Update to dnsmasq 2.80

Fix underflow patch
This commit is contained in:
Petr Menšík 2018-10-24 19:26:46 +02:00
parent 8a0901a90e
commit d63c7d423a
7 changed files with 31 additions and 102 deletions

1
.gitignore vendored
View File

@ -27,3 +27,4 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.77.tar.xz /dnsmasq-2.77.tar.xz
/dnsmasq-2.78.tar.xz /dnsmasq-2.78.tar.xz
/dnsmasq-2.79.tar.xz /dnsmasq-2.79.tar.xz
/dnsmasq-2.80.tar.xz

View File

@ -1,4 +1,4 @@
From c82a594d95431e8615126621397ea595eb037a6b Mon Sep 17 00:00:00 2001 From 0ef799244732871e043d848f2f845c797f5a0745 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert@redhat.com> From: Doran Moppert <dmoppert@redhat.com>
Date: Tue, 26 Sep 2017 14:48:20 +0930 Date: Tue, 26 Sep 2017 14:48:20 +0930
Subject: [PATCH] google patch hand-applied Subject: [PATCH] google patch hand-applied
@ -31,10 +31,10 @@ index af33877..ba6ff0c 100644
free(buff); free(buff);
p += rdlen; p += rdlen;
diff --git a/src/forward.c b/src/forward.c diff --git a/src/forward.c b/src/forward.c
index cdd11d3..3078f64 100644 index 3dd8633..64af66f 100644
--- a/src/forward.c --- a/src/forward.c
+++ b/src/forward.c +++ b/src/forward.c
@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now) @@ -1577,6 +1577,10 @@ void receive_query(struct listener *listen, time_t now)
udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
} }
@ -46,18 +46,18 @@ index cdd11d3..3078f64 100644
if (auth_dns) if (auth_dns)
{ {
diff --git a/src/rfc1035.c b/src/rfc1035.c diff --git a/src/rfc1035.c b/src/rfc1035.c
index b078b59..777911b 100644 index 6290f22..a943ecb 100644
--- a/src/rfc1035.c --- a/src/rfc1035.c
+++ b/src/rfc1035.c +++ b/src/rfc1035.c
@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, @@ -1292,6 +1292,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
struct mx_srv_record *rec; struct mx_srv_record *rec;
size_t len; size_t len;
+ // Make sure we do not underflow here too. + // Make sure we do not underflow here too.
+ if (qlen > (limit - ((char *)header))) return 0; + if (qlen > (limit - ((char *)header))) return 0;
if (ntohs(header->ancount) != 0 || /* never answer queries with RD unset, to avoid cache snooping. */
ntohs(header->nscount) != 0 || if (!(header->hb3 & HB3_RD) ||
-- --
2.14.3 2.14.4

View File

@ -1,4 +1,4 @@
From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001 From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 2 Mar 2018 13:17:04 +0100 Date: Fri, 2 Mar 2018 13:17:04 +0100
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
@ -9,7 +9,7 @@ Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
1 file changed, 5 insertions(+), 1 deletion(-) 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index ce44809..9f6c020 100644 index 480c5f9..5fd229e 100644
--- a/src/dnsmasq.c --- a/src/dnsmasq.c
+++ b/src/dnsmasq.c +++ b/src/dnsmasq.c
@@ -187,6 +187,7 @@ int main (int argc, char **argv) @@ -187,6 +187,7 @@ int main (int argc, char **argv)
@ -20,9 +20,9 @@ index ce44809..9f6c020 100644
#else #else
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
#endif #endif
@@ -769,7 +770,10 @@ int main (int argc, char **argv) @@ -786,7 +787,10 @@ int main (int argc, char **argv)
} my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
else
my_syslog(LOG_INFO, _("DNSSEC validation enabled")); my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
- -
+ +

View File

@ -1,4 +1,4 @@
From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001 From 8455bcbe5311ee0d15bcebe494580fec8868a93a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 9 Aug 2018 18:17:26 +0200 Date: Thu, 9 Aug 2018 18:17:26 +0200
Subject: [PATCH] Use OS random ports by default Subject: [PATCH] Use OS random ports by default
@ -13,11 +13,11 @@ separately. Would use port according to system policy.
3 files changed, 16 insertions(+), 5 deletions(-) 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 9f6c020..4cd478e 100644 index ac5d8aa..6d51d3b 100644
--- a/src/dnsmasq.c --- a/src/dnsmasq.c
+++ b/src/dnsmasq.c +++ b/src/dnsmasq.c
@@ -226,7 +226,7 @@ int main (int argc, char **argv) @@ -230,7 +230,7 @@ int main (int argc, char **argv)
die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); die(_("Ubus not available: set HAVE_UBUS in src/config.h"), NULL, EC_BADCONF);
#endif #endif
- if (daemon->max_port < daemon->min_port) - if (daemon->max_port < daemon->min_port)
@ -26,7 +26,7 @@ index 9f6c020..4cd478e 100644
now = dnsmasq_time(); now = dnsmasq_time();
diff --git a/src/network.c b/src/network.c diff --git a/src/network.c b/src/network.c
index 0381513..9747d26 100644 index 8ae7a70..58a2819 100644
--- a/src/network.c --- a/src/network.c
+++ b/src/network.c +++ b/src/network.c
@@ -1138,18 +1138,27 @@ int random_sock(int family) @@ -1138,18 +1138,27 @@ int random_sock(int family)
@ -61,10 +61,10 @@ index 0381513..9747d26 100644
if (family == AF_INET) if (family == AF_INET)
{ {
diff --git a/src/option.c b/src/option.c diff --git a/src/option.c b/src/option.c
index d358d99..b7eaff0 100644 index 7ccbdea..477dd52 100644
--- a/src/option.c --- a/src/option.c
+++ b/src/option.c +++ b/src/option.c
@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma @@ -2619,6 +2619,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
case LOPT_MINPORT: /* --min-port */ case LOPT_MINPORT: /* --min-port */
if (!atoi_check16(arg, &daemon->min_port)) if (!atoi_check16(arg, &daemon->min_port))
ret_err(gen_err); ret_err(gen_err);
@ -73,7 +73,7 @@ index d358d99..b7eaff0 100644
break; break;
case LOPT_MAXPORT: /* --max-port */ case LOPT_MAXPORT: /* --max-port */
@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts) @@ -4754,7 +4756,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
daemon->soa_refresh = SOA_REFRESH; daemon->soa_refresh = SOA_REFRESH;
daemon->soa_retry = SOA_RETRY; daemon->soa_retry = SOA_RETRY;
daemon->soa_expiry = SOA_EXPIRY; daemon->soa_expiry = SOA_EXPIRY;

