Commit Graph

24 Commits

Author SHA1 Message Date
Tomas Korbar
8461a38356 Fix CVE 2023-50387 and CVE 2023-50868
Resolves: RHEL-25639
Resolves: RHEL-25675
2024-03-15 13:24:59 +01:00
Petr Menšík
7cbf2a2449 Fix bug in TCP process handling
Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.

Resolves: RHEL-6584
2024-02-22 12:25:10 +01:00
Petr Menšík
4e78aa0303 Backport Coverity fix to hide detected issue
Backport already accepted upstream patch.

Fixes:
1. Defect type: GCC_ANALYZER_WARNING
2. dnsmasq-2.85/src/forward.c:2335:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd'

Related: rhbz#2156789
2023-07-28 16:16:31 +02:00
Petr Menšík
6a1e3e7d2d Rebuild with modified gating settings
Related: rhbz#2156789
2023-07-20 13:15:50 +02:00
Petr Menšík
cafac891ea Add group writeable permission for log file
When log-facility is used to create a new file, make that file also
writeable by root. Systemd strips the ability to write into this file
even when started by root. Allow root explicitly.

Resolves: rhbz#2156789
2023-07-17 19:53:13 +02:00
Petr Menšík
418de6681f Do not create server_domain for non-server records
--local=/example/ and --address=/example/# create records, which contain
no address or just NULL address. Some people generate quite large
blocklists, which then can take quite long to walk through. Because it
uses linear algorithm, it gets quite slow.

Similar to upstream in 2.86, avoid walking through literal addresses or
local blocks. Speeds up significantly loading of 50k or more records.

Fixed regression caused by commit 73f4c86bcc

Resolves: rhbz#2209031
2023-06-14 08:08:05 +02:00
Petr Menšík
73f4c86bcc fixup! Correct releasing of serv_domain
Ensure correct domain entries are prepared also for DBus specified
domains. Initialize server_domain when adding new nameserver, no matter
what is its source. Do not wait for check_servers() to domain
initialization.

Resolves: rhbz#2188712
2023-05-10 13:18:42 +02:00
Petr Menšík
9c7ec692aa Ensure search_servers domain is set on dnssec
When dnssec validation is enabled the domain variable used when fetching
dnssec key or domain were not properly initialized always. It were read
anyway inside search_servers. Because it is changed only sometime, do
not use its value on the end of function. domain can be NULL only at
that point, use that value right away.

Resolves: rhbz#2182342
2023-05-10 13:18:42 +02:00
Petr Menšík
0b70f00773 Correct releasing of serv_domain
In case the server->serv_domain points to domain also when it is not the
last server used, ensure the reference to last_server is always reset.
Some records might reference the server_domain, but cannot ever become
last_server. Such as server=/example.com/#

Do proper check also for above case and do not delete used serv_domain
structure. Also do optimization to reuse common server domains and do
not create new entry to already existing one.

Do two step cleaning during nameservers cleanup stage. Should avoid any
invalid pointer present.

Resolves: rhbz#2188712
2023-05-04 16:17:10 +02:00
Petr Menšík
a84d6321e9 Set the default maximum DNS UDP packet size to 1232
Resolves: CVE-2023-28450
2023-04-03 16:36:40 +02:00
Petr Menšík
af18e549c8 Use upstream version of CVE-2022-0934 fix
My previous downstream changes introduced a regression. Use instead
upstream tested change, which makes smaller change and does not create
new regression in relay code.

Resolves: rhbz#2126586
2023-01-26 18:42:54 +01:00
Petr Menšík
6734b8717a Ensure also server_domains_cleanup is called always
Fixes issue in patch dnsmasq-2.79-server-domain-rh1919894.patch.

When /etc/resolv.conf is changed, dnsmasq reloads used servers. But it
does not call cleanup of server domains in this case. It might cause
serv_domain->last_server to become non-null, but pointing released
server. Ensure it is checked before any cleanup_servers() action always
and from all other places, like dbus setting.

Caused unending loop in forward_query function, rhbz#2106361.

Resolves: rhbz#2120711
2022-08-30 13:46:48 +02:00
Petr Menšík
ea063256c7 Change message type by dedicated function
Long-term pointer to beginning of message does not work well. I case
outpacket is reallocated in any new_opt6() section, original outmsgtypep
pointer becomes invalid. Instead of using that pointer use dedicated
function, which will change just the first byte of the message.

This makes sure correct beginning of packet is always used.

Resolves: CVE-2022-0934
2022-04-27 21:55:10 +02:00
Petr Menšík
a787d2924a Support client arch and interface identifier options
Understand symbolic names for remaining boot option. Interface
identifier expects 3 byte hex encoding in 01:03:01 format.

Related: rhbz#2002871
2022-02-24 15:35:13 +01:00
Petr Menšík
c8b997fc6f Offer alternative address if requested is leased
In some cases booting firware requires multiple IPv6 addresses leased
from DHCP. Dnsmasq offers the same address to different IAIDs requests.
The first gets it successfully, but remaining requests would be denied
with address in use error. Change behaviour and supply alternative
address from the same range, just like Rapid Commit DHCP option allows.
Reuse the same code.

Resolves: rhbz#2002871
2022-02-24 15:34:12 +01:00
Petr Menšík
7524c9f8df dnsmasq option to query the last known working domain specific upstream server first
Similar functionality was implemented in upstream release 2.86 as part
of bigger optimization. While it should have introduce better
performance on bigger domain filter list, it caused several regressions
including crashes.

This is attempt to make similar functionality in different way, without
so heavy change to basic system. It instead adds new structure for each
unique domain, which tracks last tried server for a given domain. It
makes the same algorithm used for domain-less servers, such as those
read from /etc/resolv.conf. But uses that also for servers forwarding
only for subdomains.

It might slightly increase used memory on high number of local=/example/
or server=/example/::1.

Resolves: rhbz#2047510
2022-02-10 23:22:39 +01:00
Mohan Boddu
38555922b3 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 19:50:01 +00:00
Petr Menšík
1d340ea569 Remove broken and unnecessary patch
Upstream has merged patch dnsmasq-2.81-rh1834454.patch slightly
different way, but it is applied anyway. SIOCGSTAMP was fixed by
upstream different way.

Resolves: rhbz#1978728
2021-07-02 18:30:45 +02:00
Petr Menšík
2ed68fa38b Change default pid file into run directory
(cherry picked from commit 72ba11797c)

Related: rhbz#1978728
2021-07-02 18:10:26 +02:00
Petr Menšík
288c0613a9 Update to 2.85 (#1947198)
Change to production release.

(cherry picked from commit 7ce0e29ff5)

Resolves: rhbz#1978728
2021-07-02 18:07:30 +02:00
Mohan Boddu
85302dc0b8 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-15 23:06:09 +00:00
DistroBaker
01975e83ad Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/dnsmasq.git#e2a508e666a6a3ebb47625e4c8185a1f8ce0584f
2021-01-26 13:17:33 +00:00
DistroBaker
498c522839 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/dnsmasq.git#85b95520cf06f64468258b01a2594476d1c0cd2f
2021-01-19 22:39:57 +00:00
Petr Šabata
fa9ecc575b RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/dnsmasq#9d4a531b209034079edd34dc8b364672a9f6625f
2020-10-14 23:43:55 +02:00