From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] dnsmasq 2.76: latest patches from upstream (010-012)
Date: Sat, 23 Jul 2016 23:03:14 +0200
Message-ID: <20160723210314.6731-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0093368775169928742=="
List-Id: <development.lists.ipfire.org>

--===============0093368775169928742==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/dnsmasq                                        |   3 +
 ...q-Add-support-to-read-ISC-DHCP-lease-file.patch |   6 +-
 ...put_to_reduce_risk_of_information_leakage.patch | 169 +++++++++++++++++++=
++
 ...on_transmission_in_case_of_retransmission.patch |  54 +++++++
 ...n_buffer_sizes_for_leasefile_parsing_code.patch | 103 +++++++++++++
 5 files changed, 332 insertions(+), 3 deletions(-)
 create mode 100644 src/patches/dnsmasq/010-Zero_packet_buffers_before_buildi=
ng_output_to_reduce_risk_of_information_leakage.patch
 create mode 100644 src/patches/dnsmasq/011-Dont_reset_packet_length_on_trans=
mission_in_case_of_retransmission.patch
 create mode 100644 src/patches/dnsmasq/012-Compile-time_check_on_buffer_size=
s_for_leasefile_parsing_code.patch

diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index a0fdc50..eb0f0ba 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -82,6 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic=
_error_in_Linux_netlink_code.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_probl=
em_with_--dnssec-timestamp.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_me=
mset_calloc_for_efficiency.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_pack=
et_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_rese=
t_packet_length_on_transmission_in_case_of_retransmission.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-t=
ime_check_on_buffer_sizes_for_leasefile_parsing_code.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t=
o-read-ISC-DHCP-lease-file.patch
=20
 	cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patc=
h b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
index 25feb8d..97b7749 100644
--- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
+++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
@@ -42,7 +42,7 @@
 =20
 --- a/src/dnsmasq.c	Thu Jul 30 20:59:06 2015
 +++ b/src/dnsmasq.c	Wed Dec 16 19:38:32 2015
-@@ -1016,6 +1016,11 @@
+@@ -1017,6 +1017,11 @@
 =20
  	  poll_resolv(0, daemon->last_resolv !=3D 0, now); 	 =20
  	  daemon->last_resolv =3D now;
@@ -56,7 +56,7 @@
 =20
 --- a/src/dnsmasq.h	Wed Dec 16 19:24:12 2015
 +++ b/src/dnsmasq.h	Wed Dec 16 19:40:11 2015
-@@ -1514,6 +1514,11 @@
+@@ -1516,6 +1516,11 @@
  void poll_listen(int fd, short event);
  int do_poll(int timeout);
 =20
@@ -341,7 +341,7 @@
 +#endif
 --- a/src/option.c	Wed Dec 16 19:24:12 2015
 +++ b/src/option.c	Wed Dec 16 19:42:48 2015
-@@ -1770,7 +1770,7 @@
+@@ -1771,7 +1771,7 @@
  	ret_err(_("bad MX target"));
        break;
 =20
diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_outp=
ut_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero=
_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.=
patch
new file mode 100644
index 0000000..a8c10a4
--- /dev/null
+++ b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_r=
educe_risk_of_information_leakage.patch
@@ -0,0 +1,169 @@
+From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 20:56:01 +0100
+Subject: [PATCH] Zero packet buffers before building output, to reduce risk
+ of information leakage.