View File

@ -1,73 +0,0 @@
From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 29 Jun 2018 14:39:41 +0100
Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
enabled.
Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
of of having DNSSEC validation compiled in or enabled.
The thing to understand here is that the cache does not store all the
DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
to determine the set of DNSSEC RRs required in an answer. Therefore if
the client wants the DNSSEC RRs, the query can not be answered from
the cache. When DNSSEC validation is enabled, any query with the
do-bit set is never answered from the cache, unless the domain is
known not to be signed: the query is always forwarded. This ensures
that the DNSEC RRs are included.
The same thing should be true when DNSSEC validation is not enabled,
but there's a bug in the logic.
line 1666 of src/rfc1035.c looks like this
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
{ ...answer from cache ... }
So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
then the query is answered, and if the domain is known not to be
signed, the query is answered.
Unfortunately, if DNSSEC validation is not turned on then the
F_DNSSECOK bit is not valid, and it's always zero, so the question
always gets answered from the cache, even when the do-bit is set.
This code should look like that at line 1468, dealing with PTR queries
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
!do_bit ||
(option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
where the F_DNSSECOK bit is only used when validation is enabled.
---
src/rfc1035.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/rfc1035.c b/src/rfc1035.c
index ebb1f36..580f5ef 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
}
/* If the client asked for DNSSEC don't use cached data. */
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+ !do_bit ||
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
do
{
/* don't answer wildcard queries with data not from /etc/hosts
@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
{
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
{
if (!(crecp->flags & F_DNSSECOK))
sec_data = 0;
--
2.14.4

View File

@ -12,8 +12,8 @@
%define _hardened_build 1 %define _hardened_build 1
Name: dnsmasq Name: dnsmasq
Version: 2.79 Version: 2.80
Release: 8%{?extraversion:.%{extraversion}}%{?dist} Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3 License: GPLv2 or GPLv3
@ -25,7 +25,6 @@ Source2: dnsmasq-systemd-sysusers.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
Patch1: dnsmasq-2.77-underflow.patch Patch1: dnsmasq-2.77-underflow.patch
Patch3: dnsmasq-2.78-fips.patch Patch3: dnsmasq-2.78-fips.patch
Patch4: dnsmasq-2.80-dnssec.patch
Patch5: dnsmasq-2.79-randomize-ports.patch Patch5: dnsmasq-2.79-randomize-ports.patch
# This is workaround to nettle bug #1549190 # This is workaround to nettle bug #1549190
@ -63,7 +62,6 @@ server's leases.
%setup -q -n %{name}-%{version}%{?extraversion} %setup -q -n %{name}-%{version}%{?extraversion}
%patch1 -p1 -b .underflow %patch1 -p1 -b .underflow
%patch3 -p1 -b .fips %patch3 -p1 -b .fips
%patch4 -p1 -b .dnssec
%patch5 -p1 -b .ports %patch5 -p1 -b .ports
# use /var/lib/dnsmasq instead of /var/lib/misc # use /var/lib/dnsmasq instead of /var/lib/misc
@ -165,6 +163,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man1/dhcp_* %{_mandir}/man1/dhcp_*
%changelog %changelog
* Mon Aug 20 2018 Petr Menšík <pemensik@redhat.com> - 2.80-1
- Update to 2.80
* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 2.79-8 * Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 2.79-8
- Better randomize ports - Better randomize ports

View File

@ -1 +1 @@
SHA512 (dnsmasq-2.79.tar.xz) = 2c06212696ab55e1584f6133872f5b196013509e4b1822d0457787b456e14341afdde887749e370a2e512124cb4138f012f4601b08690707be4acc7cf2f2876f SHA512 (dnsmasq-2.80.tar.xz) = 58e56beb553fc41311e5dc16d8b0eb3b6801e2bdfbcd0e7a6659703f08960b6ad10d48b0b14a4d727636faf35483e01597cff2ae49e7fe9fa9e214f437b1c068