Update to 2.90 (#2264049)

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

Resolves: RHEL-39607 RHEL-39608
This commit is contained in:
Petr Menšík 2024-02-14 00:06:36 +01:00
parent 3488577874
commit fb809b9034
7 changed files with 21 additions and 337 deletions

2
.gitignore vendored
View File

@ -50,3 +50,5 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.88.tar.xz.asc
/dnsmasq-2.89.tar.xz
/dnsmasq-2.89.tar.xz.asc
/dnsmasq-2.90.tar.xz
/dnsmasq-2.90.tar.xz.asc

View File

@ -1,18 +1,18 @@
From 0e581ae7b2d3b181f22f71d5a0b7ace0bf90089f Mon Sep 17 00:00:00 2001
From 6fda9cd7cba519a8aa96b43ebc34cb6c46b3bfe7 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert@redhat.com>
Date: Tue, 26 Sep 2017 14:48:20 +0930
Subject: [PATCH] google patch hand-applied
---
src/edns0.c | 10 +++++-----
src/rfc1035.c | 3 +++
2 files changed, 8 insertions(+), 5 deletions(-)
src/rfc1035.c | 5 ++++-
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/edns0.c b/src/edns0.c
index c498eb1..0eb3873 100644
index 598478f..72127e5 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
@@ -209,11 +209,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
/* Copy back any options */
if (buff)
{
@ -30,19 +30,21 @@ index c498eb1..0eb3873 100644
free(buff);
p += rdlen;
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5c0df56..7e01459 100644
index 387d894..7fb1468 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1425,6 +1425,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
@@ -1581,7 +1581,10 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
size_t len;
int rd_bit = (header->hb3 & HB3_RD);
int count = 255; /* catch loops */
-
+
+ // Make sure we do not underflow here too.
+ if (qlen > (limit - ((char *)header))) return 0;
+
if (stale)
*stale = 0;
--
2.38.1
2.43.0

View File

@ -1,45 +0,0 @@
From 559357d267197602d591a8a075146ab35146dbc6 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
---
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 9dd5430..8956f6d 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 492c02f..f6d96db 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
--
2.39.2

View File

@ -1,93 +0,0 @@
From 33635d8564f96cedcef9bf9826cbbca76f28aa81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 17 Apr 2023 20:55:31 +0100
Subject: [PATCH] Fix crash in dbus code.
If I configure dnsmasq to use dbus and then restart dbus.service with watchers present,
it crashes dnsmasq. The reason is simple, it uses loop to walk over watchers to call
dbus handling code. But from that code the same list can be modified and watchers removed.
But the list iteration continues anyway.
Restart the loop if list were modified.
---
src/dbus.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/dbus.c b/src/dbus.c
index 24efcb8..34cf2f6 100644
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -106,6 +106,7 @@ const char* introspection_xml_template =
"</node>\n";
static char *introspection_xml = NULL;
+static int watches_modified = 0;
struct watch {
DBusWatch *watch;
@@ -127,6 +128,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
w->watch = watch;
w->next = daemon->watches;
daemon->watches = w;
+ watches_modified++;
(void)data; /* no warning */
return TRUE;
@@ -134,7 +136,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
static void remove_watch(DBusWatch *watch, void *data)
{
- struct watch **up, *w, *tmp;
+ struct watch **up, *w, *tmp;
for (up = &(daemon->watches), w = daemon->watches; w; w = tmp)
{
@@ -143,6 +145,7 @@ static void remove_watch(DBusWatch *watch, void *data)
{
*up = tmp;
free(w);
+ watches_modified++;
}
else
up = &(w->next);
@@ -966,11 +969,11 @@ void set_dbus_listeners(void)
}
}
-void check_dbus_listeners()
+static int check_dbus_watches()
{
- DBusConnection *connection = (DBusConnection *)daemon->dbus;
struct watch *w;
+ watches_modified = 0;
for (w = daemon->watches; w; w = w->next)
if (dbus_watch_get_enabled(w->watch))
{
@@ -987,9 +990,22 @@ void check_dbus_listeners()
flags |= DBUS_WATCH_ERROR;
if (flags != 0)
- dbus_watch_handle(w->watch, flags);
+ {
+ dbus_watch_handle(w->watch, flags);
+ if (watches_modified)
+ return 0;
+ }
}
+ return 1;
+}
+
+void check_dbus_listeners()
+{
+ DBusConnection *connection = (DBusConnection *)daemon->dbus;
+
+ while (!check_dbus_watches()) ;
+
if (connection)
{
dbus_connection_ref (connection);
--
2.40.0