+
+---
+ src/auth.c      |    5 +++++
+ src/dnsmasq.h   |    1 +
+ src/outpacket.c |   10 ++++++++++
+ src/radv.c      |    2 +-
+ src/rfc1035.c   |    5 +++++
+ src/rfc3315.c   |    6 +++---
+ src/slaac.c     |    2 +-
+ src/tftp.c      |    5 ++++-
+ 8 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 198572d..3c5c37f 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *lim=
it, size_t qlen, time_t n
+   struct all_addr addr;
+   struct cname *a;
+  =20
++  /* Clear buffer beyond request to avoid risk of
++     information disclosure. */
++  memset(((char *)header) + qlen, 0,=20
++	 (limit - ((char *)header)) - qlen);
++ =20
+   if (ntohs(header->qdcount) =3D=3D 0 || OPCODE(header) !=3D QUERY )
+     return 0;
+=20
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index be27ae0..2bda5d0 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay);
+ /* outpacket.c */
+ #ifdef HAVE_DHCP6
+ void end_opt6(int container);
++void reset_counter(void);
+ int save_counter(int newval);
+ void *expand(size_t headroom);
+ int new_opt6(int opt);
+diff --git a/src/outpacket.c b/src/outpacket.c
+index a414efa..2caacd9 100644
+--- a/src/outpacket.c
++++ b/src/outpacket.c
+@@ -29,9 +29,19 @@ void end_opt6(int container)
+    PUTSHORT(len, p);
+ }
+=20
++void reset_counter(void)
++{
++  /* Clear out buffer when starting from begining */
++  if (daemon->outpacket.iov_base)
++    memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len);
++=20
++  save_counter(0);
++}
++
+ int save_counter(int newval)
+ {
+   int ret =3D outpacket_counter;
++ =20
+   if (newval !=3D -1)
+     outpacket_counter =3D newval;
+=20
+diff --git a/src/radv.c b/src/radv.c
+index faa0f6d..39c9217 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *i=
face_name, struct in6_ad
+   parm.adv_interval =3D calc_interval(ra_param);
+   parm.prio =3D calc_prio(ra_param);
+  =20
+-  save_counter(0);
++  reset_counter();
+  =20
+   if (!(ra =3D expand(sizeof(struct ra_packet))))
+     return;
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 24d08c1..9e730a9 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
+   int nxdomain =3D 0, auth =3D 1, trunc =3D 0, sec_data =3D 1;
+   struct mx_srv_record *rec;
+   size_t len;
++
++  /* Clear buffer beyond request to avoid risk of
++     information disclosure. */
++  memset(((char *)header) + qlen, 0,=20
++	 (limit - ((char *)header)) - qlen);
+  =20
+   if (ntohs(header->ancount) !=3D 0 ||
+       ntohs(header->nscount) !=3D 0 ||
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f4d69c..e1271a1 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, i=
nt interface, char *if
+   for (vendor =3D daemon->dhcp_vendors; vendor; vendor =3D vendor->next)
+     vendor->netid.next =3D &vendor->netid;
+  =20
+-  save_counter(0);
++  reset_counter();
+   state.context =3D context;
+   state.interface =3D interface;
+   state.iface_name =3D iface_name;
+@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t=
 sz,
+   if (hopcount > 32)
+     return;
+=20
+-  save_counter(0);
++  reset_counter();
+=20
+   if ((header =3D put_opt6(NULL, 34)))
+     {
+@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer,=
 ssize_t sz, char *arrival
+ 	(!relay->interface || wildcard_match(relay->interface, arrival_interface)))
+       break;
+      =20
+-  save_counter(0);
++  reset_counter();
+=20
+   if (relay)
+     {
+diff --git a/src/slaac.c b/src/slaac.c
+index 07b8ba4..bd6c9b4 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *lea=
ses)
+ 	    struct ping_packet *ping;
+ 	    struct sockaddr_in6 addr;
+ =20
+-	    save_counter(0);
++	    reset_counter();
+=20
+ 	    if (!(ping =3D expand(sizeof(struct ping_packet))))
+ 	      continue;
+diff --git a/src/tftp.c b/src/tftp.c
+index 3e1b5c5..618c406 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *mes=
sage, char *file)
+   ssize_t len, ret =3D 4;
+   char *errstr =3D strerror(errno);
+  =20
++  memset(packet, 0, daemon->packet_buff_sz);
+   sanitise(file);
+-
++ =20
+   mess->op =3D htons(OP_ERR);
+   mess->err =3D htons(err);
+   len =3D snprintf(mess->message, MAXMESSAGE,  message, file, errstr);
+@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file)
+ /* return -1 for error, zero for done. */
+ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
+ {
++  memset(packet, 0, daemon->packet_buff_sz);
++ =20
+   if (transfer->block =3D=3D 0)
+     {
+       /* send OACK */
+--=20
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission=
_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_=
length_on_transmission_in_case_of_retransmission.patch
new file mode 100644
index 0000000..ab8ba28
--- /dev/null
+++ b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_cas=
e_of_retransmission.patch
@@ -0,0 +1,54 @@
+From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 20:59:16 +0100
+Subject: [PATCH] Don't reset packet length on transmission, in case of
+ retransmission.
