import CS dnsmasq-2.85-14.el9
This commit is contained in:
parent
52e6077875
commit
ed88ae2205
106
SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch
Normal file
106
SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch
Normal file
@ -0,0 +1,106 @@
|
||||
From e046f32d882b6acf2090cbe8830c2dea6279aa8e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Fri, 9 Jun 2023 22:11:01 +0200
|
||||
Subject: [PATCH] Use serv_domain only for regular servers
|
||||
|
||||
Do not try to use it for --local=/x/ or --address=/x/#. Some users use
|
||||
quite long list of blocks, which slows down walking trough domain list
|
||||
considerably. But searching by server_domain_find_domain is needed only
|
||||
for normal servers, which may store there last used server and number
|
||||
of recent forwarded queries. Local addresses overrides store there no
|
||||
useful information, avoid searching and adding new domains for such
|
||||
records.
|
||||
|
||||
Would also speed up searching servers when blocklists are used, because
|
||||
only domains of servers are tested.
|
||||
|
||||
Resolves: rhbz#2209031
|
||||
---
|
||||
src/forward.c | 2 +-
|
||||
src/option.c | 15 +++++++++------
|
||||
2 files changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/forward.c b/src/forward.c
|
||||
index fffab7a..3d1227b 100644
|
||||
--- a/src/forward.c
|
||||
+++ b/src/forward.c
|
||||
@@ -249,7 +249,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
|
||||
*type = 0; /* use normal servers for this domain */
|
||||
*domain = NULL;
|
||||
}
|
||||
- if (serv_domain && !*serv_domain)
|
||||
+ if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0)
|
||||
*serv_domain = server_domain_find_domain(NULL);
|
||||
return flags;
|
||||
}
|
||||
diff --git a/src/option.c b/src/option.c
|
||||
index e4e3182..25680c0 100644
|
||||
--- a/src/option.c
|
||||
+++ b/src/option.c
|
||||
@@ -928,7 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
|
||||
p += sprintf(p, "in-addr.arpa");
|
||||
|
||||
serv->flags = SERV_HAS_DOMAIN;
|
||||
- server_domain_new(serv);
|
||||
+ serv->serv_domain = NULL;
|
||||
serv->next = daemon->servers;
|
||||
daemon->servers = serv;
|
||||
|
||||
@@ -953,7 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
|
||||
p += sprintf(p, "ip6.arpa");
|
||||
|
||||
serv->flags = SERV_HAS_DOMAIN;
|
||||
- server_domain_new(serv);
|
||||
+ serv->serv_domain = NULL;
|
||||
serv->next = daemon->servers;
|
||||
daemon->servers = serv;
|
||||
|
||||
@@ -2294,7 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
memset(serv, 0, sizeof(struct server));
|
||||
serv->domain = d;
|
||||
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
|
||||
- server_domain_new(serv);
|
||||
+ serv->serv_domain = NULL;
|
||||
serv->next = daemon->servers;
|
||||
daemon->servers = serv;
|
||||
}
|
||||
@@ -2338,7 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
memset(serv, 0, sizeof(struct server));
|
||||
serv->domain = d;
|
||||
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
|
||||
- server_domain_new(serv);
|
||||
+ serv->serv_domain = NULL;
|
||||
serv->next = daemon->servers;
|
||||
daemon->servers = serv;
|
||||
}
|
||||
@@ -2591,7 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
newlist = serv;
|
||||
serv->domain = domain;
|
||||
serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
|
||||
- server_domain_new(serv);
|
||||
+ serv->serv_domain = NULL;
|
||||
arg = end;
|
||||
if (rebind)
|
||||
break;
|
||||
@@ -2639,6 +2639,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
server_list_free(newlist);
|
||||
ret_err(err);
|
||||
}
|
||||
+ if ((newlist->flags & SERV_LITERAL_ADDRESS)==0)
|
||||
+ server_domain_new(newlist);
|
||||
}
|
||||
|
||||
serv = newlist;
|
||||
@@ -2682,7 +2684,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
serv = add_rev6(&addr6, size);
|
||||
else
|
||||
ret_err(gen_err);
|
||||
-
|
||||
+
|
||||
+ server_domain_new(serv);
|
||||
string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags);
|
||||
|
||||
if (string)
|
||||
--
|
||||
2.40.1
|
||||
|
50
SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch
Normal file
50
SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From d75a9691edaa2b2efd8b51f2de492c62cb57c629 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Fri, 5 May 2023 17:51:56 +0200
|
||||
Subject: [PATCH] Ensure search_servers domain is set on dnssec
|
||||
|
||||
When dnssec validation is enabled the domain variable used when fetching
|
||||
dnssec key or domain were not properly initialized always. It were read
|
||||
anyway inside search_servers. Because it is changed only sometime, do
|
||||
not use its value on the end of function. domain can be NULL only at
|
||||
that point, use that value right away.
