rpms/dnsmasq
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to latest dnsmasq-2.66rc1

Browse Source 
- Dropping unneeded patches

Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit is contained in:
Tomas Hozza 2013-03-22 12:50:43 +01:00
parent bebbe6c7d0
commit b0df409e18
6 changed files with 9 additions and 420 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -4,3 +4,4 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.63.tar.gz
/dnsmasq-2.64.tar.gz
/dnsmasq-2.65.tar.gz
/dnsmasq-2.66rc1.tar.gz

37
dnsmasq-2.65-Allocate-dhcp_buff-ers-also-if-deamon-ra_contexts.patch
View File

@ -1,37 +0,0 @@
From c2845b1f4047c7441bae46c8651ab6a6df9d832c Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 15 Mar 2013 10:55:55 +0100
Subject: [PATCH] Allocate dhcp_buff-ers also if deamon->ra_contexts
Allocate dhcp_buff and prevent SIGSEGV.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
dnsmasq-2.65/src/dnsmasq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dnsmasq-2.65/src/dnsmasq.c b/dnsmasq-2.65/src/dnsmasq.c
index 02055e9..d61810b 100644
--- a/dnsmasq-2.65/src/dnsmasq.c
+++ b/dnsmasq-2.65/src/dnsmasq.c
@@ -152,13 +152,16 @@ int main (int argc, char **argv)
now = dnsmasq_time();
#ifdef HAVE_DHCP
- if (daemon->dhcp || daemon->dhcp6)
+ if (daemon->dhcp || daemon->dhcp6 || daemon->ra_contexts)
{
/* Note that order matters here, we must call lease_init before
creating any file descriptors which shouldn't be leaked
to the lease-script init process. We need to call common_init
before lease_init to allocate buffers it uses.*/
dhcp_common_init();
+ }
+ if (daemon->dhcp || daemon->dhcp6)
+ {
lease_init(now);
if (daemon->dhcp)
--
1.8.1.4

