dnsmasq 275: latest upstream patches
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/dnsmasq | 6 +++ ..._5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch | 26 ++++++++++++ ...11-Catch_errors_from_sendmsg_in_DHCP_code.patch | 32 +++++++++++++++ ...12-Update_list_of_subnet_for_--bogus-priv.patch | 48 ++++++++++++++++++++++ ...y_address_from_DNS_overlays_A_record_from.patch | 43 +++++++++++++++++++ ...14-Handle_unknown_DS_hash_algos_correctly.patch | 39 ++++++++++++++++++ .../015-Fix_crash_at_start_up_with_conf-dir.patch | 38 +++++++++++++++++ 7 files changed, 232 insertions(+) create mode 100644 src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch create mode 100644 src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch create mode 100644 src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch create mode 100644 src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch create mode 100644 src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch create mode 100644 src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index db56091..d166392 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -82,6 +82,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
new file mode 100644
index 0000000..281697f
--- /dev/null
+++ b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
@@ -0,0 +1,26 @@
+From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Sat, 26 Sep 2015 21:40:45 +0100
+Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca
+
+---
+ src/rfc3315.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f1f9ee..3ed8623 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+ if (opt_cfg->opt == OPTION6_DNS_SERVER)
+ done_dns = 1;
+
+- /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
+- if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
++ if (opt_cfg->flags & DHOPT_ADDR6)
+ {
+ int len, j;
+ struct in6_addr *a;
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
new file mode 100644
index 0000000..631495f
--- /dev/null
+++ b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
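Review bot: The rewritten condition `if (opt_cfg->flags & DHOPT_ADDR6)` in add_options() drops the `opt_cfg->opt == OPTION6_DNS_SERVER` alternative together with the comment that justified it, and the patch subject is only a commit hash, so a reader of this backport cannot tell what now happens to a dns-server option configured without an address. The removed comment said such an option never sets DHOPT_ADDR6, and the `done_dns = 1` context line shows the option is still tracked separately, which suggests the empty case is handled elsewhere, but that code is outside the hunk. Because IPFire carries this as a standalone file, a sentence in the patch description, or a comment on the new line such as `/* only options carrying addresses (DHOPT_ADDR6) are expanded here; an empty dns-server option is skipped */`, would make the intent reviewable. add_options() begins and ends outside the hunk.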
@@ -0,0 +1,32 @@
+From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Tue, 13 Oct 2015 20:30:32 +0100
+Subject: [PATCH] Catch errors from sendmsg in DHCP code. Logs, eg, iptables
+ DROPS of dest 255.255.255.255
+
+---
+ src/dhcp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index e6fceb1..1c85e42 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
+ #endif
+
+ while(retry_send(sendmsg(fd, &msg, 0)));
++
++ /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
++ if (errno != 0)
++ my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
++ inet_ntoa(dest.sin_addr), strerror(errno));
+ }
+-
++
+ /* check against secondary interface addresses */
+ static int check_listen_addrs(struct in_addr local, int if_index, char *label,
+ struct in_addr netmask, struct in_addr broadcast, void *vparam)
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
new file mode 100644
index 0000000..3ba98fc
--- /dev/null
+++ b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
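Review bot: The added `if (errno != 0)` test in dhcp_packet() decides on errno alone and never looks at what sendmsg() returned; a successful sendmsg() does not clear errno, so unless retry_send() zeroes errno on success (its body is outside this hunk) a stale value left by an earlier call in the function will log a spurious "Error sending DHCP packet" warning. Keeping the result makes the check independent of that helper: `ssize_t sent; while (retry_send(sent = sendmsg(fd, &msg, 0))); if (sent == -1) my_syslog(...);`. The warning fires on every failed transmission, so a persistently dropped broadcast repeats it once per DHCP packet, which is worth knowing when reading logs even if rate limiting is out of scope here. The enclosing function begins outside the hunk.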
@@ -0,0 +1,48 @@
+From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Tue, 20 Oct 2015 21:21:32 +0100
+Subject: [PATCH] Update list of subnet for --bogus-priv
+
+RFC6303 specifies & recommends following zones not be forwarded
+to globally facing servers.
++------------------------------+-----------------------+
+| Zone | Description |
++------------------------------+-----------------------+
+| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK |
+| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK |
+| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL |
+| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 |
+| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 |
+| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 |
+| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST |
++------------------------------+-----------------------+
+
+Signed-off-by: Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk
+---
+ src/rfc1035.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 6a51b30..4eb1772 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost)
+ return
+ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
+ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3.
"here" network */ ||
+- ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
+ ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
+ ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
+- ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
++ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
++ ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ ||
++ ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ;
+ }
+
+ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch b/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
new file mode 100644
index 0000000..736cf38
--- /dev/null
+++ b/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
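Review bot: The new final term `((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF)` in private_net() masks with all ones, which does nothing; `(ip_addr == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast) */` states the same test without the redundant mask. The 192.168.0.0/16 line is removed and re-added byte-for-byte, so its move below 172.16.0.0/12 is cosmetic; the patch description should say so, because a later rebase will otherwise read it as a semantic change. If local policy also wants RFC 6598 shared address space kept off upstream resolvers, the matching term would be `((ip_addr & 0xFFC00000) == 0x64400000) /* 100.64.0.0/10 (shared, RFC 6598) */`, which is not part of the upstream change. The declaration of `ip_addr` and the start of the function are outside the hunk.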
@@ -0,0 +1,43 @@
+From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= edwin+ml-cerowrt@etorok.net
+Date: Sat, 14 Nov 2015 17:45:48 +0000
+Subject: [PATCH] Fix crash when empty address from DNS overlays A record from
+ hosts.
+
+---
+ CHANGELOG | 5 +++++
+ src/cache.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d6e309f..93c73d0 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -13,6 +13,11 @@ version 2.76
+ was a dangling symbolic link, even of --no-resolv set.
+ Thanks to Alexander Kurtz for spotting the problem.
+
++ Fix crash when an A or AAAA record is defined locally,
++ in a hosts file, and an upstream server sends a reply
++ that the same name is empty. Thanks to Edwin Török for
++ the patch.
++
+
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+diff --git a/src/cache.c b/src/cache.c
+index 178d654..1b76b67 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
+ existing record is for an A or AAAA and
+ the record we're trying to insert is the same,
+ just drop the insert, but don't error the whole process. */
+- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
++ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
+ {
+ if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
+ new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr)
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
new file mode 100644
index 0000000..8b17431
--- /dev/null
+++ b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
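Review bot: The `&& addr` added to the condition in cache_insert() stops the `addr->addr.addr4.s_addr` dereference two lines below from running on a NULL pointer, but it does so by skipping the entire "same A/AAAA already present, drop the insert" branch, so a NULL-address insert for a name that has a hosts-file record now continues into whatever follows the block, and the hunk does not show whether that path is the error return the comment above is trying to avoid. The three-line comment ending at `don't error the whole process. */` should say when addr can be NULL; something like `/* addr is NULL for an empty answer: nothing to compare against, fall through */` keeps the next reader from reintroducing the dereference. Whether the code after this block copes with `addr == NULL` needs confirming against the rest of cache_insert(), which is outside the hunk.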
@@ -0,0 +1,39 @@
+From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Fri, 20 Nov 2015 23:20:47 +0000
+Subject: [PATCH] Handle unknown DS hash algos correctly.
+
+When we can validate a DS RRset, but don't speak the hash algo it
+contains, treat that the same as an NSEC/3 proving that the DS
+doesn't exist. 4025 5.2
+---
+ src/dnssec.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 67ce486..b4dc14e 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
+ if (crecp->flags & F_NEG)
+ return STAT_INSECURE_DS;
+
++ /* 4035 5.2
++ If the validator does not support any of the algorithms listed in an
++ authenticated DS RRset, then the resolver has no supported
++ authentication path leading from the parent to the child. The
++ resolver should treat this case as it would the case of an
++ authenticated NSEC RRset proving that no DS RRset exists, */
++ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
++ if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
++ break;
++
++ if (!recp1)
++ return STAT_INSECURE_DS;
++
+ /* NOTE, we need to find ONE DNSKEY which matches the DS */
+ for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
+ {
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
new file mode 100644
index 0000000..a9102c1
--- /dev/null
+++ b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
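Review bot: The new loop in dnssec_validate_by_ds() calls `hash_find(ds_digest_name(recp1->addr.ds.digest))` for every cached DS, so for a digest number dnsmasq has no name for it passes whatever `ds_digest_name()` returns, presumably NULL, straight into `hash_find()`; both helpers are outside this hunk, and the fix is only correct if `hash_find()` treats NULL as "not found" rather than dereferencing it. A comment on the loop, `/* ds_digest_name() is NULL for unassigned digest types; hash_find() must tolerate that */`, records the dependency for whoever next touches either helper. The code comment cites RFC 4035 section 5.2 while the patch description says "4025 5.2"; the quoted text is from 4035, so the description carries the typo. Returning STAT_INSECURE_DS here is what the RFC prescribes and is only safe because the DS RRset was authenticated before this point, which the commit message asserts but the hunk does not show.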
@@ -0,0 +1,38 @@
+From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Sat, 21 Nov 2015 21:47:41 +0000
+Subject: [PATCH] Fix crash at start up with conf-dir=/path,*
+
+Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug.
+---
+ src/option.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 746cd11..71beb98 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ li = opt_malloc(sizeof(struct list));
+ if (*arg == '*')
+ {
+- li->next = match_suffix;
+- match_suffix = li;
+- /* Have to copy: buffer is overwritten */
+- li->suffix = opt_string_alloc(arg+1);
++ /* "*" with no suffix is a no-op */
++ if (arg[1] == 0)
++ free(li);
++ else
++ {
++ li->next = match_suffix;
++ match_suffix = li;
++ /* Have to copy: buffer is overwritten */
++ li->suffix = opt_string_alloc(arg+1);
++ }
+ }
+ else
+ {
+--
+1.7.10.4
+
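Review bot: In one_opt() the new `if (arg[1] == 0) free(li);` branch releases the node that `opt_malloc()` allocated two lines above the `if (*arg == '*')` test, and the comment `/* "*" with no suffix is a no-op */` does not say what the user sees: whether `conf-dir=/path,*` now reads every file in the directory or simply adds no suffix filter is decided by code outside the hunk. Spelling that out, e.g. `/* "*" with no suffix adds no suffix filter */`, is what a reader of this backport needs, since the upstream message only says the crash was found by fuzzing. Moving the `opt_malloc()` call below the test would avoid the allocate-then-free pair, but the `else` branch at the bottom of the hunk also uses `li`, so that restructuring is larger than the fix warrants. The surrounding loop and the start of the function are outside the hunk.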
Thank you. Merged that.
Sad not to get any reviews on the patches any more.
-Michael
On Fri, 2015-11-27 at 22:11 +0100, Matthias Fischer wrote:
dnsmasq 275: latest upstream patches
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/dnsmasq | 6 +++ ..._5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch | 26 ++++++++++++ ...11-Catch_errors_from_sendmsg_in_DHCP_code.patch | 32 +++++++++++++++ ...12-Update_list_of_subnet_for_--bogus-priv.patch | 48 ++++++++++++++++++++++ ...y_address_from_DNS_overlays_A_record_from.patch | 43 +++++++++++++++++++ ...14-Handle_unknown_DS_hash_algos_correctly.patch | 39 ++++++++++++++++++ .../015-Fix_crash_at_start_up_with_conf-dir.patch | 38 +++++++++++++++++ 7 files changed, 232 insertions(+) create mode 100644 src/patches/dnsmasq/010 -Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch create mode 100644 src/patches/dnsmasq/011 -Catch_errors_from_sendmsg_in_DHCP_code.patch create mode 100644 src/patches/dnsmasq/012 -Update_list_of_subnet_for_--bogus-priv.patch create mode 100644 src/patches/dnsmasq/013 -Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch create mode 100644 src/patches/dnsmasq/014 -Handle_unknown_DS_hash_algos_correctly.patch create mode 100644 src/patches/dnsmasq/015 -Fix_crash_at_start_up_with_conf-dir.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq index db56091..d166392 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -82,6 +82,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007 -handle_signed_dangling_CNAME_replies_to_DS_queries.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008 -DHCPv6_option_56_does_not_hold_an_address_list.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_- -no_resolv_flag_in_inotify_code.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/010 -Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/011 -Catch_errors_from_sendmsg_in_DHCP_code.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus -priv.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/013 -Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/014 -Handle_unknown_DS_hash_algos_correctly.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf -dir.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease -file.patch
cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq/010 -Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch b/src/patches/dnsmasq/010 -Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch new file mode 100644 index 0000000..281697f --- /dev/null +++ b/src/patches/dnsmasq/010 -Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch @@ -0,0 +1,26 @@ +From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 26 Sep 2015 21:40:45 +0100 +Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca
+---
- src/rfc3315.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/src/rfc3315.c b/src/rfc3315.c +index 3f1f9ee..3ed8623 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
if (opt_cfg->opt == OPTION6_DNS_SERVER)
- done_dns = 1;
+- /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */ +- if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER) ++ if (opt_cfg->flags & DHOPT_ADDR6)
- {
int len, j;
struct in6_addr *a;
+-- +1.7.10.4
diff --git a/src/patches/dnsmasq/011 -Catch_errors_from_sendmsg_in_DHCP_code.patch b/src/patches/dnsmasq/011 -Catch_errors_from_sendmsg_in_DHCP_code.patch new file mode 100644 index 0000000..631495f --- /dev/null +++ b/src/patches/dnsmasq/011 -Catch_errors_from_sendmsg_in_DHCP_code.patch @@ -0,0 +1,32 @@ +From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 13 Oct 2015 20:30:32 +0100 +Subject: [PATCH] Catch errors from sendmsg in DHCP code. Logs, eg, iptables
- DROPS of dest 255.255.255.255
+---
- src/dhcp.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/dhcp.c b/src/dhcp.c +index e6fceb1..1c85e42 100644 +--- a/src/dhcp.c ++++ b/src/dhcp.c +@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
- #endif
- while(retry_send(sendmsg(fd, &msg, 0)));
++ ++ /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */ ++ if (errno != 0) ++ my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"), ++ inet_ntoa(dest.sin_addr), strerror(errno));
- }
+- ++
- /* check against secondary interface addresses */
- static int check_listen_addrs(struct in_addr local, int if_index,
char *label,
struct in_addr netmask, struct
in_addr broadcast, void *vparam) +-- +1.7.10.4
diff --git a/src/patches/dnsmasq/012-Update_list_of_subnet_for_- -bogus-priv.patch b/src/patches/dnsmasq/012 -Update_list_of_subnet_for_--bogus-priv.patch new file mode 100644 index 0000000..3ba98fc --- /dev/null +++ b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus -priv.patch @@ -0,0 +1,48 @@ +From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 20 Oct 2015 21:21:32 +0100 +Subject: [PATCH] Update list of subnet for --bogus-priv
+RFC6303 specifies & recommends following zones not be forwarded +to globally facing servers. ++------------------------------+-----------------------+ +| Zone | Description | ++------------------------------+-----------------------+ +| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK | +| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK | +| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL | +| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 | +| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 | +| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 | +| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST | ++------------------------------+-----------------------+
+Signed-off-by: Kevin Darbyshire-Bryant < kevin@darbyshire-bryant.me.uk> +---
- src/rfc1035.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/src/rfc1035.c b/src/rfc1035.c +index 6a51b30..4eb1772 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost)
- return
(((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /*
127.0.0.0/8 (loopback) */ ||
((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3.
"here" network */ || +- ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8
(private) */ ||
((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12
(private) */ || +- ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ; ++ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || ++ ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test -net) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test -net) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test -net) */ || ++ ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ;
- }
- static unsigned char *do_doctor(unsigned char *p, int count, struct
dns_header *header, size_t qlen, char *name, int *doctored) +-- +1.7.10.4
diff --git a/src/patches/dnsmasq/013 -Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch b/src/patches/dnsmasq/013 -Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch new file mode 100644 index 0000000..736cf38 --- /dev/null +++ b/src/patches/dnsmasq/013 -Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch @@ -0,0 +1,43 @@ +From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= < edwin+ml-cerowrt@etorok.net> +Date: Sat, 14 Nov 2015 17:45:48 +0000 +Subject: [PATCH] Fix crash when empty address from DNS overlays A record from
- hosts.
+---
- CHANGELOG | 5 +++++
- src/cache.c | 2 +-
- 2 files changed, 6 insertions(+), 1 deletion(-)
+diff --git a/CHANGELOG b/CHANGELOG +index d6e309f..93c73d0 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -13,6 +13,11 @@ version 2.76
was a dangling symbolic link, even of --no-resolv set.
Thanks to Alexander Kurtz for spotting the problem.
++ Fix crash when an A or AAAA record is defined locally, ++ in a hosts file, and an upstream server sends a reply ++ that the same name is empty. Thanks to Edwin Török for ++ the patch. ++
- version 2.75
Fix reversion on 2.74 which caused 100% CPU use when a
+diff --git a/src/cache.c b/src/cache.c +index 178d654..1b76b67 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
existing record is for an A or AAAA and
the record we're trying to insert is the same,
just drop the insert, but don't error the whole process.
*/ +- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD)) ++ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
- {
if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
new->addr.addr.addr.addr4.s_addr == addr
->addr.addr4.s_addr) +-- +1.7.10.4
diff --git a/src/patches/dnsmasq/014 -Handle_unknown_DS_hash_algos_correctly.patch b/src/patches/dnsmasq/014 -Handle_unknown_DS_hash_algos_correctly.patch new file mode 100644 index 0000000..8b17431 --- /dev/null +++ b/src/patches/dnsmasq/014 -Handle_unknown_DS_hash_algos_correctly.patch @@ -0,0 +1,39 @@ +From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Fri, 20 Nov 2015 23:20:47 +0000 +Subject: [PATCH] Handle unknown DS hash algos correctly.
+When we can validate a DS RRset, but don't speak the hash algo it +contains, treat that the same as an NSEC/3 proving that the DS +doesn't exist. 4025 5.2 +---
- src/dnssec.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
+diff --git a/src/dnssec.c b/src/dnssec.c +index 67ce486..b4dc14e 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
- if (crecp->flags & F_NEG)
return STAT_INSECURE_DS;
++ /* 4035 5.2 ++ If the validator does not support any of the algorithms listed in an ++ authenticated DS RRset, then the resolver has no supported ++ authentication path leading from the parent to the child. The ++ resolver should treat this case as it would the case of an ++ authenticated NSEC RRset proving that no DS RRset exists, */ ++ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) ++ if (hash_find(ds_digest_name(recp1->addr.ds.digest))) ++ break; ++ ++ if (!recp1) ++ return STAT_INSECURE_DS; ++
- /* NOTE, we need to find ONE DNSKEY which matches the DS */
- for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j-
-)
{
+-- +1.7.10.4
diff --git a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf -dir.patch b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf -dir.patch new file mode 100644 index 0000000..a9102c1 --- /dev/null +++ b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf -dir.patch @@ -0,0 +1,38 @@ +From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 21 Nov 2015 21:47:41 +0000 +Subject: [PATCH] Fix crash at start up with conf-dir=/path,*
+Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug. +---
- src/option.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
+diff --git a/src/option.c b/src/option.c +index 746cd11..71beb98 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
li = opt_malloc(sizeof(struct list));
if (*arg == '*')
{
+- li->next = match_suffix; +- match_suffix = li; +- /* Have to copy: buffer is overwritten */ +- li->suffix = opt_string_alloc(arg+1); ++ /* "*" with no suffix is a no-op */ ++ if (arg[1] == 0) ++ free(li); ++ else ++ { ++ li->next = match_suffix; ++ match_suffix = li; ++ /* Have to copy: buffer is overwritten */ ++ li->suffix = opt_string_alloc(arg+1); ++ }
}
else
{
+-- +1.7.10.4