|
||||
|
||||
Include also TCP.
|
||||
---
|
||||
src/forward.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/forward.c b/src/forward.c
|
||||
index b09dc96..fffab7a 100644
|
||||
--- a/src/forward.c
|
||||
+++ b/src/forward.c
|
||||
@@ -250,7 +250,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
|
||||
*domain = NULL;
|
||||
}
|
||||
if (serv_domain && !*serv_domain)
|
||||
- *serv_domain = server_domain_find_domain(*domain);
|
||||
+ *serv_domain = server_domain_find_domain(NULL);
|
||||
return flags;
|
||||
}
|
||||
|
||||
@@ -1097,7 +1097,7 @@ void reply_query(int fd, time_t now)
|
||||
{
|
||||
int querytype, fd, type = SERV_DO_DNSSEC;
|
||||
struct frec *next = new->next;
|
||||
- char *domain;
|
||||
+ char *domain = NULL;
|
||||
|
||||
*new = *forward; /* copy everything, then overwrite */
|
||||
new->next = next;
|
||||
@@ -1633,7 +1633,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||||
while (1)
|
||||
{
|
||||
int type = SERV_DO_DNSSEC;
|
||||
- char *domain;
|
||||
+ char *domain = NULL;
|
||||
size_t m;
|
||||
unsigned char c1, c2;
|
||||
struct server *firstsendto = NULL;
|
||||
--
|
||||
2.40.1
|
||||
|
83
SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch
Normal file
83
SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From 4650d0aef20db4b7e129895ffcb93ca4609e6347 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 10 May 2023 12:57:17 +0200
|
||||
Subject: [PATCH] fixup! Correct releasing of serv_domain
|
||||
|
||||
---
|
||||
src/dnsmasq.h | 2 +-
|
||||
src/network.c | 20 +++++++++++---------
|
||||
2 files changed, 12 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||||
index b6dcc50..c62c3d0 100644
|
||||
--- a/src/dnsmasq.h
|
||||
+++ b/src/dnsmasq.h
|
||||
@@ -1405,7 +1405,7 @@ int fix_fd(int fd);
|
||||
int tcp_interface(int fd, int af);
|
||||
int set_ipv6pktinfo(int fd);
|
||||
struct server_domain *server_domain_find_domain(const char *domain);
|
||||
-struct server_domain *server_domain_new(struct server *serv);
|
||||
+void server_domain_new(struct server *serv);
|
||||
#ifdef HAVE_DHCP6
|
||||
void join_multicast(int dienow);
|
||||
#endif
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index 8152cac..e42220c 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -1653,6 +1653,7 @@ void add_update_server(int flags,
|
||||
serv->addr = *addr;
|
||||
if (source_addr)
|
||||
serv->source_addr = *source_addr;
|
||||
+ server_domain_new(serv);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1680,14 +1681,20 @@ struct server_domain *server_domain_find_domain(const char *domain)
|
||||
/**< Test structure has already set domain pointer.