189
dnsmasq-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch
View File

@ -1,189 +0,0 @@
diff -up dnsmasq-2.65/src/dnsmasq.c.CVE-2013-0198 dnsmasq-2.65/src/dnsmasq.c
--- dnsmasq-2.65/src/dnsmasq.c.CVE-2013-0198 2012-12-14 12:48:26.000000000 +0100
+++ dnsmasq-2.65/src/dnsmasq.c 2013-01-22 16:32:30.387640907 +0100
@@ -1384,7 +1384,7 @@ static void check_dns_listeners(fd_set *
if (listener->tcpfd != -1 && FD_ISSET(listener->tcpfd, set))
{
- int confd;
+ int confd, client_ok = 1;
struct irec *iface = NULL;
pid_t p;
union mysockaddr tcp_addr;
@@ -1395,25 +1395,49 @@ static void check_dns_listeners(fd_set *
if (confd == -1 ||
getsockname(confd, (struct sockaddr *)&tcp_addr, &tcp_len) == -1)
continue;
-
- if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND))
+
+ if (option_bool(OPT_NOWILD))
iface = listener->iface; /* May be NULL */
- else
- {
- /* Check for allowed interfaces when binding the wildcard address:
- we do this by looking for an interface with the same address as
- the local address of the TCP connection, then looking to see if that's
- an allowed interface. As a side effect, we get the netmask of the
- interface too, for localisation. */
-
- /* interface may be new since startup */
- if (enumerate_interfaces())
- for (iface = daemon->interfaces; iface; iface = iface->next)
- if (sockaddr_isequal(&iface->addr, &tcp_addr))
- break;
- }
-
- if (!iface && !(option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND)))
+ else
+ {
+ int if_index;
+
+ /* In full wildcard mode, need to refresh interface list.
+ This happens automagically in CLEVERBIND */
+ if (!option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces();
+
+ /* if we can find the arrival interface, check it's one that's allowed */
+ if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
+ {
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (iface->index == if_index)
+ break;
+
+ if (!iface)
+ client_ok = 0;
+ }
+
+ if (option_bool(OPT_CLEVERBIND))
+ iface = listener->iface; /* May be NULL */
+ else
+ {
+ /* Check for allowed interfaces when binding the wildcard address:
+ we do this by looking for an interface with the same address as
+ the local address of the TCP connection, then looking to see if that's
+ an allowed interface. As a side effect, we get the netmask of the
+ interface too, for localisation. */
+
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (sockaddr_isequal(&iface->addr, &tcp_addr))
+ break;
+
+ if (!iface)
+ client_ok = 0;
+ }
+ }
+
+ if (!client_ok)
{
shutdown(confd, SHUT_RDWR);
close(confd);
diff -up dnsmasq-2.65/src/dnsmasq.h.CVE-2013-0198 dnsmasq-2.65/src/dnsmasq.h
--- dnsmasq-2.65/src/dnsmasq.h.CVE-2013-0198 2012-12-14 12:48:26.000000000 +0100
+++ dnsmasq-2.65/src/dnsmasq.h 2013-01-22 16:32:30.387640907 +0100
@@ -412,7 +412,7 @@ struct server {
struct irec {
union mysockaddr addr;
struct in_addr netmask; /* only valid for IPv4 */
- int tftp_ok, dhcp_ok, mtu, done, dad;
+ int tftp_ok, dhcp_ok, mtu, done, dad, index;
char *name;
struct irec *next;
};
@@ -955,6 +955,7 @@ void create_bound_listeners(int die);
int is_dad_listeners(void);
int iface_check(int family, struct all_addr *addr, char *name);
int fix_fd(int fd);
+int tcp_interface(int fd, int af);
struct in_addr get_ifaddr(char *intr);
#ifdef HAVE_IPV6
int set_ipv6pktinfo(int fd);
diff -up dnsmasq-2.65/src/network.c.CVE-2013-0198 dnsmasq-2.65/src/network.c
--- dnsmasq-2.65/src/network.c.CVE-2013-0198 2012-12-14 12:48:26.000000000 +0100
+++ dnsmasq-2.65/src/network.c 2013-01-22 17:33:00.349128334 +0100
@@ -239,6 +239,7 @@ static int iface_allowed(struct irec **i
iface->mtu = mtu;
iface->dad = dad;
iface->done = 0;
+ iface->index = if_index;
if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
{
strcpy(iface->name, ifr.ifr_name);
@@ -420,6 +421,77 @@ int set_ipv6pktinfo(int fd)
return 0;
}
#endif
+
+
+/* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
+int tcp_interface(int fd, int af)
+{
+ int if_index = 0;
+
+#ifdef HAVE_LINUX_NETWORK
+ int opt = 1;
+ struct cmsghdr *cmptr;
+ struct msghdr msg;
+
+ /* use mshdr do that the CMSDG_* macros are available */
+ msg.msg_control = daemon->packet;
+ msg.msg_controllen = daemon->packet_buff_sz;
+
+ /* we overwrote the buffer... */
+ daemon->srv_save = NULL;
+
+ if (af == AF_INET)
+ {
+ if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
+ getsockopt(fd, IPPROTO_IP, IP_PKTOPTIONS, msg.msg_control, (socklen_t *)&msg.msg_controllen) != -1)
+ for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+ if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
+ {
+ union {
+ unsigned char *c;
+ struct in_pktinfo *p;
+ } p;
+
+ p.c = CMSG_DATA(cmptr);
+ if_index = p.p->ipi_ifindex;
+ }
+ }
+#ifdef HAVE_IPV6
+ else
+ {
+ /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
+ it was removed in RFC-3542 !!!!
+
+ Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
+ uses the old ABI, and should work with pre- and post-3542 kernel headers */
+
+#ifdef IPV6_2292PKTOPTIONS
+# define PKTOPTIONS IPV6_2292PKTOPTIONS
+#else
+# define PKTOPTIONS IPV6_PKTOPTIONS
+#endif
+
+ if (set_ipv6pktinfo(fd) &&
+ getsockopt(fd, IPPROTO_IPV6, PKTOPTIONS, msg.msg_control, (socklen_t *)&msg.msg_controllen) != -1)
+ {
+ for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+ if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
+ {
+ union {
+ unsigned char *c;
+ struct in6_pktinfo *p;
+ } p;
+ p.c = CMSG_DATA(cmptr);
+
+ if_index = p.p->ipi6_ifindex;
+ }
+ }
+ }
+#endif /* IPV6 */
+#endif /* Linux */
+
+ return if_index;
+}
static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, int dienow)
{

