This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via cc97d7b417a44749be1568478173b799a7dc5ff9 (commit) via a4fdc176429a03fb47f851a9767c93f8b3a19259 (commit) via 754efda13126e16c951f4051df6cfc9926fca490 (commit) from afc14499a725d2d7d6f363d6859492dc74b3300b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit cc97d7b417a44749be1568478173b799a7dc5ff9 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jul 13 16:55:29 2016 +0100
collectd: Ignore *phys, macvtap* and vnet* interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a4fdc176429a03fb47f851a9767c93f8b3a19259 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Jul 12 12:37:19 2016 +0200
dnsmasq 2.76: latest patches from upstream (004-009)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 754efda13126e16c951f4051df6cfc9926fca490 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Jul 9 12:27:37 2016 +0200
dnsmasq 2.76: latest patches from upstream (001-003)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/collectd/collectd.conf | 6 +- config/rootfiles/core/104/filelists/files | 1 + config/rootfiles/core/104/update.sh | 2 + lfs/dnsmasq | 9 +++ ...late_length_of_TFTP_error_reply_correctly.patch | 65 +++++++++++++++ .../dnsmasq/002-Zero_newly_malloc_ed_memory.patch | 36 +++++++++ .../003-Check_return_of_expand_always.patch | 44 ++++++++++ .../004-Fix_editing_error_on_man_page.patch | 40 ++++++++++ src/patches/dnsmasq/005-Manpage_typo.patch | 25 ++++++ ...aviour_with_some_DHCP_option_arrangements.patch | 49 ++++++++++++ ...007-Fix_logic_error_in_Linux_netlink_code.patch | 55 +++++++++++++ .../008-Fix_problem_with_--dnssec-timestamp.patch | 93 ++++++++++++++++++++++ .../009-malloc_memset_calloc_for_efficiency.patch | 46 +++++++++++ 13 files changed, 468 insertions(+), 3 deletions(-) create mode 100644 src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch create mode 100644 src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch create mode 100644 src/patches/dnsmasq/003-Check_return_of_expand_always.patch create mode 100644 src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch create mode 100644 src/patches/dnsmasq/005-Manpage_typo.patch create mode 100644 src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch create mode 100644 src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch create mode 100644 src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch create mode 100644 src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
Difference in files:
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 384c943..486077a 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -34,9 +34,9 @@ include "/etc/collectd.precache"
<Plugin interface>
 Interface "lo"
- Interface "ipsec1"
- Interface "ipsec2"
- Interface "ipsec3"
+ Interface "/[0-9]*phys$/"
+ Interface "/^macvtap[0-9]*$/"
+ Interface "/^vnet[0-9]*$/"
 IgnoreSelected true
 </Plugin>
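Review bot: In the added `Interface "/[0-9]*phys$/"` line the `[0-9]*` prefix has no effect, because the pattern is not anchored at the start and `[0-9]*` can match nothing; as written it ignores every interface whose name ends in `phys`. That agrees with the commit title (`*phys`), so `"/phys$/"` would say the same thing more plainly, while `"/^[0-9]+phys$/"` is the form to use if only digit-prefixed names were meant. The hunk also drops the `ipsec1` to `ipsec3` entries without mention in the commit message, so those interfaces are no longer ignored if they exist. A one-line comment above the block stating which interface families are excluded and why would make that intent reviewable.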
diff --git a/config/rootfiles/core/104/filelists/files b/config/rootfiles/core/104/filelists/files index 13e547a..6679071 100644 --- a/config/rootfiles/core/104/filelists/files +++ b/config/rootfiles/core/104/filelists/files @@ -1,4 +1,5 @@ etc/system-release etc/issue +etc/collectd.conf opt/pakfire/lib/functions.sh srv/web/ipfire/cgi-bin/ids.cgi diff --git a/config/rootfiles/core/104/update.sh b/config/rootfiles/core/104/update.sh index 615e797..53ca6f7 100644 --- a/config/rootfiles/core/104/update.sh +++ b/config/rootfiles/core/104/update.sh @@ -41,6 +41,7 @@ do done
# Stop services +/etc/init.d/collectd stop
# Extract files extract_files @@ -55,6 +56,7 @@ ldconfig #/usr/local/bin/update-lang-cache
# Start services +/etc/init.d/collectd start /etc/init.d/snort restart
# This update need a reboot... diff --git a/lfs/dnsmasq b/lfs/dnsmasq index e425f7d..a0fdc50 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -73,6 +73,15 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch new file mode 100644 index 0000000..43ac068 --- /dev/null +++ b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch 
@@ -0,0 +1,65 @@ +From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 6 Jul 2016 21:30:25 +0100 +Subject: [PATCH] Calculate length of TFTP error reply correctly. + +--- + CHANGELOG | 14 ++++++++++++++ + src/tftp.c | 7 +++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 04ff3f0..0559a6f 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,17 @@ ++version 2.77 ++ Calculate the length of TFTP error reply packet ++ correctly. This fixes a problem when the error ++ message in a TFTP packet exceeds the arbitrary ++ limit of 500 characters. The message was correctly ++ truncated, but not the packet length, so ++ extra data was appended. This is a possible ++ security risk, since the extra data comes from ++ a buffer which is also used for DNS, so that ++ previous DNS queries or replies may be leaked. ++ Thanks to Mozilla for funding the security audit ++ which spotted this bug. ++ ++ + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range + translates to hosts on the local network, or, at +diff --git a/src/tftp.c b/src/tftp.c +index 5e4a32a..3e1b5c5 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -652,20 +652,23 @@ static void sanitise(char *buf) + + } + ++#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */ + static ssize_t tftp_err(int err, char *packet, char *message, char *file) + { + struct errmess { + unsigned short op, err; + char message[]; + } *mess = (struct errmess *)packet; +- ssize_t ret = 4; ++ ssize_t len, ret = 4; + char *errstr = strerror(errno); + + sanitise(file); + + mess->op = htons(OP_ERR); + mess->err = htons(err); +- ret += (snprintf(mess->message, 500, message, file, errstr) + 1); ++ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); ++ ret += (len < MAXMESSAGE) ? 
len + 1 : MAXMESSAGE; /* include terminating zero */ ++ + my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message); + + return ret; +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch new file mode 100644 index 0000000..b748db8 --- /dev/null +++ b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch @@ -0,0 +1,36 @@ +From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 6 Jul 2016 21:33:56 +0100 +Subject: [PATCH] Zero newly malloc'ed memory. + +--- + src/util.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/util.c b/src/util.c +index 93b24f5..82443c9 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -248,6 +248,8 @@ void *safe_malloc(size_t size) + + if (!ret) + die(_("could not get memory"), NULL, EC_NOMEM); ++ else ++ memset(ret, 0, size); + + return ret; + } +@@ -266,7 +268,9 @@ void *whine_malloc(size_t size) + + if (!ret) + my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); +- ++ else ++ memset(ret, 0, size); ++ + return ret; + } + +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch new file mode 100644 index 0000000..a69f4ce --- /dev/null +++ b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch 
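Review bot: In `tftp_err()` (patch 001, `src/tftp.c`) the new length calculation treats a negative `snprintf()` return like a short message: with `len == -1` the packet length stays at 4 and `mess->message` is passed to `my_syslog()` without having been written. A guard such as `if (len < 0) { mess->message[0] = 0; len = 0; }` before the `ret +=` line keeps the reply well formed. The `MAXMESSAGE` comment also asserts that 500 is "definitely smaller than buffer", but `tftp_err()` receives only `char *packet` with no size, so that assumption rests on callers outside the hunk and is worth stating in a comment on the function.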
@@ -0,0 +1,44 @@ +From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 6 Jul 2016 21:42:27 +0100 +Subject: [PATCH] Check return of expand() always. + +--- + src/radv.c | 4 +++- + src/slaac.c | 5 ++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/radv.c b/src/radv.c +index 749b666..faa0f6d 100644 +--- a/src/radv.c ++++ b/src/radv.c +@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad + parm.prio = calc_prio(ra_param); + + save_counter(0); +- ra = expand(sizeof(struct ra_packet)); ++ ++ if (!(ra = expand(sizeof(struct ra_packet)))) ++ return; + + ra->type = ND_ROUTER_ADVERT; + ra->code = 0; +diff --git a/src/slaac.c b/src/slaac.c +index 8034805..07b8ba4 100644 +--- a/src/slaac.c ++++ b/src/slaac.c +@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) + struct sockaddr_in6 addr; + + save_counter(0); +- ping = expand(sizeof(struct ping_packet)); ++ ++ if (!(ping = expand(sizeof(struct ping_packet)))) ++ continue; ++ + ping->type = ICMP6_ECHO_REQUEST; + ping->code = 0; + ping->identifier = ping_id; +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch new file mode 100644 index 0000000..f4d0d20 --- /dev/null +++ b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch 
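Review bot: Both new `expand()` checks (patch 003, `send_ra_alias()` in `src/radv.c` and `periodic_slaac()` in `src/slaac.c`) abandon the packet silently, after `save_counter(0)` has already run. Whether `expand()` logs its own allocation failure is not visible here; if it does not, a router advertisement or SLAAC ping is dropped with no trace, so a short comment such as `/* expand() failed (out of memory): skip this packet */` and, where needed, a `my_syslog(LOG_ERR, ...)` call would help. In `periodic_slaac()` the `continue` skips the rest of the loop body, which lies outside the hunk, so it is worth confirming that no per-entry state update is skipped with it.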
@@ -0,0 +1,40 @@ +From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sun, 10 Jul 2016 22:12:08 +0100 +Subject: [PATCH] Fix editing error on man page. + +Thanks to Eric Westbrook for spotting this. +--- + man/dnsmasq.8 | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 0521534..bd8c0b3 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of + using this option is the same as for --dhcp-hostsfile: the + dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that + it is possible to encode the information in a ++.B --dhcp-boot ++flag as DHCP options, using the options names bootfile-name, ++server-ip-address and tftp-server. This allows these to be included ++in a dhcp-optsfile. + .TP + .B --dhcp-hostsdir=<path> + This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a +@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically. + .TP + .B --dhcp-optsdir=<path> + This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir. +-.TP +-.B --dhcp-boot +-flag as DHCP options, using the options names bootfile-name, +-server-ip-address and tftp-server. This allows these to be included +-in a dhcp-optsfile. + .TP + .B -Z, --read-ethers + Read /etc/ethers for information about hosts for the DHCP server. The +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/005-Manpage_typo.patch b/src/patches/dnsmasq/005-Manpage_typo.patch new file mode 100644 index 0000000..52f16de --- /dev/null +++ b/src/patches/dnsmasq/005-Manpage_typo.patch 
@@ -0,0 +1,25 @@ +From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001 +From: Kristjan Onu jeixav@gmail.com +Date: Sun, 10 Jul 2016 22:37:57 +0100 +Subject: [PATCH] Manpage typo. + +--- + man/dnsmasq.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index bd8c0b3..ac8d921 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -242,7 +242,7 @@ addresses associated with the interface. + .B --local-service + Accept DNS queries only from hosts whose address is on a local subnet, + ie a subnet for which an interface exists on the server. This option +-only has effect is there are no --interface --except-interface, ++only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. It is intended to be set as + a default on installation, to allow unconfigured installations to be + useful but also safe from being used for DNS amplification attacks. +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch new file mode 100644 index 0000000..ec17115 --- /dev/null +++ b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch 
@@ -0,0 +1,49 @@ +From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Mon, 11 Jul 2016 18:18:42 +0100 +Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements. + +The check that there's enough space to store the DHCP agent-id +at the end of the packet could succeed when it should fail +if the END option is in either of the oprion-overload areas. +That could overwrite legit options in the request and cause +bad behaviour. It's highly unlikely that any sane DHCP client +would trigger this bug, and it's never been seen, but this +fixes the problem. + +Also fix off-by-one in bounds checking of option processing. +Worst case scenario on that is a read one byte beyond the +end off a buffer with a crafted packet, and maybe therefore +a SIGV crash if the memory after the buffer is not mapped. + +Thanks to Timothy Becker for spotting these. +--- + src/rfc2131.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/rfc2131.c b/src/rfc2131.c +index b7c167e..8b99d4b 100644 +--- a/src/rfc2131.c ++++ b/src/rfc2131.c +@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + be enough free space at the end of the packet to copy the option. */ + unsigned char *sopt; + unsigned int total = option_len(opt) + 2; +- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0); ++ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz, ++ OPTION_END, 0); + if (last_opt && last_opt < end - total) + { + end -= total; +@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt + { + while (1) + { +- if (p > end) ++ if (p >= end) + return NULL; + else if (*p == OPTION_END) + return opt == OPTION_END ? p : NULL; +-- +1.7.10.4 + 
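Review bot: The replacement call in `dhcp_reply()` (patch 006, `src/rfc2131.c`) passes `&mess->options[0] + sizeof(u32)` with no explanation of the offset or of why `option_find1()` is called directly instead of `option_find()`. Going by the patch description, the point is to search only the main options area, so that an END option inside an option-overload area cannot satisfy the free-space check. A comment such as `/* main options area only, skipping the 4-byte cookie: END in an overload area must not count */` would record that; reading `sizeof(u32)` as the cookie is my inference. The second hunk's `p >= end` fix guards the `*p` read, while the length-byte reads later in `option_find1()` lie outside the hunk and should be checked against the same `end` convention.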
diff --git a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch new file mode 100644 index 0000000..6a79eac --- /dev/null +++ b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch 
@@ -0,0 +1,55 @@ +From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001 +From: Ivan Kokshaysky ink@jurassic.park.msu.ru +Date: Mon, 11 Jul 2016 18:36:05 +0100 +Subject: [PATCH] Fix logic error in Linux netlink code. + +This could cause dnsmasq to enter a tight loop on systems +with a very large number of network interfaces. +--- + CHANGELOG | 6 ++++++ + src/netlink.c | 8 +++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 0559a6f..59c9c49 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -11,6 +11,12 @@ version 2.77 + Thanks to Mozilla for funding the security audit + which spotted this bug. + ++ Fix logic error in Linux netlink code. This could ++ cause dnsmasq to enter a tight loop on systems ++ with a very large number of network interfaces. ++ Thanks to Ivan Kokshaysky for the diagnosis and ++ patch. ++ + + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range +diff --git a/src/netlink.c b/src/netlink.c +index 049247b..8cd51af 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)()) + } + + for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len)) +- if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) ++ if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) + { + /* May be multicast arriving async */ + nl_async(h); + } ++ else if (h->nlmsg_seq != seq) ++ { ++ /* May be part of incomplete response to previous request after ++ ENOBUFS. Drop it. */ ++ continue; ++ } + else if (h->nlmsg_type == NLMSG_DONE) + return callback_ok; + else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch new file mode 100644 index 0000000..b32d17a --- /dev/null 
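Review bot: In `iface_enumerate()` (patch 007, `src/netlink.c`) the new `nlmsg_seq` branch sits after the `h->nlmsg_type == NLMSG_ERROR` test, so an error reply belonging to a stale request is still handed to `nl_async()` rather than dropped like other stale messages. If that is intended, the existing comment `/* May be multicast arriving async */` no longer describes the whole branch and should say so. If it is not, testing `h->nlmsg_pid == netlink_pid && h->nlmsg_seq != seq` first would drop every leftover reply. The rest of the `else if` chain lies outside the hunk.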
+++ b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch 
@@ -0,0 +1,93 @@ +From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001 +From: Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk +Date: Mon, 11 Jul 2016 21:03:27 +0100 +Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of + SIGHUP would erroneously engage timestamp checking. + +--- + CHANGELOG | 4 ++++ + src/dnsmasq.c | 7 ++++--- + src/dnsmasq.h | 1 + + src/dnssec.c | 5 +++-- + 4 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 59c9c49..9f1e404 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -17,6 +17,10 @@ version 2.77 + Thanks to Ivan Kokshaysky for the diagnosis and + patch. + ++ Fix problem with --dnssec-timestamp whereby receipt ++ of SIGHUP would erroneously engage timestamp checking. ++ Thanks to Kevin Darbyshire-Bryant for this work. ++ + + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 045ec53..a47273f 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -750,7 +750,8 @@ int main (int argc, char **argv) + + my_syslog(LOG_INFO, _("DNSSEC validation enabled")); + +- if (option_bool(OPT_DNSSEC_TIME)) ++ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); ++ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); + + if (rc == 1) +@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now) + { + case EVENT_RELOAD: + #ifdef HAVE_DNSSEC +- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) ++ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) + { + my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); +- reset_option_bool(OPT_DNSSEC_TIME); ++ daemon->dnssec_no_time_check = 0; + } + #endif + /* fall through */ +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 1896a64..be27ae0 100644 +--- a/src/dnsmasq.h ++++ 
b/src/dnsmasq.h +@@ -992,6 +992,7 @@ extern struct daemon { + #endif + #ifdef HAVE_DNSSEC + struct ds_config *ds; ++ int dnssec_no_time_check; + int back_to_the_future; + char *timestamp_file; + #endif +diff --git a/src/dnssec.c b/src/dnssec.c +index 3c77c7d..64358fa 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end) + if (utime(daemon->timestamp_file, NULL) != 0) + my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno)); + ++ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps.")); + daemon->back_to_the_future = 1; +- set_option_bool(OPT_DNSSEC_TIME); ++ daemon->dnssec_no_time_check = 0; + queue_event(EVENT_RELOAD); /* purge cache */ + } + + if (daemon->back_to_the_future == 0) + return 1; + } +- else if (option_bool(OPT_DNSSEC_TIME)) ++ else if (daemon->dnssec_no_time_check) + return 1; + + /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch new file mode 100644 index 0000000..0300853 --- /dev/null +++ b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch 
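Review bot: `int dnssec_no_time_check;` is added to `struct daemon` in `src/dnsmasq.h` (patch 008) without a comment, although it now decides in `check_date_range()` whether signature validity periods are enforced at all. A comment along the lines of `/* runtime state: set from OPT_DNSSEC_TIME at startup, cleared on first reload or once system time is valid; while set, signature dates are not checked */` would make explicit the window in which expired signatures are accepted. In `async_event()` the reload branch clears the flag and logs "now checking DNSSEC signature timestamps" without looking at `daemon->timestamp_file`. If both options can be set together, that message may appear while `check_date_range()` still returns early on `back_to_the_future == 0`, which would mislead an operator reading the log. Both functions continue outside their hunks.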
@@ -0,0 +1,46 @@ +From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Mon, 11 Jul 2016 21:34:31 +0100 +Subject: [PATCH] malloc(); memset() -> calloc() for efficiency. + +--- + src/util.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index 82443c9..211690e 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval) + /* for use during startup */ + void *safe_malloc(size_t size) + { +- void *ret = malloc(size); ++ void *ret = calloc(1, size); + + if (!ret) + die(_("could not get memory"), NULL, EC_NOMEM); +- else +- memset(ret, 0, size); +- ++ + return ret; + } + +@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock) + + void *whine_malloc(size_t size) + { +- void *ret = malloc(size); ++ void *ret = calloc(1, size); + + if (!ret) + my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); +- else +- memset(ret, 0, size); + + return ret; + } +-- +1.7.10.4 +
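Review bot: After patch 009 `safe_malloc()` and `whine_malloc()` in `src/util.c` return zero-filled memory from `calloc(1, size)`, but their names and the one visible comment (`/* for use during startup */`) do not say so. Patch 002 introduced the zeroing, apparently as hardening, and callers may come to rely on it. A line such as `/* returns zeroed memory; do not replace with plain malloc() */` above each function would keep a later cleanup from undoing it.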
hooks/post-receive -- IPFire 2.x development tree