|
||||
*
|
||||
* If not, create a new record. */
|
||||
-struct server_domain *server_domain_new(struct server *serv)
|
||||
+void server_domain_new(struct server *serv)
|
||||
{
|
||||
struct server_domain *sd;
|
||||
+ const char *domain = server_get_domain(serv);
|
||||
|
||||
- if ((sd = whine_malloc(sizeof(struct server_domain))))
|
||||
+ sd = server_domain_find_domain(domain);
|
||||
+ if (sd)
|
||||
{
|
||||
- const char *domain = server_get_domain(serv);
|
||||
+ serv->serv_domain = sd;
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
+ if ((sd = whine_malloc(sizeof(struct server_domain))))
|
||||
+ {
|
||||
/* Ensure all serv->domain values have own record in server_domain.
|
||||
* Add a new record. */
|
||||
if (domain)
|
||||
@@ -1701,7 +1708,6 @@ struct server_domain *server_domain_new(struct server *serv)
|
||||
serv->serv_domain = sd;
|
||||
daemon->server_domains = sd;
|
||||
}
|
||||
- return sd;
|
||||
}
|
||||
|
||||
/**< Test structure has already set domain pointer.
|
||||
@@ -1714,11 +1720,7 @@ static void server_domain_check(struct server *serv)
|
||||
if (sd)
|
||||
sd->flags &= (~SERV_MARK); /* found domain, mark active */
|
||||
else
|
||||
- {
|
||||
- sd = server_domain_find_domain(serv->domain);
|
||||
- if (!sd)
|
||||
- server_domain_new(serv);
|
||||
- }
|
||||
+ server_domain_new(serv);
|
||||
}
|
||||
|
||||
void check_servers(void)
|
||||
--
|
||||
2.40.1
|
||||
|
108
SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch
Normal file
108
SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From c0e0202736f55195104dad9fec98c20d0d15df21 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Fri, 21 Apr 2023 17:04:53 +0200
|
||||
Subject: [PATCH] Correct releasing of serv_domain
|
||||
|
||||
In case the server->serv_domain points to domain also when it is not the
|
||||
last server used, ensure the reference to last_server is always reset.
|
||||
Some records might reference the server_domain, but cannot ever become
|
||||
last_server. Such as server=/example.com/#
|
||||
|
||||
Correct detection of used server_domains for standard resolvers case.
|
||||
Mark domain used even in that case, so it is not freed during
|
||||
resolv.conf reading or other nameservers change.
|
||||
---
|
||||
src/network.c | 40 +++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index cf2f2e2..8152cac 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -1511,7 +1511,18 @@ void mark_servers(int flag)
|
||||
}
|
||||
}
|
||||
|
||||
-static void server_domains_cleanup(void)
|
||||
+static void server_domains_pre_cleanup(void)
|
||||
+{
|
||||
+ struct server_domain *sd;
|
||||
+
|
||||
+ /* reset removed last_server. */
|
||||
+ for (sd = daemon->server_domains; sd; sd = sd->next)
|
||||
+ if ((sd->flags & SERV_MARK) == 0 && sd->last_server &&
|
||||
+ (sd->last_server->flags & SERV_MARK) != 0)
|
||||
+ sd->last_server = NULL;
|
||||
+}
|
||||
+
|
||||
+static void server_domains_post_cleanup(void)
|
||||
{
|
||||
struct server_domain *sd, *tmp, **up;
|
||||
|
||||
@@ -1528,8 +1539,6 @@ static void server_domains_cleanup(void)
|
||||
}
|
||||
else {
|
||||
up = &sd->next;
|
||||
