Handle locally-routed DNS Queries (#904940)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit is contained in:
parent
f6006969c4
commit
261955a53f
@ -0,0 +1,178 @@
|
||||
diff -up dnsmasq-2.65/src/dnsmasq.c.local_queries dnsmasq-2.65/src/dnsmasq.c
|
||||
--- dnsmasq-2.65/src/dnsmasq.c.local_queries 2013-01-31 09:07:45.603092125 +0100
|
||||
+++ dnsmasq-2.65/src/dnsmasq.c 2013-01-31 09:07:45.606092127 +0100
|
||||
@@ -1401,20 +1401,29 @@ static void check_dns_listeners(fd_set *
|
||||
else
|
||||
{
|
||||
int if_index;
|
||||
-
|
||||
+ char intr_name[IF_NAMESIZE];
|
||||
+
|
||||
/* In full wildcard mode, need to refresh interface list.
|
||||
This happens automagically in CLEVERBIND */
|
||||
- if (!option_bool(OPT_CLEVERBIND))
|
||||
- enumerate_interfaces();
|
||||
-
|
||||
- /* if we can find the arrival interface, check it's one that's allowed */
|
||||
- if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
|
||||
+ if (!option_bool(OPT_CLEVERBIND))
|
||||
+ enumerate_interfaces();
|
||||
+
|
||||
+ /* if we can find the arrival interface, check it's one that's allowed */
|
||||
+ if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 &&
|
||||
+ indextoname(listener->tcpfd, if_index, intr_name))
|
||||
{
|
||||
+ struct all_addr addr;
|
||||
+ addr.addr.addr4 = tcp_addr.in.sin_addr;
|
||||
+#ifdef HAVE_IPV6
|
||||
+ if (tcp_addr.sa.sa_family == AF_INET6)
|
||||
+ addr.addr.addr6 = tcp_addr.in6.sin6_addr;
|
||||
+#endif
|
||||
+
|
||||
for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
if (iface->index == if_index)
|
||||
break;
|
||||
|
||||
- if (!iface)
|
||||
+ if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name))
|
||||
client_ok = 0;
|
||||
}
|
||||
|
||||
@@ -1422,10 +1431,10 @@ static void check_dns_listeners(fd_set *
|
||||
iface = listener->iface; /* May be NULL */
|
||||
else
|
||||
{
|
||||
- /* Check for allowed interfaces when binding the wildcard address:
|
||||
- we do this by looking for an interface with the same address as
|
||||
- the local address of the TCP connection, then looking to see if that's
|
||||
- an allowed interface. As a side effect, we get the netmask of the
|
||||
+ /* Check for allowed interfaces when binding the wildcard address:
|
||||
+ we do this by looking for an interface with the same address as
|
||||
+ the local address of the TCP connection, then looking to see if that's
|
||||
+ an allowed interface. As a side effect, we get the netmask of the
|
||||
interface too, for localisation. */
|
||||
|
||||
for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
diff -up dnsmasq-2.65/src/dnsmasq.h.local_queries dnsmasq-2.65/src/dnsmasq.h
|
||||
--- dnsmasq-2.65/src/dnsmasq.h.local_queries 2013-01-31 09:07:45.000000000 +0100
|
||||
+++ dnsmasq-2.65/src/dnsmasq.h 2013-01-31 09:10:36.091202196 +0100
|
||||
@@ -954,6 +954,7 @@ void create_wildcard_listeners(void);
|
||||
void create_bound_listeners(int die);
|
||||
int is_dad_listeners(void);
|
||||
int iface_check(int family, struct all_addr *addr, char *name);
|
||||
+int loopback_exception(int fd, int family, struct all_addr *addr, char *name);
|
||||
int fix_fd(int fd);
|
||||
int tcp_interface(int fd, int af);
|
||||
struct in_addr get_ifaddr(char *intr);
|
||||
diff -up dnsmasq-2.65/src/forward.c.local_queries dnsmasq-2.65/src/forward.c
|
||||
--- dnsmasq-2.65/src/forward.c.local_queries 2012-12-14 12:48:26.000000000 +0100
|
||||
+++ dnsmasq-2.65/src/forward.c 2013-01-31 09:19:58.087573008 +0100
|
||||
@@ -759,10 +759,17 @@ void receive_query(struct listener *list
|
||||
|
||||
/* enforce available interface configuration */
|
||||
|
||||
- if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
|
||||
- !iface_check(listen->family, &dst_addr, ifr.ifr_name))
|
||||
+ if (!indextoname(listen->fd, if_index, ifr.ifr_name))
|
||||
return;
|
||||
|
||||
+ if (!iface_check(listen->family, &dst_addr, ifr.ifr_name))
|
||||
+ {
|
||||
+ if (!option_bool(OPT_CLEVERBIND))
|
||||
+ enumerate_interfaces();
|
||||
+ if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
|
||||
{
|
||||
struct irec *iface;
|
||||
@@ -776,7 +783,7 @@ void receive_query(struct listener *list
|
||||
break;
|
||||
|
||||
/* interface may be new */
|
||||
- if (!iface)
|
||||
+ if (!iface && !option_bool(OPT_CLEVERBIND))
|
||||