View File

@ -1,179 +0,0 @@
From 68e9ba58d39a442c1f0f55cd35de6f0e69345950 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 5 Oct 2021 13:46:51 +0200
Subject: [PATCH] Introduce new --local-service=host parameter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Similar to local-service, but more strict. Listen only on localhost
unless other interface is specified. Has no effect when interface is
provided explicitly. I had multiple bugs fillen on Fedora, because I have
changed default configuration to:
interface=lo
bind-interfaces
People just adding configuration parts to /etc/dnsmasq.d or appending to
existing configuration often fail to see some defaults are already there.
Give them auto-ignored configuration as smart default.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Do not add a new parameter on command line. Instead add just parameter
for behaviour modification of existing local-service option. Now it
accepts two optional values:
- net: exactly the same as before
- host: bind only to lo interface, do not listen on any other addresses
than loopback.
---
man/dnsmasq.8 | 8 +++++---
src/dnsmasq.c | 2 ++
src/dnsmasq.h | 3 ++-
src/option.c | 44 +++++++++++++++++++++++++++++++++-----------
4 files changed, 42 insertions(+), 15 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index e21bd09..855eda6 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -270,14 +270,16 @@ the address dnsmasq is listening on. When an interface is specified,
it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
.TP
-.B --local-service
+.B --local-service[=net|host]
+Without parameter or with net parameter, restricts service to connected network.
Accept DNS queries only from hosts whose address is on a local subnet,
-ie a subnet for which an interface exists on the server. This option
+ie a subnet for which an interface exists on the server. With host parameter, listens
+only on lo interface and accepts queries from localhost only. This option
only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
\fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
a default on installation, to allow unconfigured installations to be
useful but also safe from being used for DNS amplification attacks.
-.TP
+.TP
.B \-2, --no-dhcp-interface=<interface name>
Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
.TP
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 14fe368..0b34627 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -864,6 +864,8 @@ int main (int argc, char **argv)
if (option_bool(OPT_LOCAL_SERVICE))
my_syslog(LOG_INFO, _("DNS service limited to local subnets"));
+ else if (option_bool(OPT_LOCALHOST_SERVICE))
+ my_syslog(LOG_INFO, _("DNS service limited to localhost"));
}
my_syslog(LOG_INFO, _("compile time options: %s"), compile_opts);
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index fe9aa07..1fabc22 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,8 @@ struct event_desc {
#define OPT_STRIP_MAC 70
#define OPT_NORR 71
#define OPT_NO_IDENT 72
-#define OPT_LAST 73
+#define OPT_LOCALHOST_SERVICE 73
+#define OPT_LAST 74
#define OPTION_BITS (sizeof(unsigned int)*8)
#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
diff --git a/src/option.c b/src/option.c
index e4810fd..70cece6 100644
--- a/src/option.c
+++ b/src/option.c
@@ -217,7 +217,7 @@ static const struct myoption opts[] =
{ "domain-suffix", 1, 0, 's' },
{ "interface", 1, 0, 'i' },
{ "listen-address", 1, 0, 'a' },
- { "local-service", 0, 0, LOPT_LOCAL_SERVICE },
+ { "local-service", 2, 0, LOPT_LOCAL_SERVICE },
{ "bogus-priv", 0, 0, 'b' },
{ "bogus-nxdomain", 1, 0, 'B' },
{ "ignore-address", 1, 0, LOPT_IGNORE_ADDR },
@@ -560,7 +560,7 @@ static struct {
{ LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routine DHCPv6."), NULL },
{ LOPT_QUIET_RA, OPT_QUIET_RA, NULL, gettext_noop("Do not log RA."), NULL },
{ LOPT_LOG_DEBUG, OPT_LOG_DEBUG, NULL, gettext_noop("Log debugging information."), NULL },
- { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks."), NULL },
+ { LOPT_LOCAL_SERVICE, ARG_ONE, NULL, gettext_noop("Accept queries only from directly-connected networks."), NULL },
{ LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops."), NULL },
{ LOPT_IGNORE_ADDR, ARG_DUP, "<ipaddr>", gettext_noop("Ignore DNS responses containing ipaddr."), NULL },
{ LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL },
@@ -1390,6 +1390,16 @@ static void dhcp_opt_free(struct dhcp_opt *opt)
free(opt);
}
+static void if_names_add(const char *ifname)
+{
+ struct iname *new = opt_malloc(sizeof(struct iname));
+ new->next = daemon->if_names;
+ daemon->if_names = new;
+ /* new->name may be NULL if someone does
+ "interface=" to disable all interfaces except loop. */
+ new->name = opt_string_alloc(ifname);
+ new->used = 0;
+}
/* This is too insanely large to keep in-line in the switch */
static int parse_dhcp_opt(char *errstr, char *arg, int flags)
@@ -2811,14 +2821,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
case 'i': /* --interface */
do {
- struct iname *new = opt_malloc(sizeof(struct iname));
- comma = split(arg);
- new->next = daemon->if_names;
- daemon->if_names = new;
- /* new->name may be NULL if someone does
- "interface=" to disable all interfaces except loop. */
- new->name = opt_string_alloc(arg);
- new->used = 0;
+ comma = split(arg);
+ if_names_add(arg);
arg = comma;
} while (arg);
break;
@@ -3377,6 +3381,15 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
ret_err(gen_err);
else if (daemon->max_logs > 100)
daemon->max_logs = 100;
+ break;
+
+ case LOPT_LOCAL_SERVICE: /* --local-service */
+ if (!arg || !strcmp(arg, "net"))
+ set_option_bool(OPT_LOCAL_SERVICE);
+ else if (!strcmp(arg, "host"))
+ set_option_bool(OPT_LOCALHOST_SERVICE);
+ else
+ ret_err(gen_err);
break;
case 'P': /* --edns-packet-max */
@@ -6056,7 +6069,16 @@ void read_opts(int argc, char **argv, char *compile_opts)
/* If there's access-control config, then ignore --local-service, it's intended
as a system default to keep otherwise unconfigured installations safe. */
if (daemon->if_names || daemon->if_except || daemon->if_addrs || daemon->authserver)
- reset_option_bool(OPT_LOCAL_SERVICE);
+ {
+ reset_option_bool(OPT_LOCAL_SERVICE);
+ reset_option_bool(OPT_LOCALHOST_SERVICE);
+ }
+ else if (option_bool(OPT_LOCALHOST_SERVICE) && !option_bool(OPT_LOCAL_SERVICE))
+ {
+ /* listen only on localhost, emulate --interface=lo --bind-interfaces */
+ if_names_add(NULL);
+ set_option_bool(OPT_NOWILD);
+ }
if (testmode)
{
--
2.43.0