- if (sd->last_server && (sd->last_server->flags & SERV_MARK))
|
||||
- sd->last_server = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1538,7 +1547,7 @@ void cleanup_servers(void)
|
||||
{
|
||||
struct server *serv, *tmp, **up;
|
||||
|
||||
- server_domains_cleanup();
|
||||
+ server_domains_pre_cleanup();
|
||||
|
||||
/* unlink and free anything still marked. */
|
||||
for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp)
|
||||
@@ -1552,10 +1561,16 @@ void cleanup_servers(void)
|
||||
free(serv->domain);
|
||||
free(serv);
|
||||
}
|
||||
- else
|
||||
- up = &serv->next;
|
||||
+ else
|
||||
+ {
|
||||
+ up = &serv->next;
|
||||
+ if (serv->serv_domain && (serv->serv_domain->flags & SERV_MARK) != 0)
|
||||
+ serv->serv_domain = NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ server_domains_post_cleanup();
|
||||
+
|
||||
#ifdef HAVE_LOOP
|
||||
/* Now we have a new set of servers, test for loops. */
|
||||
loop_send_probes();
|
||||
@@ -1699,7 +1714,11 @@ static void server_domain_check(struct server *serv)
|
||||
if (sd)
|
||||
sd->flags &= (~SERV_MARK); /* found domain, mark active */
|
||||
else
|
||||
- server_domain_new(serv);
|
||||
+ {
|
||||
+ sd = server_domain_find_domain(serv->domain);
|
||||
+ if (!sd)
|
||||
+ server_domain_new(serv);
|
||||
+ }
|
||||
}
|
||||
|
||||
void check_servers(void)
|
||||
@@ -1808,8 +1827,11 @@ void check_servers(void)
|
||||
else if (strlen(serv->domain) == 0)
|
||||
s1 = _("default"), s2 = "";
|
||||
else
|
||||
- s1 = _("domain"), s2 = serv->domain;
|
||||
-
|
||||
+ {
|
||||
+ s1 = _("domain"), s2 = serv->domain;
|
||||
+ server_domain_check(serv);
|
||||
+ }
|
||||
+
|
||||
if (serv->flags & SERV_NO_ADDR)
|
||||
{
|
||||
count--;
|
||||
--
|
||||
2.39.2
|
||||
|
77
SOURCES/dnsmasq-2.87-coverity-forward-cache.patch
Normal file
77
SOURCES/dnsmasq-2.87-coverity-forward-cache.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From 2f45670951d2159ebf588e1e4943c0bc9e1cd20b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 18 Aug 2021 14:59:23 +0200
|
||||
Subject: [PATCH] Add safety checks to places pointed by Coverity
|
||||
|
||||
GCC Analyzer (experimental)
|
||||
|
||||
1. dnsmasq-2.85/src/forward.c:0: scope_hint: In function 'allocate_rfd.part.0'
|
||||
2. dnsmasq-2.85/src/forward.c:2321:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd'
|
||||
# 2319| *fdlp = rfl;
|
||||
# 2320|
|
||||
# 2321|-> return rfl->rfd->fd;
|
||||
# 2322| }
|
||||
# 2323|
|
||||
|
||||
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'log_query'
|
||||
2. dnsmasq-2.85/src/cache.c:1969:20: warning[-Wanalyzer-null-dereference]: dereference of NULL 'name'
|
||||
# 1967| source = "cached";
|
||||
# 1968|
|
||||
# 1969|-> if (strlen(name) == 0)
|
||||
# 1970| name = ".";
|
||||
# 1971|
|
||||
|
||||
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'cache_scan_free'
|
||||
2. dnsmasq-2.85/src/cache.c:436:20: warning[-Wanalyzer-null-argument]: use of NULL 'addr' where non-null expected
|
||||
40. /usr/include/sys/un.h:37: included_from: Included from here.
|
||||
41. dnsmasq-2.85/src/dnsmasq.h:101: included_from: Included from here.
|
||||
42. dnsmasq-2.85/src/cache.c:17: included_from: Included from here.