+
+---
+ src/radv.c    |    2 +-
+ src/rfc3315.c |    2 +-
+ src/slaac.c   |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/radv.c b/src/radv.c
+index 39c9217..ffc37f2 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *i=
face_name, struct in6_ad
+     }
+  =20
+   while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base,=20
+-			   save_counter(0), 0, (struct sockaddr *)&addr,=20
++			   save_counter(-1), 0, (struct sockaddr *)&addr,=20
+ 			   sizeof(addr))));
+  =20
+ }
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index e1271a1..c7bf46f 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t=
 sz,
+ 		my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without=
 correct interface"));
+ 	    }
+ 	=09
+-	  send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0=
), &to, &from, 0);
++	  send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-=
1), &to, &from, 0);
+ 	 =20
+ 	  if (option_bool(OPT_LOG_OPTS))
+ 	    {
+diff --git a/src/slaac.c b/src/slaac.c
+index bd6c9b4..7ecf127 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *lea=
ses)
+ 	    addr.sin6_port =3D htons(IPPROTO_ICMPV6);
+ 	    addr.sin6_addr =3D slaac->addr;
+ 	   =20
+-	    if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0=
), 0,
++	    if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-=
1), 0,
+ 		       (struct sockaddr *)&addr,  sizeof(addr)) =3D=3D -1 &&
+ 		errno =3D=3D EHOSTUNREACH)
+ 	      slaac->ping_time =3D 0; /* Give up */=20
+--=20
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_l=
easefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_b=
uffer_sizes_for_leasefile_parsing_code.patch
new file mode 100644
index 0000000..c71f470
--- /dev/null
+++ b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefil=
e_parsing_code.patch
@@ -0,0 +1,103 @@
+From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 21:37:59 +0100
+Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing
+ code.
+
+---
+ src/dhcp-common.c   |   16 ++++++++--------
+ src/dhcp-protocol.h |    4 ++++
+ src/lease.c         |    9 ++++++++-
+ src/rfc3315.c       |    2 +-
+ 4 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/src/dhcp-common.c b/src/dhcp-common.c
+index 08528e8..ecc752b 100644
+--- a/src/dhcp-common.c
++++ b/src/dhcp-common.c
+@@ -20,11 +20,11 @@
+=20
+ void dhcp_common_init(void)
+ {
+-    /* These each hold a DHCP option max size 255
+-       and get a terminating zero added */
+-  daemon->dhcp_buff =3D safe_malloc(256);
+-  daemon->dhcp_buff2 =3D safe_malloc(256);=20
+-  daemon->dhcp_buff3 =3D safe_malloc(256);
++  /* These each hold a DHCP option max size 255
++     and get a terminating zero added */
++  daemon->dhcp_buff =3D safe_malloc(DHCP_BUFF_SZ);
++  daemon->dhcp_buff2 =3D safe_malloc(DHCP_BUFF_SZ);=20
++  daemon->dhcp_buff3 =3D safe_malloc(DHCP_BUFF_SZ);
+  =20
+   /* dhcp_packet is used by v4 and v6, outpacket only by v6=20
+      sizeof(struct dhcp_packet) is as good an initial size as any,
+@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *cont=
ext)
+       if (context->flags & CONTEXT_RA_STATELESS)
+ 	{
+ 	  if (context->flags & CONTEXT_TEMPLATE)
+-	    strncpy(daemon->dhcp_buff, context->template_interface, 256);
++	    strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
+ 	  else
+ 	    strcpy(daemon->dhcp_buff, daemon->addrbuff);
+ 	}
+       else=20
+ #endif
+-	inet_ntop(family, start, daemon->dhcp_buff, 256);
+-      inet_ntop(family, end, daemon->dhcp_buff3, 256);
++	inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
++      inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
+       my_syslog(MS_DHCP | LOG_INFO,=20
+ 		(context->flags & CONTEXT_RA_STATELESS) ?=20
+ 		_("%s stateless on %s%.0s%.0s%s") :
+diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
+index a31d829..0ea449b 100644
+--- a/src/dhcp-protocol.h
++++ b/src/dhcp-protocol.h
+@@ -19,6 +19,10 @@
+ #define DHCP_CLIENT_ALTPORT 1068
+ #define PXE_PORT 4011
+=20
++/* These each hold a DHCP option max size 255
++   and get a terminating zero added */
++#define DHCP_BUFF_SZ 256
++
+ #define BOOTREQUEST              1
+ #define BOOTREPLY                2
+ #define DHCP_COOKIE              0x63825363
+diff --git a/src/lease.c b/src/lease.c
+index 20cac90..ca62cc5 100644
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -65,7 +65,14 @@ void lease_init(time_t now)
+     }
+  =20
+   /* client-id max length is 255 which is 255*2 digits + 254 colons=20
+-     borrow DNS packet buffer which is always larger than 1000 bytes */
++     borrow DNS packet buffer which is always larger than 1000 bytes=20
++ =20
++     Check various buffers are big enough for the code below */
++
++#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ=
  < 764)
++# error Buffer size breakage in leasfile parsing.=20
++#endif
++
+   if (leasestream)
+     while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->d=
hcp_buff2) =3D=3D 2)
+       {
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index c7bf46f..568b0c8 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *typ=
e, struct in6_addr *addr,
+=20
+   if (addr)
+     {
+-      inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
++      inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
+       strcat(daemon->dhcp_buff2, " ");
+     }
+   else
+--=20
+1.7.10.4
+
--=20
2.9.2


--===============0093368775169928742==--