OpenWrt MDNS daemon https://git.openwrt.org/project/mdnsd/atom?h=master 2026-06-27T15:25:14Z 2026-06-27T15:25:14Z Carsten Schuette 2026-06-06T14:20:24Z urn:sha1:dbee55098c2e7a0a76feec414a11d76838572918 This fixes: ``` cache.c: In function 'cache_dump_records': cache.c:523:40: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] 523 | domain = strstr(r->record, "._udp."); | ^ cache.c:526:48: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] 526 | domain = strstr(r->record, "._tcp."); | ^ cc1: all warnings being treated as errors ninja: build stopped: subcommand failed. ``` This fixes #31 Signed-off-by: Carsten Schuette <schuettecarsten@googlemail.com> Link: https://github.com/openwrt/mdnsd/pull/32 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2026-06-16T00:00:27Z Hauke Mehrtens 2026-06-12T23:57:54Z urn:sha1:1b5e7bf1cec775b89f1a6068dc0b9df3593b5986 mDNS answers are unsolicited and unauthenticated, so any host on the local segment can spray responses for an unbounded number of unique names. cache_answer()/cache_service() cached every such record with no entry cap; the only eviction is the TTL-based GC, which an attacker defeats by sending a very large TTL. A sustained flood thus grows the heap without bound until the daemon OOMs or crashes. On top of that, the calloc_a() returns were dereferenced without a NULL check, so the failing allocation itself wrote through NULL and SIGSEGVd. Cap the number of cached records and services, clamp the stored TTL so the GC keeps reclaiming hostile records (and the cache recovers once a flood stops), and NULL-check both calloc_a() returns. Reported-by: Puru Kulkarni <puruk@proton.me> Link: https://github.com/openwrt/mdnsd/security/advisories/GHSA-jg8f-fhfw-jg46 Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2026-05-22T11:46:34Z Felix Fietkau 2026-05-22T11:46:33Z urn:sha1:bd7599d021571e785bd32a75469e7148eb1772e3 Use size_t instead of int to prevent bogus overflow Signed-off-by: Felix Fietkau <nbd@nbd.name> 2026-02-07T12:37:55Z Jonas Gorski 2026-02-06T20:16:49Z urn:sha1:a52cdb354d13c179150d2ba26f9f8a51d418b43d Ensure the IPv4 PTR address contains exactly four numbers, and no excess characters. This avoids leaving ip1 potentially uninitialized for shorter prefixes. Fixes: 2b28094 ("dns: add support for reverse address mapping queries") Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com> 2026-02-07T12:37:55Z Jonas Gorski 2026-02-06T20:14:56Z urn:sha1:b798c24205b5572cd8f2b79f3ef5857bb5de3180 IPv6 PTR record addresses always alternate dots and nibbles, so check that the request name follows that, and reject if not. This avoids overrunning temp_ip if the prefix contains more than 16 non-dot characters. Fixes: TOB-OWRT-2 Fixes: 2b28094 ("dns: add support for reverse address mapping queries") Reported-by: Trail of Bits Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com> 2026-02-07T10:03:18Z Jonas Gorski 2026-02-06T19:36:52Z urn:sha1:a3dcb4adc635132ded9b5e88a049dc784fac36d9 Validate reverse dns query names length to be able to be valid names: For IPv6 records there is a fixed name length of 72 (32 nibbles + 31 dots + ".ip6.arpa". For Ipv4 it's a bit more complicated since the decimal numbers have variable lenghts, so we need to check a range. Reject any names that do not fit within those bounds. This also ensures that the name fits into name_buf{,6}. Fixes: TOB-OWRT-1 Fixes: 2b28094 ("dns: add support for reverse address mapping queries") Reported-by: Trail of Bits Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com> 2025-10-04T11:29:11Z Hauke Mehrtens 2025-10-04T11:29:11Z urn:sha1:2f75344fd0cc848558bf2ea3a94c0bf8b903ff89 CMake version 4.0 and later require minimum version of 3.5 or later. Update to minimum version 3.10 which is the last not deprecated minimum version. CMake 3.10 was released in November 2017 and is included in Ubuntu 18.04. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2025-05-28T22:40:37Z Rahul Thakur 2024-02-20T07:30:17Z urn:sha1:2b28094d31caa75cd60ef86f0a27a793beaff968 The mdnsd currently does not have the capability of responding to reverse address mapping dns requests for either IPv4 or IPv6. This commit adds support to handle reverse address mapping and respond with hostname if the address matches that of the DUT. Signed-off-by: Rahul Thakur <rahul.thakur@iopsys.eu> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup] 2025-05-28T22:28:57Z Avi 2025-03-11T02:18:19Z urn:sha1:cecbe1c0caaee3de70bea0413b9f90d4b5b5ca36 From [the RFC](https://github.com/openwrt/mdnsd/blob/master/rfc6762.txt#L2532-L2550): > The simple rules for case-insensitivity in Unicast DNS [RFC1034] [RFC1035] also apply in Multicast DNS; that is to say, in name comparisons, the lowercase letters "a" to "z" (0x61 to 0x7A) match their uppercase equivalents "A" to "Z" (0x41 to 0x5A). Hence, if a querier issues a query for an address record with the name "myprinter.local.", then a responder having an address record with the name "MyPrinter.local." should issue a response. No other automatic equivalences should be assumed. Fixes #15. Signed-off-by: Felix Fietkau <nbd@nbd.name> 2025-05-28T22:28:43Z Andrew Karpow 2025-05-25T04:02:39Z urn:sha1:695ac3708aa014aee9be77f91da2699eef1b4c66 The txt field of multicast dns is defined as an array of concatenated length-values, where length is encoded in the first byte and value is a non-NUL terminated string. The ubus announcements callback tokenized the txt buffer by dividing it between non-ASCII characters. This works fine for values with a length <32 characters, but not for longer strings. This patch correctly deserializes the txt values and removes the need for dynamic allocation. Signed-off-by: Andrew Karpow <andy@ndyk.de> Signed-off-by: Felix Fietkau <nbd@nbd.name> [minor cleanup]