|
||||
43. /usr/include/string.h:64:12: note: argument 2 of 'memcmp' must be non-null
|
||||
# 434| (flags & crecp->flags & F_REVERSE) &&
|
||||
# 435| (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
|
||||
# 436|-> memcmp(&crecp->addr, addr, addrlen) == 0)
|
||||
# 437| {
|
||||
# 438| *up = crecp->hash_next;
|
||||
---
|
||||
src/cache.c | 4 ++--
|
||||
src/forward.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/cache.c b/src/cache.c
|
||||
index b3b3c7c..8f97947 100644
|
||||
--- a/src/cache.c
|
||||
+++ b/src/cache.c
|
||||
@@ -483,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
|
||||
else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
|
||||
(flags & crecp->flags & F_REVERSE) &&
|
||||
(flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
|
||||
- memcmp(&crecp->addr, addr, addrlen) == 0)
|
||||
+ addr && memcmp(&crecp->addr, addr, addrlen) == 0)
|
||||
{
|
||||
*up = crecp->hash_next;
|
||||
cache_unlink(crecp);
|
||||
@@ -2067,7 +2067,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
|
||||
else
|
||||
source = "cached";
|
||||
|
||||
- if (strlen(name) == 0)
|
||||
+ if (name && !name[0])
|
||||
name = ".";
|
||||
|
||||
if (option_bool(OPT_EXTRALOG))
|
||||
diff --git a/src/forward.c b/src/forward.c
|
||||
index 434ba77..f3c38d7 100644
|
||||
--- a/src/forward.c
|
||||
+++ b/src/forward.c
|
||||
@@ -2274,7 +2274,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
|
||||
}
|
||||
}
|
||||
|
||||
- if (j == daemon->numrrand)
|
||||
+ if (!rfd) /* should be when j == daemon->numrrand */
|
||||
{
|
||||
struct randfd_list *rfl_poll;
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
64
SOURCES/dnsmasq-2.87-log-root-writeable.patch
Normal file
64
SOURCES/dnsmasq-2.87-log-root-writeable.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Mon, 10 Jan 2022 12:34:42 +0100
|
||||
Subject: [PATCH] Add root group writeable flag to log file
|
||||
|
||||
Some systems strips even root process capability of writing to different
|
||||
users file. That include systemd under Fedora. When
|
||||
log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
|
||||
is created. But restart then fails, because such log file can be used
|
||||
only when created new. Existing file cannot be opened by root when
|
||||
starting, causing fatal error. Avoid that by adding root group writeable flag.
|
||||
|
||||
Ensure group is always root when granting write access. If it is
|
||||
anything else, administrator has to configure correct rights.
|
||||
|
||||
(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
|
||||
---
|
||||
src/log.c | 23 ++++++++++++++++++-----
|
||||
1 file changed, 18 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/log.c b/src/log.c
|
||||
index 1ec3447..bcd6e52 100644
|
||||
--- a/src/log.c
|
||||
+++ b/src/log.c
|
||||
@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
|
||||
/* If we're running as root and going to change uid later,
|
||||
change the ownership here so that the file is always owned by
|
||||
the dnsmasq user. Then logrotate can just copy the owner.
|
||||
- Failure of the chown call is OK, (for instance when started as non-root) */
|
||||
- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
|
||||
- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
|
||||
- ret = errno;
|
||||
+ Failure of the chown call is OK, (for instance when started as non-root).
|
||||
+
|
||||
+ If we've created a file with group-id root, we also make
|
||||
+ the file group-writable. This gives processes in the root group
|
||||
+ write access to the file and avoids the problem that on some systems,
|
||||
+ once the file is owned by the dnsmasq user, it can't be written
|
||||
+ whilst dnsmasq is running as root during startup.
|
||||
+ */
|
||||
+ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
|
||||
+ {
|
||||
+ struct stat ls;
|
||||
+ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
|
||||
+ (ls.st_mode & S_IWGRP) == 0)
|
||||
+ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
|
||||
+ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
|
||||
+ ret = errno;
|
||||
+ }
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
|
||||
/* NOTE: umask is set to 022 by the time this gets called */
|
||||
|
||||
if (log_file)
|
||||
- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
+ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
else
|
||||
{
|
||||
#if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
|
||||
--
|
||||
2.40.1
|
||||
|
45
SOURCES/dnsmasq-2.89-edns0-size.patch
Normal file
45
SOURCES/dnsmasq-2.89-edns0-size.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Tue, 7 Mar 2023 22:07:46 +0000
|
||||
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
|
||||
|
||||
http://www.dnsflagday.net/2020/ refers.
|
||||
|
||||
Thanks to Xiang Li for the prompt.