178
dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
View File

@ -1,178 +0,0 @@
diff -up dnsmasq-2.65/src/dnsmasq.c.local_queries dnsmasq-2.65/src/dnsmasq.c
--- dnsmasq-2.65/src/dnsmasq.c.local_queries 2013-01-31 09:07:45.603092125 +0100
+++ dnsmasq-2.65/src/dnsmasq.c 2013-01-31 09:07:45.606092127 +0100
@@ -1401,20 +1401,29 @@ static void check_dns_listeners(fd_set *
else
{
int if_index;
-
+ char intr_name[IF_NAMESIZE];
+
/* In full wildcard mode, need to refresh interface list.
This happens automagically in CLEVERBIND */
- if (!option_bool(OPT_CLEVERBIND))
- enumerate_interfaces();
-
- /* if we can find the arrival interface, check it's one that's allowed */
- if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
+ if (!option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces();
+
+ /* if we can find the arrival interface, check it's one that's allowed */
+ if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 &&
+ indextoname(listener->tcpfd, if_index, intr_name))
{
+ struct all_addr addr;
+ addr.addr.addr4 = tcp_addr.in.sin_addr;
+#ifdef HAVE_IPV6
+ if (tcp_addr.sa.sa_family == AF_INET6)
+ addr.addr.addr6 = tcp_addr.in6.sin6_addr;
+#endif
+
for (iface = daemon->interfaces; iface; iface = iface->next)
if (iface->index == if_index)
break;
- if (!iface)
+ if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name))
client_ok = 0;
}
@@ -1422,10 +1431,10 @@ static void check_dns_listeners(fd_set *
iface = listener->iface; /* May be NULL */
else
{
- /* Check for allowed interfaces when binding the wildcard address:
- we do this by looking for an interface with the same address as
- the local address of the TCP connection, then looking to see if that's
- an allowed interface. As a side effect, we get the netmask of the
+ /* Check for allowed interfaces when binding the wildcard address:
+ we do this by looking for an interface with the same address as
+ the local address of the TCP connection, then looking to see if that's
+ an allowed interface. As a side effect, we get the netmask of the
interface too, for localisation. */
for (iface = daemon->interfaces; iface; iface = iface->next)
diff -up dnsmasq-2.65/src/dnsmasq.h.local_queries dnsmasq-2.65/src/dnsmasq.h
--- dnsmasq-2.65/src/dnsmasq.h.local_queries 2013-01-31 09:07:45.000000000 +0100
+++ dnsmasq-2.65/src/dnsmasq.h 2013-01-31 09:10:36.091202196 +0100
@@ -954,6 +954,7 @@ void create_wildcard_listeners(void);
void create_bound_listeners(int die);
int is_dad_listeners(void);
int iface_check(int family, struct all_addr *addr, char *name);
+int loopback_exception(int fd, int family, struct all_addr *addr, char *name);
int fix_fd(int fd);
int tcp_interface(int fd, int af);
struct in_addr get_ifaddr(char *intr);
diff -up dnsmasq-2.65/src/forward.c.local_queries dnsmasq-2.65/src/forward.c
--- dnsmasq-2.65/src/forward.c.local_queries 2012-12-14 12:48:26.000000000 +0100
+++ dnsmasq-2.65/src/forward.c 2013-01-31 09:19:58.087573008 +0100
@@ -759,10 +759,17 @@ void receive_query(struct listener *list
/* enforce available interface configuration */
- if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
- !iface_check(listen->family, &dst_addr, ifr.ifr_name))
+ if (!indextoname(listen->fd, if_index, ifr.ifr_name))
return;
+ if (!iface_check(listen->family, &dst_addr, ifr.ifr_name))
+ {
+ if (!option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces();
+ if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
+ return;
+ }
+
if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
{
struct irec *iface;
@@ -776,7 +783,7 @@ void receive_query(struct listener *list
break;
/* interface may be new */
- if (!iface)
+ if (!iface && !option_bool(OPT_CLEVERBIND))
enumerate_interfaces();
for (iface = daemon->interfaces; iface; iface = iface->next)
diff -up dnsmasq-2.65/src/network.c.local_queries dnsmasq-2.65/src/network.c
--- dnsmasq-2.65/src/network.c.local_queries 2013-01-31 09:07:45.000000000 +0100
+++ dnsmasq-2.65/src/network.c 2013-01-31 09:25:28.669822969 +0100
@@ -144,7 +144,39 @@ int iface_check(int family, struct all_a
return ret;
}
-
+
+/* Fix for problem that the kernel sometimes reports the loopback inerface as the
+ arrival interface when a packet originates locally, even when sent to address of
+ an interface other than the loopback. Accept packet if it arrived via a loopback
+ interface, even when we're not accepting packets that way, as long as the destination
+ address is one we're believing. Interface list must be up-to-date before calling. */
+int loopback_exception(int fd, int family, struct all_addr *addr, char *name)
+{
+ struct ifreq ifr;
+ struct irec *iface;
+
+ strncpy(ifr.ifr_name, name, IF_NAMESIZE);
+ if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
+ ifr.ifr_flags & IFF_LOOPBACK)
+ {
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (iface->addr.sa.sa_family == family)
+ {
+ if (family == AF_INET)
+ {
+ if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+ return 1;
+ }
+#ifdef HAVE_IPV6
+ else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6))
+ return 1;
+#endif
+
+ }
+ }
+ return 0;
+}
+
static int iface_allowed(struct irec **irecp, int if_index,
union mysockaddr *addr, struct in_addr netmask, int dad)
{
diff -up dnsmasq-2.65/src/tftp.c.local_queries dnsmasq-2.65/src/tftp.c
--- dnsmasq-2.65/src/tftp.c.local_queries 2012-12-14 12:48:26.000000000 +0100
+++ dnsmasq-2.65/src/tftp.c 2013-01-31 09:49:44.478008214 +0100
@@ -61,6 +61,7 @@ void tftp_request(struct listener *liste
char *name = NULL;
char *prefix = daemon->tftp_prefix;
struct tftp_prefix *pref;
+ struct all_addr addra;
union {
struct cmsghdr align; /* this ensures alignment */
@@ -190,16 +191,19 @@ void tftp_request(struct listener *liste
name = namebuff;
+ addra.addr.addr4 = addr.in.sin_addr;
+
#ifdef HAVE_IPV6
if (listen->family == AF_INET6)
+ addra.addr.addr6 = addr.in6.sin6_addr;
+#endif
+ if (!iface_check(listen->family, &addra, name))
{
- if (!iface_check(AF_INET6, (struct all_addr *)&addr.in6.sin6_addr, name))
+ if (!option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces();
+ if (!loopback_exception(listen->tftpfd, listen->family, &addra, name))
return;
}
- else
-#endif
- if (!iface_check(AF_INET, (struct all_addr *)&addr.in.sin_addr, name))
- return;
#ifdef HAVE_DHCP
/* allowed interfaces are the same as for DHCP */