View File

@ -22,8 +22,8 @@
%bcond_with sourcegit
Name: dnsmasq
Version: 2.89
Release: 9%{?extraversion:.%{extraversion}}%{?dist}
Version: 2.90
Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
# SPDX identifiers already
@ -46,12 +46,6 @@ Patch1: dnsmasq-2.77-underflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1852373
Patch2: dnsmasq-2.81-configuration.patch
Patch3: dnsmasq-2.78-fips.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
Patch4: dnsmasq-2.89-edns0-size.patch
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33635d8564f96cedcef9bf9826cbbca76f28aa81
Patch5: dnsmasq-2.90-dbus-watchers-bz2186468.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2258062
Patch6: dnsmasq-2.90-local-service-host.patch
Requires: nettle
@ -222,6 +216,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%endif
%changelog
* Tue Feb 13 2024 Petr Menšík <pemensik@redhat.com> - 2.90-1
- Update to 2.90 (#2264049)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.89-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

View File

@ -1,2 +1,2 @@
SHA512 (dnsmasq-2.89.tar.xz) = 4384ed5b673e10eaf6532e6eaeb5c0a6b817581433cc28c632bdcbadbfc050a0ab73bc5b73c98d708cd39515bb3f72168714b0aa5f16436cebdd18020648d428
SHA512 (dnsmasq-2.89.tar.xz.asc) = 953316fa47e5793af1493cb81af14bbbb4a56160a067ca31b94c1c65dbb4515f670d56378d15e624575954cd5b6117e6c746f88f746005c1b8f5e4eff59914ae
SHA512 (dnsmasq-2.90.tar.xz) = e169de1892f935e219b0f49d90107f95cba42b40bca20bd3c973313c2cd4df58b929af6628cd988419051d81c3b4ccf8e9f816274df7d0840e79f5bf49602442
SHA512 (dnsmasq-2.90.tar.xz.asc) = a1d5d1f8ccf1a0bfe6fc19025e616e38f1aea617f5d1b2deead55735608960eca73a8f8ca9c92897cf893df37ac0b7e8c4481992b3e57e0746f55180d2ef4bd0