Update to dnsmasq 2.80
Fix underflow patch
parent
8a0901a90e
commit
d63c7d423a
1
.gitignore
1
.gitignore
@ -27,3 +27,4 @@ dnsmasq-2.52.tar.lzma
|
|||||||
/dnsmasq-2.77.tar.xz
|
/dnsmasq-2.77.tar.xz
|
||||||
/dnsmasq-2.78.tar.xz
|
/dnsmasq-2.78.tar.xz
|
||||||
/dnsmasq-2.79.tar.xz
|
/dnsmasq-2.79.tar.xz
|
||||||
|
/dnsmasq-2.80.tar.xz
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c82a594d95431e8615126621397ea595eb037a6b Mon Sep 17 00:00:00 2001
|
From 0ef799244732871e043d848f2f845c797f5a0745 Mon Sep 17 00:00:00 2001
|
||||||
From: Doran Moppert <dmoppert@redhat.com>
|
From: Doran Moppert <dmoppert@redhat.com>
|
||||||
Date: Tue, 26 Sep 2017 14:48:20 +0930
|
Date: Tue, 26 Sep 2017 14:48:20 +0930
|
||||||
Subject: [PATCH] google patch hand-applied
|
Subject: [PATCH] google patch hand-applied
|
||||||
@ -31,10 +31,10 @@ index af33877..ba6ff0c 100644
|
|||||||
free(buff);
|
free(buff);
|
||||||
p += rdlen;
|
p += rdlen;
|
||||||
diff --git a/src/forward.c b/src/forward.c
|
diff --git a/src/forward.c b/src/forward.c
|
||||||
index cdd11d3..3078f64 100644
|
index 3dd8633..64af66f 100644
|
||||||
--- a/src/forward.c
|
--- a/src/forward.c
|
||||||
+++ b/src/forward.c
|
+++ b/src/forward.c
|
||||||
@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now)
|
@@ -1577,6 +1577,10 @@ void receive_query(struct listener *listen, time_t now)
|
||||||
udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
|
udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -46,18 +46,18 @@ index cdd11d3..3078f64 100644
|
|||||||
if (auth_dns)
|
if (auth_dns)
|
||||||
{
|
{
|
||||||
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
||||||
index b078b59..777911b 100644
|
index 6290f22..a943ecb 100644
|
||||||
--- a/src/rfc1035.c
|
--- a/src/rfc1035.c
|
||||||
+++ b/src/rfc1035.c
|
+++ b/src/rfc1035.c
|
||||||
@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
@@ -1292,6 +1292,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
|
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
|
||||||
struct mx_srv_record *rec;
|
struct mx_srv_record *rec;
|
||||||
size_t len;
|
size_t len;
|
||||||
+ // Make sure we do not underflow here too.
|
+ // Make sure we do not underflow here too.
|
||||||
+ if (qlen > (limit - ((char *)header))) return 0;
|
+ if (qlen > (limit - ((char *)header))) return 0;
|
||||||
|
|
||||||
if (ntohs(header->ancount) != 0 ||
|
/* never answer queries with RD unset, to avoid cache snooping. */
|
||||||
ntohs(header->nscount) != 0 ||
|
if (!(header->hb3 & HB3_RD) ||
|
||||||
--
|
--
|
||||||
2.14.3
|
2.14.4
|
||||||
|
|
||||||
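Review bot: The guard carried as context in the second hunk of the underflow patch, `if (qlen > (limit - ((char *)header))) return 0;`, compares the `size_t qlen` from answer_request's signature with a `ptrdiff_t`, so under the usual arithmetic conversions a `limit` that lies below `header` would turn into a large unsigned value and the check would not fire. The rebase only moves the surrounding context, but since the patch is being re-applied to 2.80 it is a cheap moment to make the bound explicit: `if (limit < (char *)header || qlen > (size_t)(limit - (char *)header)) return 0;`. Whether any caller can actually hand in such a `limit` is not visible here and would need checking against receive_query in forward.c. The rest of answer_request's body lies outside the hunk.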
|
@ -1,4 +1,4 @@
|
|||||||
From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
|
From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
||||||
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
||||||
@ -9,7 +9,7 @@ Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
|||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
||||||
index ce44809..9f6c020 100644
|
index 480c5f9..5fd229e 100644
|
||||||
--- a/src/dnsmasq.c
|
--- a/src/dnsmasq.c
|
||||||
+++ b/src/dnsmasq.c
|
+++ b/src/dnsmasq.c
|
||||||
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
|
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
|
||||||
@ -20,9 +20,9 @@ index ce44809..9f6c020 100644
|
|||||||
#else
|
#else
|
||||||
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
||||||
#endif
|
#endif
|
||||||
@@ -769,7 +770,10 @@ int main (int argc, char **argv)
|
@@ -786,7 +787,10 @@ int main (int argc, char **argv)
|
||||||
}
|
my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
|
||||||
|
else
|
||||||
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
||||||
-
|
-
|
||||||
+
|
+
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001
|
From 8455bcbe5311ee0d15bcebe494580fec8868a93a Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
Date: Thu, 9 Aug 2018 18:17:26 +0200
|
Date: Thu, 9 Aug 2018 18:17:26 +0200
|
||||||
Subject: [PATCH] Use OS random ports by default
|
Subject: [PATCH] Use OS random ports by default
|
||||||
@ -13,11 +13,11 @@ separately. Would use port according to system policy.
|
|||||||
3 files changed, 16 insertions(+), 5 deletions(-)
|
3 files changed, 16 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
||||||
index 9f6c020..4cd478e 100644
|
index ac5d8aa..6d51d3b 100644
|
||||||
--- a/src/dnsmasq.c
|
--- a/src/dnsmasq.c
|
||||||
+++ b/src/dnsmasq.c
|
+++ b/src/dnsmasq.c
|
||||||
@@ -226,7 +226,7 @@ int main (int argc, char **argv)
|
@@ -230,7 +230,7 @@ int main (int argc, char **argv)
|
||||||
die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
|
die(_("Ubus not available: set HAVE_UBUS in src/config.h"), NULL, EC_BADCONF);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
- if (daemon->max_port < daemon->min_port)
|
- if (daemon->max_port < daemon->min_port)
|
||||||
@ -26,7 +26,7 @@ index 9f6c020..4cd478e 100644
|
|||||||
|
|
||||||
now = dnsmasq_time();
|
now = dnsmasq_time();
|
||||||
diff --git a/src/network.c b/src/network.c
|
diff --git a/src/network.c b/src/network.c
|
||||||
index 0381513..9747d26 100644
|
index 8ae7a70..58a2819 100644
|
||||||
--- a/src/network.c
|
--- a/src/network.c
|
||||||
+++ b/src/network.c
|
+++ b/src/network.c
|
||||||
@@ -1138,18 +1138,27 @@ int random_sock(int family)
|
@@ -1138,18 +1138,27 @@ int random_sock(int family)
|
||||||
@ -61,10 +61,10 @@ index 0381513..9747d26 100644
|
|||||||
if (family == AF_INET)
|
if (family == AF_INET)
|
||||||
{
|
{
|
||||||
diff --git a/src/option.c b/src/option.c
|
diff --git a/src/option.c b/src/option.c
|
||||||
index d358d99..b7eaff0 100644
|
index 7ccbdea..477dd52 100644
|
||||||
--- a/src/option.c
|
--- a/src/option.c
|
||||||
+++ b/src/option.c
|
+++ b/src/option.c
|
||||||
@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
@@ -2619,6 +2619,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||||
case LOPT_MINPORT: /* --min-port */
|
case LOPT_MINPORT: /* --min-port */
|
||||||
if (!atoi_check16(arg, &daemon->min_port))
|
if (!atoi_check16(arg, &daemon->min_port))
|
||||||
ret_err(gen_err);
|
ret_err(gen_err);
|
||||||
@ -73,7 +73,7 @@ index d358d99..b7eaff0 100644
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case LOPT_MAXPORT: /* --max-port */
|
case LOPT_MAXPORT: /* --max-port */
|
||||||
@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
|
@@ -4754,7 +4756,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
|
||||||
daemon->soa_refresh = SOA_REFRESH;
|
daemon->soa_refresh = SOA_REFRESH;
|
||||||
daemon->soa_retry = SOA_RETRY;
|
daemon->soa_retry = SOA_RETRY;
|
||||||
daemon->soa_expiry = SOA_EXPIRY;
|
daemon->soa_expiry = SOA_EXPIRY;
|
||||||
|
@ -1,73 +0,0 @@
|
|||||||
From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Fri, 29 Jun 2018 14:39:41 +0100
|
|
||||||
Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
|
|
||||||
enabled.
|
|
||||||
|
|
||||||
Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
|
|
||||||
of of having DNSSEC validation compiled in or enabled.
|
|
||||||
|
|
||||||
The thing to understand here is that the cache does not store all the
|
|
||||||
DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
|
|
||||||
to determine the set of DNSSEC RRs required in an answer. Therefore if
|
|
||||||
the client wants the DNSSEC RRs, the query can not be answered from
|
|
||||||
the cache. When DNSSEC validation is enabled, any query with the
|
|
||||||
do-bit set is never answered from the cache, unless the domain is
|
|
||||||
known not to be signed: the query is always forwarded. This ensures
|
|
||||||
that the DNSEC RRs are included.
|
|
||||||
|
|
||||||
The same thing should be true when DNSSEC validation is not enabled,
|
|
||||||
but there's a bug in the logic.
|
|
||||||
|
|
||||||
line 1666 of src/rfc1035.c looks like this
|
|
||||||
|
|
||||||
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
|
|
||||||
|
|
||||||
{ ...answer from cache ... }
|
|
||||||
|
|
||||||
So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
|
|
||||||
then the query is answered, and if the domain is known not to be
|
|
||||||
signed, the query is answered.
|
|
||||||
|
|
||||||
Unfortunately, if DNSSEC validation is not turned on then the
|
|
||||||
F_DNSSECOK bit is not valid, and it's always zero, so the question
|
|
||||||
always gets answered from the cache, even when the do-bit is set.
|
|
||||||
|
|
||||||
This code should look like that at line 1468, dealing with PTR queries
|
|
||||||
|
|
||||||
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
|
||||||
!do_bit ||
|
|
||||||
(option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
|
||||||
|
|
||||||
where the F_DNSSECOK bit is only used when validation is enabled.
|
|
||||||
---
|
|
||||||
src/rfc1035.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
||||||
index ebb1f36..580f5ef 100644
|
|
||||||
--- a/src/rfc1035.c
|
|
||||||
+++ b/src/rfc1035.c
|
|
||||||
@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the client asked for DNSSEC don't use cached data. */
|
|
||||||
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
|
|
||||||
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
|
||||||
+ !do_bit ||
|
|
||||||
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
|
||||||
do
|
|
||||||
{
|
|
||||||
/* don't answer wildcard queries with data not from /etc/hosts
|
|
||||||
@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
||||||
{
|
|
||||||
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
|
|
||||||
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
|
|
||||||
- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
|
|
||||||
+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
|
|
||||||
{
|
|
||||||
if (!(crecp->flags & F_DNSSECOK))
|
|
||||||
sec_data = 0;
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
@ -12,8 +12,8 @@
|
|||||||
%define _hardened_build 1
|
%define _hardened_build 1
|
||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.79
|
Version: 2.80
|
||||||
Release: 8%{?extraversion:.%{extraversion}}%{?dist}
|
Release: 1%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -25,7 +25,6 @@ Source2: dnsmasq-systemd-sysusers.conf
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
||||||
Patch1: dnsmasq-2.77-underflow.patch
|
Patch1: dnsmasq-2.77-underflow.patch
|
||||||
Patch3: dnsmasq-2.78-fips.patch
|
Patch3: dnsmasq-2.78-fips.patch
|
||||||
Patch4: dnsmasq-2.80-dnssec.patch
|
|
||||||
Patch5: dnsmasq-2.79-randomize-ports.patch
|
Patch5: dnsmasq-2.79-randomize-ports.patch
|
||||||
|
|
||||||
# This is workaround to nettle bug #1549190
|
# This is workaround to nettle bug #1549190
|
||||||
@ -63,7 +62,6 @@ server's leases.
|
|||||||
%setup -q -n %{name}-%{version}%{?extraversion}
|
%setup -q -n %{name}-%{version}%{?extraversion}
|
||||||
%patch1 -p1 -b .underflow
|
%patch1 -p1 -b .underflow
|
||||||
%patch3 -p1 -b .fips
|
%patch3 -p1 -b .fips
|
||||||
%patch4 -p1 -b .dnssec
|
|
||||||
%patch5 -p1 -b .ports
|
%patch5 -p1 -b .ports
|
||||||
|
|
||||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||||
@ -165,6 +163,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 20 2018 Petr Menšík <pemensik@redhat.com> - 2.80-1
|
||||||
|
- Update to 2.80
|
||||||
|
|
||||||
* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 2.79-8
|
* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 2.79-8
|
||||||
- Better randomize ports
|
- Better randomize ports
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (dnsmasq-2.79.tar.xz) = 2c06212696ab55e1584f6133872f5b196013509e4b1822d0457787b456e14341afdde887749e370a2e512124cb4138f012f4601b08690707be4acc7cf2f2876f
|
SHA512 (dnsmasq-2.80.tar.xz) = 58e56beb553fc41311e5dc16d8b0eb3b6801e2bdfbcd0e7a6659703f08960b6ad10d48b0b14a4d727636faf35483e01597cff2ae49e7fe9fa9e214f437b1c068
|
||||||
|