22
dnsmasq.spec
View File

@ -1,5 +1,5 @@
%define testrelease 0
%define releasecandidate 0
%define releasecandidate 1
%if 0%{testrelease}
%define extrapath test-releases/
%define extraversion test30
@ -10,8 +10,8 @@
%endif
Name: dnsmasq
Version: 2.65
Release: 5%{?extraversion}%{?dist}
Version: 2.66
Release: 1%{?extraversion}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@ -20,14 +20,6 @@ URL: http://www.thekelleys.org.uk/dnsmasq/
Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?extraversion}.tar.gz
Source1: %{name}.service
# http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=22ce550e5346947a12a781ed0959a7b1165d0dc6
Patch0: %{name}-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e25db1f273920d58c5d2e7569cd087e5bd73dd73
Patch1: %{name}-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
# Code has been completely rewritten in new version
# http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q1/006967.html
Patch2: %{name}-2.65-Allocate-dhcp_buff-ers-also-if-deamon-ra_contexts.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: dbus-devel
@ -61,10 +53,6 @@ query/remove a DHCP server's leases.
%prep
%setup -q -n %{name}-%{version}%{?extraversion}
%patch0 -p1 -b .CVE-2013-0198
%patch1 -p1 -b .local_queries
%patch2 -p2 -b .SIGSEGV
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
@ -141,6 +129,10 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/dhcp_*
%changelog
* Fri Mar 22 2013 Tomas Hozza <thozza@redhat.com> - 2.66-1.rc1
- Update to latest dnsmasq-2.66rc1
- Dropping unneeded patches
* Fri Mar 15 2013 Tomas Hozza <thozza@redhat.com> - 2.65-5
- Allocate dhcp_buff-ers also if daemon->ra_contexts to prevent SIGSEGV (#920300)

2
sources
View File

@ -1 +1 @@
a91534a5d6f053d5c80f67ef502afa34 dnsmasq-2.65.tar.gz
f1461f0f1c29cce8f92a4534a57003cd dnsmasq-2.66rc1.tar.gz