enumerate_interfaces();
|
||||
|
||||
for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
diff -up dnsmasq-2.65/src/network.c.local_queries dnsmasq-2.65/src/network.c
|
||||
--- dnsmasq-2.65/src/network.c.local_queries 2013-01-31 09:07:45.000000000 +0100
|
||||
+++ dnsmasq-2.65/src/network.c 2013-01-31 09:25:28.669822969 +0100
|
||||
@@ -144,7 +144,39 @@ int iface_check(int family, struct all_a
|
||||
|
||||
return ret;
|
||||
}
|
||||
-
|
||||
+
|
||||
+/* Fix for problem that the kernel sometimes reports the loopback inerface as the
|
||||
+ arrival interface when a packet originates locally, even when sent to address of
|
||||
+ an interface other than the loopback. Accept packet if it arrived via a loopback
|
||||
+ interface, even when we're not accepting packets that way, as long as the destination
|
||||
+ address is one we're believing. Interface list must be up-to-date before calling. */
|
||||
+int loopback_exception(int fd, int family, struct all_addr *addr, char *name)
|
||||
+{
|
||||
+ struct ifreq ifr;
|
||||
+ struct irec *iface;
|
||||
+
|
||||
+ strncpy(ifr.ifr_name, name, IF_NAMESIZE);
|
||||
+ if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
|
||||
+ ifr.ifr_flags & IFF_LOOPBACK)
|
||||
+ {
|
||||
+ for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
+ if (iface->addr.sa.sa_family == family)
|
||||
+ {
|
||||
+ if (family == AF_INET)
|
||||
+ {
|
||||
+ if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
|
||||
+ return 1;
|
||||
+ }
|
||||
+#ifdef HAVE_IPV6
|
||||
+ else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6))
|
||||
+ return 1;
|
||||
+#endif
|
||||
+
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int iface_allowed(struct irec **irecp, int if_index,
|
||||
union mysockaddr *addr, struct in_addr netmask, int dad)
|
||||
{
|
||||
diff -up dnsmasq-2.65/src/tftp.c.local_queries dnsmasq-2.65/src/tftp.c
|
||||
--- dnsmasq-2.65/src/tftp.c.local_queries 2012-12-14 12:48:26.000000000 +0100
|
||||
+++ dnsmasq-2.65/src/tftp.c 2013-01-31 09:49:44.478008214 +0100
|
||||
@@ -61,6 +61,7 @@ void tftp_request(struct listener *liste
|
||||
char *name = NULL;
|
||||
char *prefix = daemon->tftp_prefix;
|
||||
struct tftp_prefix *pref;
|
||||
+ struct all_addr addra;
|
||||
|
||||
union {
|
||||
struct cmsghdr align; /* this ensures alignment */
|
||||
@@ -190,16 +191,19 @@ void tftp_request(struct listener *liste
|
||||
|
||||
name = namebuff;
|
||||
|
||||
+ addra.addr.addr4 = addr.in.sin_addr;
|
||||
+
|
||||
#ifdef HAVE_IPV6
|
||||
if (listen->family == AF_INET6)
|
||||
+ addra.addr.addr6 = addr.in6.sin6_addr;
|
||||
+#endif
|
||||
+ if (!iface_check(listen->family, &addra, name))
|
||||
{
|
||||
- if (!iface_check(AF_INET6, (struct all_addr *)&addr.in6.sin6_addr, name))
|
||||
+ if (!option_bool(OPT_CLEVERBIND))
|
||||
+ enumerate_interfaces();
|
||||
+ if (!loopback_exception(listen->tftpfd, listen->family, &addra, name))
|
||||
return;
|
||||
}
|
||||
- else
|
||||
-#endif
|
||||
- if (!iface_check(AF_INET, (struct all_addr *)&addr.in.sin_addr, name))
|
||||
- return;
|
||||
|
||||
#ifdef HAVE_DHCP
|
||||
/* allowed interfaces are the same as for DHCP */
|
@ -11,7 +11,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.65
|
||||
Release: 3%{?extraversion}%{?dist}
|
||||
Release: 4%{?extraversion}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -22,6 +22,8 @@ Source1: %{name}.service
|
||||
|
||||
# http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=22ce550e5346947a12a781ed0959a7b1165d0dc6
|
||||
Patch0: %{name}-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e25db1f273920d58c5d2e7569cd087e5bd73dd73
|
||||
Patch1: %{name}-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
@ -57,6 +59,7 @@ query/remove a DHCP server's leases.
|
||||
%setup -q -n %{name}-%{version}%{?extraversion}
|
||||
|
||||
%patch0 -p1 -b .CVE-2013-0198
|
||||
%patch1 -p1 -b .local_queries
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
@ -134,6 +137,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Thu Jan 31 2013 Tomas Hozza <thozza@redhat.com> - 2.65-4
|
||||
- Handle locally-routed DNS Queries (#904940)
|
||||
|
||||
* Thu Jan 24 2013 Tomas Hozza <thozza@redhat.com> - 2.65-3
|
||||
- build dnsmasq with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly (#903362)
|
||||
|
||||
|