|
||||
|
||||
(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
|
||||
---
|
||||
man/dnsmasq.8 | 3 ++-
|
||||
src/config.h | 2 +-
|
||||
2 files changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
|
||||
index fce580f..4b0b180 100644
|
||||
--- a/man/dnsmasq.8
|
||||
+++ b/man/dnsmasq.8
|
||||
@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
|
||||
.TP
|
||||
.B \-P, --edns-packet-max=<size>
|
||||
Specify the largest EDNS.0 UDP packet which is supported by the DNS
|
||||
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
|
||||
+forwarder. Defaults to 1232, which is the recommended size following the
|
||||
+DNS flag day in 2020. Only increase if you know what you are doing.
|
||||
.TP
|
||||
.B \-Q, --query-port=<query_port>
|
||||
Send outbound DNS queries from, and listen for their replies on, the
|
||||
diff --git a/src/config.h b/src/config.h
|
||||
index 8c41943..62b7fa1 100644
|
||||
--- a/src/config.h
|
||||
+++ b/src/config.h
|
||||
@@ -19,7 +19,7 @@
|
||||
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
|
||||
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
|
||||
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
|
||||
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
|
||||
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
|
||||
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
|
||||
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
|
||||
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
|
||||
--
|
||||
2.39.2
|
||||
|
@ -20,7 +20,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.85
|
||||
Release: 6%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 14%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
License: GPLv2 or GPLv3
|
||||
@ -51,6 +51,24 @@ Patch6: dnsmasq-2.86-dhcpv6-client-arch.patch
|
||||
Patch7: dnsmasq-2.87-CVE-2022-0934.patch
|
||||
# Downstream only patch; fixes Patch4 change
|
||||
Patch8: dnsmasq-2.79-server-domain-fixup.patch
|
||||
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
|
||||
Patch9: dnsmasq-2.89-edns0-size.patch
|
||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
|
||||
# Fixes issue in Patch4
|
||||
Patch10: dnsmasq-2.85-serv_domain-rh2186481.patch
|
||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2182342
|
||||
# Another issue in Patch4
|
||||
Patch11: dnsmasq-2.85-search_servers-rhbz2182342.patch
|
||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
|
||||
# complements patch10
|
||||
Patch12: dnsmasq-2.85-serv_domain-rh2186481-2.patch
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
|
||||
Patch13: dnsmasq-2.87-log-root-writeable.patch
|
||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031
|
||||
# complements patch12
|
||||
Patch14: dnsmasq-2.85-domain-blocklist-speedup.patch
|
||||
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be
|
||||
Patch15: dnsmasq-2.87-coverity-forward-cache.patch
|
||||
|
||||
# This is workaround to nettle bug #1549190
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||
@ -194,6 +212,30 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Fri Jul 28 2023 Petr Menšík <pemensik@redhat.com> - 2.85-14
|
||||
- Backport Coverity fix to hide detected issue (#2156789)
|
||||
|
||||
* Thu Jul 20 2023 Petr Menšík <pemensik@redhat.com> - 2.85-13
|
||||
- Rebuild with modified gating settings
|
||||
|
||||
* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.85-12
|
||||
- Make create logfile writeable by root (#2156789)
|
||||
|
||||
* Fri Jun 09 2023 Petr Menšík <pemensik@redhat.com> - 2.85-11
|
||||
- Do not create and search --local and --address=/x/# domains (#2209031)
|
||||
|
||||
* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.85-10
|
||||
- Fix also dynamically set resolvers over dbus (#2186481)
|
||||
|
||||
* Fri May 05 2023 Petr Menšík <pemensik@redhat.com> - 2.85-9
|
||||
- Properly initialize domain parameter in dnssec mode (#2182342)
|
||||
|
||||
* Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.85-8
|
||||
- Correct possible crashes when server=/example.net/# is used (#2188712)
|
||||
|
||||
* Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.85-7
|
||||
- Limit offered EDNS0 size 1232 (CVE-2023-28450)
|
||||
|
||||
* Thu Jan 26 2023 Petr Menšík <pemensik@redhat.com> - 2.85-6
|
||||
- Use upstream change for CVE-2022-0934 (#2126586)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user