Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/dnsmasq | 6 ++ .../004-Fix_editing_error_on_man_page.patch | 40 ++++++++++ src/patches/dnsmasq/005-Manpage_typo.patch | 25 ++++++ ...aviour_with_some_DHCP_option_arrangements.patch | 49 ++++++++++++ ...007-Fix_logic_error_in_Linux_netlink_code.patch | 55 +++++++++++++ .../008-Fix_problem_with_--dnssec-timestamp.patch | 93 ++++++++++++++++++++++ .../009-malloc_memset_calloc_for_efficiency.patch | 46 +++++++++++ 7 files changed, 314 insertions(+) create mode 100644 src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch create mode 100644 src/patches/dnsmasq/005-Manpage_typo.patch create mode 100644 src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch create mode 100644 src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch create mode 100644 src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch create mode 100644 src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index 5782f77..a0fdc50 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -76,6 +76,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
new file mode 100644
index 0000000..f4d0d20
--- /dev/null
+++ b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
@@ -0,0 +1,40 @@
+From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Sun, 10 Jul 2016 22:12:08 +0100
+Subject: [PATCH] Fix editing error on man page.
+
+Thanks to Eric Westbrook for spotting this.
+---
+ man/dnsmasq.8 | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 0521534..bd8c0b3 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of
+ using this option is the same as for --dhcp-hostsfile: the
+ dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
+ it is possible to encode the information in a
++.B --dhcp-boot
++flag as DHCP options, using the options names bootfile-name,
++server-ip-address and tftp-server. This allows these to be included
++in a dhcp-optsfile.
+ .TP
+ .B --dhcp-hostsdir=<path>
+ This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
+@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically.
+ .TP
+ .B --dhcp-optsdir=<path>
+ This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
+-.TP
+-.B --dhcp-boot
+-flag as DHCP options, using the options names bootfile-name,
+-server-ip-address and tftp-server. This allows these to be included
+-in a dhcp-optsfile.
+ .TP
+ .B -Z, --read-ethers
+ Read /etc/ethers for information about hosts for the DHCP server. The
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/005-Manpage_typo.patch b/src/patches/dnsmasq/005-Manpage_typo.patch
new file mode 100644
index 0000000..52f16de
--- /dev/null
+++ b/src/patches/dnsmasq/005-Manpage_typo.patch
@@ -0,0 +1,25 @@
+From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001
+From: Kristjan Onu jeixav@gmail.com
+Date: Sun, 10 Jul 2016 22:37:57 +0100
+Subject: [PATCH] Manpage typo.
+
+---
+ man/dnsmasq.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index bd8c0b3..ac8d921 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -242,7 +242,7 @@ addresses associated with the interface.
+ .B --local-service
+ Accept DNS queries only from hosts whose address is on a local subnet,
+ ie a subnet for which an interface exists on the server. This option
+-only has effect is there are no --interface --except-interface,
++only has effect if there are no --interface --except-interface,
+ --listen-address or --auth-server options. It is intended to be set as
+ a default on installation, to allow unconfigured installations to be
+ useful but also safe from being used for DNS amplification attacks.
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
new file mode 100644
index 0000000..ec17115
--- /dev/null
+++ b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
@@ -0,0 +1,49 @@
+From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Mon, 11 Jul 2016 18:18:42 +0100
+Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.
+
+The check that there's enough space to store the DHCP agent-id
+at the end of the packet could succeed when it should fail
+if the END option is in either of the oprion-overload areas.
+That could overwrite legit options in the request and cause
+bad behaviour. It's highly unlikely that any sane DHCP client
+would trigger this bug, and it's never been seen, but this
+fixes the problem.
+
+Also fix off-by-one in bounds checking of option processing.
+Worst case scenario on that is a read one byte beyond the
+end off a buffer with a crafted packet, and maybe therefore
+a SIGV crash if the memory after the buffer is not mapped.
+
+Thanks to Timothy Becker for spotting these.
+---
+ src/rfc2131.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc2131.c b/src/rfc2131.c
+index b7c167e..8b99d4b 100644
+--- a/src/rfc2131.c
++++ b/src/rfc2131.c
+@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
+ be enough free space at the end of the packet to copy the option. */
+ unsigned char *sopt;
+ unsigned int total = option_len(opt) + 2;
+- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);
++ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,
++ OPTION_END, 0);
+ if (last_opt && last_opt < end - total)
+ {
+ end -= total;
+@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
+ {
+ while (1)
+ {
+- if (p > end)
++ if (p >= end)
+ return NULL;
+ else if (*p == OPTION_END)
+ return opt == OPTION_END ? p : NULL;
+--
+1.7.10.4
+
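Review bot: The replacement call in dhcp_reply, `option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz, OPTION_END, 0)`, has no comment saying why it bypasses option_find or what the `sizeof(u32)` offset skips, so a later cleanup could switch it back to the wrapper and reintroduce the overwrite of client options. I would add above it `/* Search only the main options field (past the 4-byte magic cookie); an END inside an option-overload area must not count as free space at the end of the packet. */`. The call also depends on the second hunk: if `sz` ends before the start pointer, it is the new `p >= end` test that stops the scan before `*p` is read, so the two changes should stay together in any backport. Both dhcp_reply and option_find1 continue outside the hunks, so the bounds checks on the option length byte are not visible here and are worth confirming.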
diff --git a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
new file mode 100644
index 0000000..6a79eac
--- /dev/null
+++ b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
@@ -0,0 +1,55 @@
+From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001
+From: Ivan Kokshaysky ink@jurassic.park.msu.ru
+Date: Mon, 11 Jul 2016 18:36:05 +0100
+Subject: [PATCH] Fix logic error in Linux netlink code.
+
+This could cause dnsmasq to enter a tight loop on systems
+with a very large number of network interfaces.
+---
+ CHANGELOG | 6 ++++++
+ src/netlink.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 0559a6f..59c9c49 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -11,6 +11,12 @@ version 2.77
+ Thanks to Mozilla for funding the security audit
+ which spotted this bug.
+
++ Fix logic error in Linux netlink code. This could
++ cause dnsmasq to enter a tight loop on systems
++ with a very large number of network interfaces.
++ Thanks to Ivan Kokshaysky for the diagnosis and
++ patch.
++
+
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+diff --git a/src/netlink.c b/src/netlink.c
+index 049247b..8cd51af 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)())
+ }
+
+ for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
+- if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
++ if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
+ {
+ /* May be multicast arriving async */
+ nl_async(h);
+ }
++ else if (h->nlmsg_seq != seq)
++ {
++ /* May be part of incomplete response to previous request after
++ ENOBUFS. Drop it. */
++ continue;
++ }
+ else if (h->nlmsg_type == NLMSG_DONE)
+ return callback_ok;
+ else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL)
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
new file mode 100644
index 0000000..b32d17a
--- /dev/null
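Review bot: In the reordered chain in iface_enumerate, `h->nlmsg_type == NLMSG_ERROR` is still tested before the sequence number, so a stale NLMSG_ERROR that carries our pid but the previous request's sequence goes to nl_async() while every other stale message is dropped. If leftovers from an interrupted dump are meant to be discarded uniformly, the first test could be narrowed to `if (h->nlmsg_pid != netlink_pid)` with NLMSG_ERROR handled after the sequence check; if forwarding the error is intended, a short comment saying so would help. The `continue;` in the new branch is the last thing the loop body does, so the branch could hold just the comment and an empty statement. iface_enumerate starts and ends outside the hunk, so how nl_async treats such an error is not visible here.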
+++ b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch 
@@ -0,0 +1,93 @@
+From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk
+Date: Mon, 11 Jul 2016 21:03:27 +0100
+Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of
+ SIGHUP would erroneously engage timestamp checking.
+
+---
+ CHANGELOG | 4 ++++
+ src/dnsmasq.c | 7 ++++---
+ src/dnsmasq.h | 1 +
+ src/dnssec.c | 5 +++--
+ 4 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 59c9c49..9f1e404 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -17,6 +17,10 @@ version 2.77
+ Thanks to Ivan Kokshaysky for the diagnosis and
+ patch.
+
++ Fix problem with --dnssec-timestamp whereby receipt
++ of SIGHUP would erroneously engage timestamp checking.
++ Thanks to Kevin Darbyshire-Bryant for this work.
++
+
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 045ec53..a47273f 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -750,7 +750,8 @@ int main (int argc, char **argv)
+
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+
+- if (option_bool(OPT_DNSSEC_TIME))
++ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
++ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+ my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
+
+ if (rc == 1)
+@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
+ {
+ case EVENT_RELOAD:
+ #ifdef HAVE_DNSSEC
+- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
++ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ {
+ my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
+- reset_option_bool(OPT_DNSSEC_TIME);
++ daemon->dnssec_no_time_check = 0;
+ }
+ #endif
+ /* fall through */
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 1896a64..be27ae0 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -992,6 +992,7 @@ extern struct daemon {
+ #endif
+ #ifdef HAVE_DNSSEC
+ struct ds_config *ds;
++ int dnssec_no_time_check;
+ int back_to_the_future;
+ char *timestamp_file;
+ #endif
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 3c77c7d..64358fa 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
+ if (utime(daemon->timestamp_file, NULL) != 0)
+ my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+
++ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
+ daemon->back_to_the_future = 1;
+- set_option_bool(OPT_DNSSEC_TIME);
++ daemon->dnssec_no_time_check = 0;
+ queue_event(EVENT_RELOAD); /* purge cache */
+ }
+
+ if (daemon->back_to_the_future == 0)
+ return 1;
+ }
+- else if (option_bool(OPT_DNSSEC_TIME))
++ else if (daemon->dnssec_no_time_check)
+ return 1;
+
+ /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
new file mode 100644
index 0000000..0300853
--- /dev/null
+++ b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
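Review bot: The new `int dnssec_no_time_check;` member of struct daemon has no comment, and it is a negative flag whose non-zero state makes check_date_range return 1 without looking at the signature dates, so its lifecycle should be written down where it is declared. Something like `/* non-zero: skip DNSSEC signature timestamp checks; set from OPT_DNSSEC_TIME at startup, cleared on the first reload or once the timestamp file shows the clock is valid */` would cover what the three visible call sites do. In async_event the condition `daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)` can lose its last term, since in the visible code the flag is only ever set from that option. The functions touched all continue outside their hunks, so other writers of the flag cannot be ruled out from here.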
@@ -0,0 +1,46 @@
+From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Mon, 11 Jul 2016 21:34:31 +0100
+Subject: [PATCH] malloc(); memset() -> calloc() for efficiency.
+
+---
+ src/util.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 82443c9..211690e 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
+ /* for use during startup */
+ void *safe_malloc(size_t size)
+ {
+- void *ret = malloc(size);
++ void *ret = calloc(1, size);
+
+ if (!ret)
+ die(_("could not get memory"), NULL, EC_NOMEM);
+- else
+- memset(ret, 0, size);
+-
++
+ return ret;
+ }
+
+@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock)
+
+ void *whine_malloc(size_t size)
+ {
+- void *ret = malloc(size);
++ void *ret = calloc(1, size);
+
+ if (!ret)
+ my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
+- else
+- memset(ret, 0, size);
+
+ return ret;
+ }
+--
+1.7.10.4
+
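Review bot: With the explicit memset gone, nothing in safe_malloc or whine_malloc says that the returned block is zero-filled, although the series applied in lfs/dnsmasq includes 002-Zero_newly_malloc_ed_memory, which suggests callers depend on it. A one-line comment on each, e.g. `/* returns zeroed memory (calloc); callers may rely on this */`, keeps someone from swapping malloc back in and handing out uninitialised heap. Separately, the unchanged log line in whine_malloc prints the size with `%d` and an `(int)` cast, which misreports requests above INT_MAX; `%zu` with the plain `size_t` would be exact, assuming my_syslog forwards to a printf-family formatter.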