subtree."), NULL }, - { LOPT_APREF, OPT_TFTP_APREF, NULL, gettext_noop("Add client IP address to tftp-root."), NULL }, - { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to files owned by the user running dnsmasq."), NULL }, -+ { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate the service if TFTP directories are inaccessible."), NULL }, - { LOPT_TFTP_MAX, ARG_ONE, "", gettext_noop("Maximum number of conncurrent TFTP transfers (defaults to %s)."), "#" }, - { LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP blocksize extension."), NULL }, - { LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames to lowercase"), NULL }, --- -2.1.4 - diff --git a/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch b/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch new file mode 100644 index 0000000000..7c900287e4 --- /dev/null +++ b/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch @@ -0,0 +1,38 @@ +From 35042c3ef61b3bc07f0f9418dff6be6ed78f4aa1 Mon Sep 17 00:00:00 2001 +From: Steven Barth +Date: Fri, 10 Apr 2015 10:46:57 +0200 +Subject: [PATCH] Revert "Don't reply to DHCPv6 SOLICIT messages when not + configured for statefull DHCPv6." + +This reverts commit 61b838dd574c51d96fef100285a0d225824534f9. +--- + src/rfc3315.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/src/rfc3315.c b/src/rfc3315.c +index c1ddc80..50131d8 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -824,19 +824,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + else + { +- /* Windows 8 always requests an address even if the Managed bit +- in RA is 0 and it keeps retrying if it receives a reply +- stating that no addresses are available. We solve this +- by not replying at all if we're not configured to give any +- addresses by DHCPv6. RFC 3315 17.2.1. appears to allow this. */ +- +- for (c = state->context; c; c = c->current) +- if (!(c->flags & CONTEXT_RA_STATELESS)) +- break; +- +- if (!c) +- return 0; +- + /* no address, return error */ + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6NOADDRS); +-- +2.1.4 + diff --git a/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch b/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch deleted file mode 100644 index 663f0e9ed3..0000000000 --- a/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch +++ /dev/null @@ -1,42 +0,0 @@ -Index: dnsmasq-2.72/Makefile -=================================================================== ---- dnsmasq-2.72.orig/Makefile 2014-12-30 19:46:10.484921940 +0800 -+++ dnsmasq-2.72/Makefile 2014-12-30 19:56:39.712926794 +0800 -@@ -74,6 +74,10 @@ - hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h - -+COPT_CONF = $(top)/.copt_$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/config.h | \ -+ ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ') -+COPT_CONF_WILD = $(top)/.copt_* -+ - all : $(BUILDDIR) - @cd $(BUILDDIR) && $(MAKE) \ - top="$(top)" \ -@@ -83,7 +87,7 @@ - - mostly_clean : - rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot -- rm -f $(BUILDDIR)/.configured $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq -+ rm -f $(BUILDDIR)/$(COPT_CONF_WILD) $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq - - clean : mostly_clean - rm -f $(BUILDDIR)/dnsmasq_baseline -@@ -139,7 +143,7 @@ - - # rules below are targets in recusive makes with cwd=$(BUILDDIR) - --.configured: $(hdrs) -+$(COPT_CONF): $(hdrs) - @rm -f *.o - @touch $@ - -@@ -149,7 +153,7 @@ - .c.o: - $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $< - --dnsmasq : .configured $(hdrs) $(objs) -+dnsmasq : $(COPT_CONF) $(hdrs) $(objs) - $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) - - dnsmasq.pot : $(objs:.o=.c) $(hdrs) -- 2.30.2