dnsmasq: Import latest patches from upstream

Michael Tremer
2015-04-04 15:23:17 +02:00
parent 979c846343
commit 263d0a71a9
72 changed files with 22163 additions and 95 deletions


@@ -130,6 +130,20 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0058-Fix-boilerplate-code-for-re-running-system-calls-on-.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0059-Make-address-example.com-equivalent-to-server-exampl.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0060-dhcp-set-outbound-interface-via-cmsg-in-unicast-repl.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0061-Don-t-fail-DNSSEC-when-a-signed-CNAME-dangles-into-a.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0062-Return-SERVFAIL-when-validation-abandoned.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0063-Protect-against-broken-DNSSEC-upstreams.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0064-DNSSEC-fix-for-non-ascii-characters-in-labels.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0065-Allow-control-characters-in-names-in-the-cache-handl.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0066-Fix-crash-in-last-commit.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0067-Merge-message-translations.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0068-add-tftp-no-fail-to-ignore-missing-tftp-root.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0069-Whitespace-fixes.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0071-Fix-compiler-warning-when-not-including-DNSSEC.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \


@@ -1,7 +1,7 @@
From f2658275b25ebfe691cdcb9fede85a3088cca168 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 25 Sep 2014 21:51:25 +0100
Subject: [PATCH 01/55] Add newline at the end of example config file.
Subject: [PATCH 01/71] Add newline at the end of example config file.
---
dnsmasq.conf.example | 2 +-


@@ -1,7 +1,7 @@
From 00cd9d551998307225312fd21f761cfa8868bd2c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 2 Oct 2014 21:44:21 +0100
Subject: [PATCH 02/55] crash at startup when an empty suffix is supplied to
Subject: [PATCH 02/71] crash at startup when an empty suffix is supplied to
--conf-dir
---


@@ -1,7 +1,7 @@
From 6ac3bc0452a74e16e3d620a0757b0f8caab182ec Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Oct 2014 08:48:11 +0100
Subject: [PATCH 03/55] Debian build fixes for kFreeBSD
Subject: [PATCH 03/71] Debian build fixes for kFreeBSD
---
src/tables.c | 6 +++++-


@@ -1,7 +1,7 @@
From e9828b6f66b22ce8873f8d30a773137d1aef1b92 Mon Sep 17 00:00:00 2001
From: Karl Vogel <karl.vogel@gmail.com>
Date: Fri, 3 Oct 2014 21:45:15 +0100
Subject: [PATCH 04/55] Set conntrack mark before connect() call.
Subject: [PATCH 04/71] Set conntrack mark before connect() call.
SO_MARK has to be done before issuing the connect() call on the
TCP socket.


@@ -1,7 +1,7 @@
From 17b475912f6a4e72797a543dad59d4d5dde6bb1b Mon Sep 17 00:00:00 2001
From: Daniel Collins <daniel.collins@smoothwall.net>
Date: Fri, 3 Oct 2014 21:58:43 +0100
Subject: [PATCH 05/55] Fix typo in new Dbus code.
Subject: [PATCH 05/71] Fix typo in new Dbus code.
Simon's fault.
---


@@ -1,7 +1,7 @@
From 3d9d2dd0018603a2ae4b9cd65ac6ff959f4fd8c7 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 6 Oct 2014 10:46:48 +0100
Subject: [PATCH 06/55] Fit example conf file typo.
Subject: [PATCH 06/71] Fit example conf file typo.
---
dnsmasq.conf.example | 2 +-


@@ -1,7 +1,7 @@
From b9ff5c8f435173cfa616e3c398bdc089ef690a07 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko <themiron@mail.ru>
Date: Mon, 6 Oct 2014 14:34:24 +0100
Subject: [PATCH 07/55] Improve RFC-compliance when unable to supply addresses
Subject: [PATCH 07/71] Improve RFC-compliance when unable to supply addresses
in DHCPv6
While testing https://github.com/sbyx/odhcp6c client I have noticed it


@@ -1,7 +1,7 @@
From 98906275a02ae260fe3f82133bd79054f8315f06 Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Tue, 9 Dec 2014 22:22:53 +0000
Subject: [PATCH 08/55] Fix conntrack with --bind-interfaces
Subject: [PATCH 08/71] Fix conntrack with --bind-interfaces
Make sure dst_addr is assigned the correct address in receive_query when OPTNOWILD is
enabled so the assigned mark can be correctly retrieved and set in forward_query when


@@ -1,7 +1,7 @@
From 193de4abf59e49c6b70d54cfe9720fcb95ca2f71 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 10 Dec 2014 17:32:16 +0000
Subject: [PATCH 09/55] Use inotify instead of polling on Linux.
Subject: [PATCH 09/71] Use inotify instead of polling on Linux.
This should solve problems people are seeing when a file changes
twice within a second and thus is missed for polling.


@@ -1,7 +1,7 @@
From 857973e6f7e0a3d03535a9df7f9373fd7a0b65cc Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 15:58:13 +0000
Subject: [PATCH 10/55] Teach the new inotify code about symlinks.
Subject: [PATCH 10/71] Teach the new inotify code about symlinks.
---
src/inotify.c | 43 +++++++++++++++++++++++++++----------------


@@ -1,7 +1,7 @@
From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:50:15 +0000
Subject: [PATCH 11/55] Remove floor on EDNS0 packet size with DNSSEC.
Subject: [PATCH 11/71] Remove floor on EDNS0 packet size with DNSSEC.
---
CHANGELOG | 6 +++++-


@@ -1,7 +1,7 @@
From ad946d555dce44eb690c7699933b6ff40ab85bb6 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:52:22 +0000
Subject: [PATCH 12/55] CHANGELOG re. inotify.
Subject: [PATCH 12/71] CHANGELOG re. inotify.
---
CHANGELOG | 4 ++++


@@ -1,7 +1,7 @@
From 3ad3f3bbd4ee716a7d2fb1e115cf89bd1b1a5de9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 18:25:17 +0000
Subject: [PATCH 13/55] Fix breakage of --domain=<domain>,<subnet>,local
Subject: [PATCH 13/71] Fix breakage of --domain=<domain>,<subnet>,local
---
CHANGELOG | 4 ++++


@@ -1,7 +1,7 @@
From bd9520b7ade7098ee423acc38965376aa57feb07 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 20:41:29 +0000
Subject: [PATCH 14/55] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
Subject: [PATCH 14/71] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
---
src/network.c | 4 ----


@@ -1,7 +1,7 @@
From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 12:41:56 +0000
Subject: [PATCH 15/55] Eliminate IPv6 privacy addresses from --interface-name
Subject: [PATCH 15/71] Eliminate IPv6 privacy addresses from --interface-name
answers.
---


@@ -1,7 +1,7 @@
From 3267804598047bd1781cab91508d1bc516e5ddbb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 20:38:20 +0000
Subject: [PATCH 16/55] Tweak field width in cache dump to avoid truncating
Subject: [PATCH 16/71] Tweak field width in cache dump to avoid truncating
IPv6 addresses.
---


@@ -1,7 +1,7 @@
From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 16:11:52 +0000
Subject: [PATCH 17/55] Fix crash in DNSSEC code when attempting to verify
Subject: [PATCH 17/71] Fix crash in DNSSEC code when attempting to verify
large RRs.
---


@@ -1,7 +1,7 @@
From cbc652423403e3cef00e00240f6beef713142246 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 21:21:53 +0000
Subject: [PATCH 18/55] Make caching work for CNAMEs pointing to A/AAAA records
Subject: [PATCH 18/71] Make caching work for CNAMEs pointing to A/AAAA records
shadowed in /etc/hosts
If the answer to an upstream query is a CNAME which points to an


@@ -1,7 +1,7 @@
From fbc5205702c7f6f431d9f1043c553d7fb62ddfdb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 15:46:08 +0000
Subject: [PATCH 19/55] Fix problems validating NSEC3 and wildcards.
Subject: [PATCH 19/71] Fix problems validating NSEC3 and wildcards.
---
src/dnssec.c | 253 ++++++++++++++++++++++++++++++-----------------------------


@@ -1,7 +1,7 @@
From 83d2ed09fc0216b567d7fb2197e4ff3eae150b0d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 18:42:38 +0000
Subject: [PATCH 20/55] Initialise return value.
Subject: [PATCH 20/71] Initialise return value.
---
src/dnssec.c | 7 +++++--


@@ -1,7 +1,7 @@
From 32fc6dbe03569d70dd394420ceb73532cf303c33 Mon Sep 17 00:00:00 2001
From: Glen Huang <curvedmark@gmail.com>
Date: Sat, 27 Dec 2014 15:28:12 +0000
Subject: [PATCH 21/55] Add --ignore-address option.
Subject: [PATCH 21/71] Add --ignore-address option.
---
CHANGELOG | 8 ++++++++


@@ -1,7 +1,7 @@
From 0b1008d367d44e77352134a4c5178f896f0db3e7 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 27 Dec 2014 15:33:32 +0000
Subject: [PATCH 22/55] Bad packet protection.
Subject: [PATCH 22/71] Bad packet protection.
---
src/dnssec.c | 2 +-


@@ -1,7 +1,7 @@
From d310ab7ecbffce79d3d90debba621e0222f9bced Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sat, 27 Dec 2014 15:36:38 +0000
Subject: [PATCH 23/55] Fix build failure in new inotify code on BSD.
Subject: [PATCH 23/71] Fix build failure in new inotify code on BSD.
---
src/inotify.c | 4 ++--


@@ -1,7 +1,7 @@
From 81c538efcebfce2ce4a1d3a420b6c885b8f08df9 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Sat, 3 Jan 2015 16:36:14 +0000
Subject: [PATCH 24/55] Implement makefile dependencies on COPTS variable.
Subject: [PATCH 24/71] Implement makefile dependencies on COPTS variable.
---
.gitignore | 2 +-


@@ -1,7 +1,7 @@
From d8dbd903d024f84a149dac2f8a674a68dfed47a3 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Mon, 5 Jan 2015 17:03:35 +0000
Subject: [PATCH 25/55] Fix race condition issue in makefile.
Subject: [PATCH 25/71] Fix race condition issue in makefile.
---
Makefile | 4 +++-


@@ -1,7 +1,7 @@
From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 7 Jan 2015 21:55:43 +0000
Subject: [PATCH 26/55] DNSSEC: do top-down search for limit of secure
Subject: [PATCH 26/71] DNSSEC: do top-down search for limit of secure
delegation.
---


@@ -1,7 +1,7 @@
From 25cf5e373eb41c088d4ee5e625209c4cf6a5659e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 9 Jan 2015 15:53:03 +0000
Subject: [PATCH 27/55] Add --log-queries=extra option for more complete
Subject: [PATCH 27/71] Add --log-queries=extra option for more complete
logging.
---


@@ -1,7 +1,7 @@
From 28de38768e2c7d763b9aa5b7a4d251d5e56bab0b Mon Sep 17 00:00:00 2001
From: RinSatsuki <aa65535@live.com>
Date: Sat, 10 Jan 2015 15:22:21 +0000
Subject: [PATCH 28/55] Add --min-cache-ttl option.
Subject: [PATCH 28/71] Add --min-cache-ttl option.
---
CHANGELOG | 7 +++++++


@@ -1,7 +1,7 @@
From 9f79ee4ae34886c0319f06d8f162b81ef79d62fb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 20:18:18 +0000
Subject: [PATCH 29/55] Log port of requestor when doing extra logging.
Subject: [PATCH 29/71] Log port of requestor when doing extra logging.
---
src/cache.c | 6 +++---


@@ -1,7 +1,7 @@
From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:16:56 +0000
Subject: [PATCH 30/55] Don't answer from cache RRsets from wildcards, as we
Subject: [PATCH 30/71] Don't answer from cache RRsets from wildcards, as we
don't have NSECs.
---


@@ -1,7 +1,7 @@
From ae4624bf46b5e37ff1a9a2ba3c927e0dede95adb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:22:08 +0000
Subject: [PATCH 31/55] Logs for DS records consistent.
Subject: [PATCH 31/71] Logs for DS records consistent.
---
src/rfc1035.c | 2 +-


@@ -1,7 +1,7 @@
From 393415597c8b5b09558b789ab9ac238dbe3db65d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:11:10 +0000
Subject: [PATCH 32/55] Cope with multiple interfaces with the same LL address.
Subject: [PATCH 32/71] Cope with multiple interfaces with the same LL address.
---
CHANGELOG | 4 ++++


@@ -1,7 +1,7 @@
From 2ae195f5a71f7c5a75717845de1bd72fc7dd67f3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:20:48 +0000
Subject: [PATCH 33/55] Don't treat SERVFAIL as a recoverable error.....
Subject: [PATCH 33/71] Don't treat SERVFAIL as a recoverable error.....
---
src/forward.c | 2 +-


@@ -1,7 +1,7 @@
From 5f4dc5c6ca50655ab14f572c7e30815ed74cd51a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 20 Jan 2015 20:51:02 +0000
Subject: [PATCH 34/55] Add --dhcp-hostsdir config option.
Subject: [PATCH 34/71] Add --dhcp-hostsdir config option.
---
CHANGELOG | 5 +++


@@ -1,7 +1,7 @@
From fbf01f7046e75f9aa73fd4aab2a94e43386d9052 Mon Sep 17 00:00:00 2001
From: Conrad Kostecki <ck@conrad-kostecki.de>
Date: Tue, 20 Jan 2015 21:07:56 +0000
Subject: [PATCH 35/55] Update German translation.
Subject: [PATCH 35/71] Update German translation.
---
po/de.po | 101 +++++++++++++++++++++++++++++----------------------------------


@@ -1,7 +1,7 @@
From 61b838dd574c51d96fef100285a0d225824534f9 Mon Sep 17 00:00:00 2001
From: Win King Wan <pinwing+dnsmasq@gmail.com>
Date: Wed, 21 Jan 2015 20:41:48 +0000
Subject: [PATCH 36/55] Don't reply to DHCPv6 SOLICIT messages when not
Subject: [PATCH 36/71] Don't reply to DHCPv6 SOLICIT messages when not
configured for statefull DHCPv6.
---


@@ -1,7 +1,7 @@
From 0491805d2ff6e7727f0272c94fd97d9897d1e22c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 26 Jan 2015 11:23:43 +0000
Subject: [PATCH 37/55] Allow inotify to be disabled at compile time on Linux.
Subject: [PATCH 37/71] Allow inotify to be disabled at compile time on Linux.
---
CHANGELOG | 4 +++-


@@ -1,7 +1,7 @@
From 70d1873dd9e70041ed4bb88c69d5b886b7cc634c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 19:59:29 +0000
Subject: [PATCH 38/55] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
Subject: [PATCH 38/71] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
hostsdir.
---


@@ -1,7 +1,7 @@
From aff3396280e944833f0e23d834aa6acd5fe2605a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 20:13:40 +0000
Subject: [PATCH 39/55] Update copyrights for dawn of 2015.
Subject: [PATCH 39/71] Update copyrights for dawn of 2015.
---
Makefile | 2 +-


@@ -1,7 +1,7 @@
From 3d04f46334d0e345f589eda1372e638b946fe637 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 21:59:13 +0000
Subject: [PATCH 40/55] inotify documentation updates.
Subject: [PATCH 40/71] inotify documentation updates.
---
man/dnsmasq.8 | 11 +++++++++--


@@ -1,7 +1,7 @@
From 6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 22:44:26 +0000
Subject: [PATCH 41/55] Fix broken ECDSA DNSSEC signatures.
Subject: [PATCH 41/71] Fix broken ECDSA DNSSEC signatures.
---
CHANGELOG | 2 ++


@@ -1,7 +1,7 @@
From 106266761828a0acb006346ae47bf031dee46a5d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 00:15:16 +0000
Subject: [PATCH 42/55] BSD make support
Subject: [PATCH 42/71] BSD make support
---
Makefile | 6 ++++--


@@ -1,7 +1,7 @@
From 8d8a54ec79d9f96979fabbd97b1dd2ddebc7d78f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 21:48:46 +0000
Subject: [PATCH 43/55] Fix build failure on openBSD.
Subject: [PATCH 43/71] Fix build failure on openBSD.
---
src/tables.c | 2 +-


@@ -1,7 +1,7 @@
From d36b732c4cfa91ea09af64b5dc0f3a85a075e5bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <thiebaud@weksteen.fr>
Date: Mon, 2 Feb 2015 21:37:27 +0000
Subject: [PATCH 44/55] Manpage typo fix.
Subject: [PATCH 44/71] Manpage typo fix.
---
man/dnsmasq.8 | 2 +-


@@ -1,7 +1,7 @@
From 2941d3ac898cf84b544e47c9735c5e4111711db1 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Feb 2015 22:36:42 +0000
Subject: [PATCH 45/55] Fixup dhcp-configs after reading extra hostfiles with
Subject: [PATCH 45/71] Fixup dhcp-configs after reading extra hostfiles with
inotify.
---


@@ -1,7 +1,7 @@
From f9c863708c6b0aea31ff7a466647685dc739de50 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 3 Feb 2015 21:52:48 +0000
Subject: [PATCH 46/55] Extra logging for inotify code.
Subject: [PATCH 46/71] Extra logging for inotify code.
---
src/cache.c | 9 ++++-----


@@ -1,7 +1,7 @@
From efb8b5566aafc1f3ce18514a2df93af5a2e4998c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Feb 2015 22:36:34 +0000
Subject: [PATCH 47/55] man page typo.
Subject: [PATCH 47/71] man page typo.
---
man/dnsmasq.8 | 1 +


@@ -1,7 +1,7 @@
From f4f400776b3c1aa303d1a0fcd500f0ab5bc970f2 Mon Sep 17 00:00:00 2001
From: Shantanu Gadgil <shantanugadgil@yahoo.com>
Date: Wed, 11 Feb 2015 20:16:59 +0000
Subject: [PATCH 48/55] Fix get-version script which returned wrong tag in some
Subject: [PATCH 48/71] Fix get-version script which returned wrong tag in some
situations.
---


@@ -1,7 +1,7 @@
From 8ff70de618eb7de9147dbfbd4deca4a2dd62f0cb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:02:37 +0000
Subject: [PATCH 49/55] Typos.
Subject: [PATCH 49/71] Typos.
---
src/inotify.c | 3 ++-


@@ -1,7 +1,7 @@
From caeea190f12efd20139f694aac4942d1ac00019f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:08:56 +0000
Subject: [PATCH 50/55] Make dynamic hosts files work when --no-hosts set.
Subject: [PATCH 50/71] Make dynamic hosts files work when --no-hosts set.
---
src/cache.c | 21 +++++++++++----------


@@ -1,7 +1,7 @@
From 28b879ac47b872af6e8c5e86d76806c69338434d Mon Sep 17 00:00:00 2001
From: Chen Wei <weichen302@icloud.com>
Date: Tue, 17 Feb 2015 22:07:35 +0000
Subject: [PATCH 51/55] Fix trivial memory leaks to quieten valgrind.
Subject: [PATCH 51/71] Fix trivial memory leaks to quieten valgrind.
---
src/dnsmasq.c | 2 ++


@@ -1,7 +1,7 @@
From 0705a7e2d57654b27c7e14f35ca77241c1821f4d Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 23 Feb 2015 21:26:26 +0000
Subject: [PATCH 52/55] Fix uninitialized value used in get_client_mac()
Subject: [PATCH 52/71] Fix uninitialized value used in get_client_mac()
---
src/dhcp6.c | 4 +++-


@@ -1,15 +1,13 @@
From 47b9ac59c715827252ae6e6732903c3dabb697fb Mon Sep 17 00:00:00 2001
From: Joachim Zobel <jz-2014@heute-morgen.de>
Date: Mon, 23 Feb 2015 21:38:11 +0000
Subject: [PATCH 53/55] Log parsing utils in contrib/reverse-dns
Subject: [PATCH 53/71] Log parsing utils in contrib/reverse-dns
---
contrib/reverse-dns/README | 18 ++++++++++++++++++
contrib/reverse-dns/reverse_dns.sh | 29 +++++++++++++++++++++++++++++
contrib/reverse-dns/reverse_replace.sh | 28 ++++++++++++++++++++++++++++
3 files changed, 75 insertions(+)
2 files changed, 46 insertions(+)
create mode 100644 contrib/reverse-dns/README
create mode 100644 contrib/reverse-dns/reverse_dns.sh
create mode 100644 contrib/reverse-dns/reverse_replace.sh
diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README
@@ -36,41 +34,6 @@ index 000000000000..f87eb77c4c22
+Joachim
+
+
diff --git a/contrib/reverse-dns/reverse_dns.sh b/contrib/reverse-dns/reverse_dns.sh
new file mode 100644
index 000000000000..c0fff300a947
--- /dev/null
+++ b/contrib/reverse-dns/reverse_dns.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# $Id: reverse_dns.sh 4 2015-02-17 20:14:59Z jo $
+#
+# Usage: reverse_dns.sh IP
+# Uses the dnsmasq query log to lookup the name
+# that was last queried to return the given IP.
+#
+
+IP=$1
+qmIP=`echo $IP | sed 's#\.#\\.#g'`
+LOG=/var/log/dnsmasq.log
+
+IP_regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
+
+if ! [[ $IP =~ $IP_regex ]]; then
+ echo -n $IP
+ exit
+fi
+
+NAME=`tac $LOG | \
+ grep " is $IP" | head -1 | \
+ sed "s#.* \([^ ]*\) is $qmIP.*#\1#" `
+
+if [ -z "$NAME" ]; then
+ echo -n $IP
+else
+ echo -n $NAME
+fi
+
diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh
new file mode 100644
index 000000000000..a11c164b7f19


@@ -1,7 +1,7 @@
From f6e62e2af96f5fa0d1e3d93167a93a8f09bf6e61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Mar 2015 18:17:54 +0000
Subject: [PATCH 54/55] Add --dnssec-timestamp option and facility.
Subject: [PATCH 54/71] Add --dnssec-timestamp option and facility.
---
CHANGELOG | 6 +++++


@@ -1,7 +1,7 @@
From 9003b50b13da624ca45f3e0cf99abb623b8d026b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Mar 2015 22:47:23 +0000
Subject: [PATCH 55/55] Fix last commit to not crash if uid changing not
Subject: [PATCH 55/71] Fix last commit to not crash if uid changing not
configured.
---


@@ -1,7 +1,7 @@
From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 4 Mar 2015 20:32:26 +0000
Subject: [PATCH 56/57] New version of contrib/reverse-dns
Subject: [PATCH 56/71] New version of contrib/reverse-dns
---
contrib/reverse-dns/README | 22 +++---


@@ -1,7 +1,7 @@
From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Mar 2015 18:28:06 +0000
Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later,
Subject: [PATCH 57/71] Tweak DNSSEC timestamp code to create file later,
removing need to chown it.
---


@@ -0,0 +1,458 @@
From ff841ebf5a5d6864ff48571f607c32ce80dbb75a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 11 Mar 2015 21:36:30 +0000
Subject: [PATCH 58/71] Fix boilerplate code for re-running system calls on
EINTR and EAGAIN etc.
The nasty code with static variable in retry_send() which
avoids looping forever needs to be called on success of the syscall,
to reset the static variable.
---
src/bpf.c | 2 +-
src/dhcp.c | 2 +-
src/dhcp6.c | 6 +++---
src/dnsmasq.c | 35 +++++++++++++++++----------------
src/dnsmasq.h | 2 +-
src/forward.c | 41 ++++++++++++++++++--------------------
src/ipset.c | 8 ++++----
src/loop.c | 5 +++--
src/netlink.c | 8 ++++----
src/radv.c | 5 +++--
src/util.c | 63 ++++++++++++++++++++++++++++++++++-------------------------
11 files changed, 93 insertions(+), 84 deletions(-)
diff --git a/src/bpf.c b/src/bpf.c
index 997d87421bed..a066641f969f 100644
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -359,7 +359,7 @@ void send_via_bpf(struct dhcp_packet *mess, size_t len,
iov[3].iov_base = mess;
iov[3].iov_len = len;
- while (writev(daemon->dhcp_raw_fd, iov, 4) == -1 && retry_send());
+ while (retry_send(writev(daemon->dhcp_raw_fd, iov, 4)));
}
#endif /* defined(HAVE_BSD_NETWORK) && defined(HAVE_DHCP) */
diff --git a/src/dhcp.c b/src/dhcp.c
index f29be9b489a7..5c3089ab94ff 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -443,7 +443,7 @@ void dhcp_packet(time_t now, int pxe_fd)
setsockopt(fd, IPPROTO_IP, IP_BOUND_IF, &iface_index, sizeof(iface_index));
#endif
- while(sendmsg(fd, &msg, 0) == -1 && retry_send());
+ while(retry_send(sendmsg(fd, &msg, 0)));
}
/* check against secondary interface addresses */
diff --git a/src/dhcp6.c b/src/dhcp6.c
index c7144f5fee7c..ee2aa5d3bf3c 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -225,9 +225,9 @@ void dhcp6_packet(time_t now)
if (port != 0)
{
from.sin6_port = htons(port);
- while (sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, save_counter(0),
- 0, (struct sockaddr *)&from, sizeof(from)) == -1 &&
- retry_send());
+ while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base,
+ save_counter(0), 0, (struct sockaddr *)&from,
+ sizeof(from))));
}
}
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index f3e5bcffec4f..b784951950d4 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -444,7 +444,7 @@ int main (int argc, char **argv)
char *msg;
/* close our copy of write-end */
- close(err_pipe[1]);
+ while (retry_send(close(err_pipe[1])));
/* check for errors after the fork */
if (read_event(err_pipe[0], &ev, &msg))
@@ -453,7 +453,7 @@ int main (int argc, char **argv)
_exit(EC_GOOD);
}
- close(err_pipe[0]);
+ while (retry_send(close(err_pipe[0])));
/* NO calls to die() from here on. */
@@ -505,10 +505,12 @@ int main (int argc, char **argv)
{
if (!read_write(fd, (unsigned char *)daemon->namebuff, strlen(daemon->namebuff), 0))
err = 1;
-
- while (!err && close(fd) == -1)
- if (!retry_send())
- err = 1;
+ else
+ {
+ while (retry_send(close(fd)));
+ if (errno != 0)
+ err = 1;
+ }
}
if (err)
@@ -813,7 +815,7 @@ int main (int argc, char **argv)
/* finished start-up - release original process */
if (err_pipe[1] != -1)
- close(err_pipe[1]);
+ while (retry_send(close(err_pipe[1])));
if (daemon->port != 0)
check_servers();
@@ -1319,7 +1321,7 @@ static void async_event(int pipe, time_t now)
do {
helper_write();
} while (!helper_buf_empty() || do_script_run(now));
- close(daemon->helperfd);
+ while (retry_send(close(daemon->helperfd)));
}
#endif
@@ -1544,7 +1546,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
if (getsockname(confd, (struct sockaddr *)&tcp_addr, &tcp_len) == -1)
{
- close(confd);
+ while (retry_send(close(confd)));
continue;
}
@@ -1609,7 +1611,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
if (!client_ok)
{
shutdown(confd, SHUT_RDWR);
- close(confd);
+ while (retry_send(close(confd)));
}
#ifndef NO_FORK
else if (!option_bool(OPT_DEBUG) && (p = fork()) != 0)
@@ -1624,7 +1626,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
break;
}
}
- close(confd);
+ while (retry_send(close(confd)));
/* The child can use up to TCP_MAX_QUERIES ids, so skip that many. */
daemon->log_id += TCP_MAX_QUERIES;
@@ -1669,7 +1671,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
buff = tcp_request(confd, now, &tcp_addr, netmask, auth_dns);
shutdown(confd, SHUT_RDWR);
- close(confd);
+ while (retry_send(close(confd)));
if (buff)
free(buff);
@@ -1678,7 +1680,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
if (s->tcpfd != -1)
{
shutdown(s->tcpfd, SHUT_RDWR);
- close(s->tcpfd);
+ while (retry_send(close(s->tcpfd)));
}
#ifndef NO_FORK
if (!option_bool(OPT_DEBUG))
@@ -1756,9 +1758,8 @@ int icmp_ping(struct in_addr addr)
j = (j & 0xffff) + (j >> 16);
packet.icmp.icmp_cksum = (j == 0xffff) ? j : ~j;
- while (sendto(fd, (char *)&packet.icmp, sizeof(struct icmp), 0,
- (struct sockaddr *)&saddr, sizeof(saddr)) == -1 &&
- retry_send());
+ while (retry_send(sendto(fd, (char *)&packet.icmp, sizeof(struct icmp), 0,
+ (struct sockaddr *)&saddr, sizeof(saddr))));
for (now = start = dnsmasq_time();
difftime(now, start) < (float)PING_WAIT;)
@@ -1820,7 +1821,7 @@ int icmp_ping(struct in_addr addr)
}
#if defined(HAVE_LINUX_NETWORK) || defined(HAVE_SOLARIS_NETWORK)
- close(fd);
+ while (retry_send(close(fd)));
#else
opt = 1;
setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt));
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index fc7259881358..de95d0e875e3 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1177,7 +1177,7 @@ int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen);
u64 addr6part(struct in6_addr *addr);
void setaddr6part(struct in6_addr *addr, u64 host);
#endif
-int retry_send(void);
+int retry_send(ssize_t rc);
void prettyprint_time(char *buf, unsigned int t);
int prettyprint_addr(union mysockaddr *addr, char *buf);
int parse_hex(char *in, unsigned char *out, int maxlen,
diff --git a/src/forward.c b/src/forward.c
index 438e9fa490b8..7c0fa8da3fdf 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -103,15 +103,11 @@ int send_from(int fd, int nowild, char *packet, size_t len,
#endif
}
- while (sendmsg(fd, &msg, 0) == -1)
+ while (retry_send(sendmsg(fd, &msg, 0)));
+
+ /* If interface is still in DAD, EINVAL results - ignore that. */
+ if (errno != 0 && errno != EINVAL)
{
- if (retry_send())
- continue;
-
- /* If interface is still in DAD, EINVAL results - ignore that. */
- if (errno == EINVAL)
- break;
-
my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
return 0;
}
@@ -297,9 +293,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
fd = forward->rfd4->fd;
}
- while (sendto(fd, (char *)header, plen, 0,
- &forward->sentto->addr.sa,
- sa_len(&forward->sentto->addr)) == -1 && retry_send());
+ while (retry_send( sendto(fd, (char *)header, plen, 0,
+ &forward->sentto->addr.sa,
+ sa_len(&forward->sentto->addr))));
return 1;
}
@@ -469,14 +465,12 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
#endif
}
- if (sendto(fd, (char *)header, plen, 0,
- &start->addr.sa,
- sa_len(&start->addr)) == -1)
- {
- if (retry_send())
- continue;
- }
- else
+ if (retry_send(sendto(fd, (char *)header, plen, 0,
+ &start->addr.sa,
+ sa_len(&start->addr))))
+ continue;
+
+ if (errno == 0)
{
/* Keep info in case we want to re-send this packet */
daemon->srv_save = start;
@@ -932,7 +926,9 @@ void reply_query(int fd, int family, time_t now)
if (fd != -1)
{
- while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
+ while (retry_send(sendto(fd, (char *)header, nn, 0,
+ &server->addr.sa,
+ sa_len(&server->addr))));
server->queries++;
}
@@ -2228,8 +2224,9 @@ void resend_query()
else
return;
- while(sendto(fd, daemon->packet, daemon->packet_len, 0,
- &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());
+ while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+ &daemon->srv_save->addr.sa,
+ sa_len(&daemon->srv_save->addr))));
}
}
diff --git a/src/ipset.c b/src/ipset.c
index 8c5b72722371..a315e86bc7f4 100644
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -121,7 +121,6 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
struct my_nlattr *nested[2];
uint8_t proto;
int addrsz = INADDRSZ;
- ssize_t rc;
#ifdef HAVE_IPV6
if (af == AF_INET6)
@@ -162,9 +161,10 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
- while ((rc = sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
- (struct sockaddr *)&snl, sizeof(snl))) == -1 && retry_send());
- return rc;
+ while (retry_send(sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
+ (struct sockaddr *)&snl, sizeof(snl))));
+
+ return errno == 0 ? 0 : -1;
}
diff --git a/src/loop.c b/src/loop.c
index 565f7d8e58e0..c9ed075670de 100644
--- a/src/loop.c
+++ b/src/loop.c
@@ -45,8 +45,9 @@ void loop_send_probes()
fd = rfd->fd;
}
- while (sendto(fd, daemon->packet, len, 0, &serv->addr.sa, sa_len(&serv->addr)) == -1 && retry_send());
-
+ while (retry_send(sendto(fd, daemon->packet, len, 0,
+ &serv->addr.sa, sa_len(&serv->addr))));
+
free_rfd(rfd);
}
}
diff --git a/src/netlink.c b/src/netlink.c
index 10f94db25a14..753784dc20b4 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -169,10 +169,10 @@ int iface_enumerate(int family, void *parm, int (*callback)())
req.g.rtgen_family = family;
/* Don't block in recvfrom if send fails */
- while((len = sendto(daemon->netlinkfd, (void *)&req, sizeof(req), 0,
- (struct sockaddr *)&addr, sizeof(addr))) == -1 && retry_send());
-
- if (len == -1)
+ while(retry_send(sendto(daemon->netlinkfd, (void *)&req, sizeof(req), 0,
+ (struct sockaddr *)&addr, sizeof(addr))));
+
+ if (errno != 0)
return 0;
while (1)
diff --git a/src/radv.c b/src/radv.c
index 6da125b864ae..d0faddf8684a 100644
--- a/src/radv.c
+++ b/src/radv.c
@@ -479,8 +479,9 @@ static void send_ra(time_t now, int iface, char *iface_name, struct in6_addr *de
setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_MULTICAST_IF, &iface, sizeof(iface));
}
- while (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0,
- (struct sockaddr *)&addr, sizeof(addr)) == -1 && retry_send());
+ while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base,
+ save_counter(0), 0, (struct sockaddr *)&addr,
+ sizeof(addr))));
}
diff --git a/src/util.c b/src/util.c
index 91d02410b13f..648bc4d4b428 100644
--- a/src/util.c
+++ b/src/util.c
@@ -569,17 +569,27 @@ void bump_maxfd(int fd, int *max)
*max = fd;
}
-int retry_send(void)
+/* rc is return from sendto and friends.
+ Return 1 if we should retry.
+ Set errno to zero if we succeeded. */
+int retry_send(ssize_t rc)
{
+ static int retries = 0;
+ struct timespec waiter;
+
+ if (rc != -1)
+ {
+ retries = 0;
+ errno = 0;
+ return 0;
+ }
+
/* Linux kernels can return EAGAIN in perpetuity when calling
sendmsg() and the relevant interface has gone. Here we loop
retrying in EAGAIN for 1 second max, to avoid this hanging
dnsmasq. */
- static int retries = 0;
- struct timespec waiter;
-
- if (errno == EAGAIN || errno == EWOULDBLOCK)
+ if (errno == EAGAIN || errno == EWOULDBLOCK)
{
waiter.tv_sec = 0;
waiter.tv_nsec = 10000;
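Review bot: The new header comment says retry_send() sets errno to zero on success, and the callers rewritten in this series (forward.c, ipset.c, netlink.c above) now decide success by testing `errno == 0` after the send loop; any library call that later slips between the loop and that test would silently flip the result, so the comment should state the contract explicitly, e.g. `Callers must examine errno immediately after the loop; any intervening call may clobber it.`. Separately, the retained comment claims the EAGAIN loop retries "for 1 second max", but `waiter.tv_nsec = 10000` combined with the `retries++ < 1000` cap in the next hunk sleeps roughly 10 ms in total (plus scheduler overhead), so either the constant or the comment is wrong — pre-existing, but worth settling while the function is being rewritten. The tail of retry_send is in the following hunk.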
@@ -587,13 +597,13 @@ int retry_send(void)
if (retries++ < 1000)
return 1;
}
-
- retries = 0;
-
- if (errno == EINTR)
- return 1;
-
- return 0;
+
+ retries = 0;
+
+ if (errno == EINTR)
+ return 1;
+
+ return 0;
}
int read_write(int fd, unsigned char *packet, int size, int rw)
@@ -602,22 +612,21 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
for (done = 0; done < size; done += n)
{
- retry:
- if (rw)
- n = read(fd, &packet[done], (size_t)(size - done));
- else
- n = write(fd, &packet[done], (size_t)(size - done));
-
- if (n == 0)
- return 0;
- else if (n == -1)
- {
- if (retry_send() || errno == ENOMEM || errno == ENOBUFS)
- goto retry;
- else
- return 0;
- }
+ do {
+ if (rw)
+ n = read(fd, &packet[done], (size_t)(size - done));
+ else
+ n = write(fd, &packet[done], (size_t)(size - done));
+
+ if (n == 0)
+ return 0;
+
+ } while (retry_send(n) || errno == ENOMEM || errno == ENOBUFS);
+
+ if (errno != 0)
+ return 0;
}
+
return 1;
}
--
2.1.0


@@ -0,0 +1,75 @@
From 979fe86bc8693f660eddea232ae39cbbb50b294c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 19 Mar 2015 22:50:22 +0000
Subject: [PATCH 59/71] Make --address=/example.com/ equivalent to
--server=/example.com/
---
man/dnsmasq.8 | 7 +++++--
src/network.c | 4 ++--
src/option.c | 2 --
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2db780d90987..1f1dd7b69c53 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -460,7 +460,7 @@ but provides some syntactic sugar to make specifying address-to-name queries eas
is exactly equivalent to
.B --server=/3.2.1.in-addr.arpa/192.168.0.1
.TP
-.B \-A, --address=/<domain>/[domain/]<ipaddr>
+.B \-A, --address=/<domain>/[domain/][<ipaddr>]
Specify an IP address to return for any host in the given domains.
Queries in the domains are never forwarded and always replied to
with the specified IP address which may be IPv4 or IPv6. To give
@@ -472,7 +472,10 @@ domain specification works in the same was as for --server, with the
additional facility that /#/ matches any domain. Thus
--address=/#/1.2.3.4 will always return 1.2.3.4 for any query not
answered from /etc/hosts or DHCP and not sent to an upstream
-nameserver by a more specific --server directive.
+nameserver by a more specific --server directive. As for --server,
+one or more domains with no address returns a no-such-domain answer, so
+--address=/example.com/ is equivalent to --server=/example.com/ and returns
+NXDOMAIN for example.com and all its subdomains.
.TP
.B --ipset=/<domain>/[domain/]<ipset>[,<ipset>]
Places the resolved IP addresses of queries for the specified domains
diff --git a/src/network.c b/src/network.c
index 7045253d467b..992f023c31de 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1459,7 +1459,7 @@ void check_servers(void)
}
}
- if (!(serv->flags & SERV_NO_REBIND))
+ if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
{
if (serv->flags & (SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_USE_RESOLV))
{
@@ -1475,7 +1475,7 @@ void check_servers(void)
my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
else if (serv->flags & SERV_USE_RESOLV)
my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
- else if (!(serv->flags & SERV_LITERAL_ADDRESS))
+ else
my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
}
#ifdef HAVE_LOOP
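Review bot: The added `&& !(serv->flags & SERV_LITERAL_ADDRESS)` on the outer condition removes every --address entry from this whole logging block, including the "using local addresses only" message, so a `--address=/example.com/` entry that now carries SERV_NO_ADDR (see the option.c hunk below) is never reported at startup even though the man page change documents it as equivalent to `--server=/example.com/`, which presumably still is. If that asymmetry is intended, a one-line comment on the condition saying where literal-address entries are reported (or that they deliberately are not) would stop the next reader from "fixing" it. check_servers continues outside this hunk.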
diff --git a/src/option.c b/src/option.c
index eace40bb566c..3009eb545fde 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2284,8 +2284,6 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
{
if (!(newlist->flags & SERV_NO_REBIND))
newlist->flags |= SERV_NO_ADDR; /* no server */
- if (newlist->flags & SERV_LITERAL_ADDRESS)
- ret_err(gen_err);
}
else if (strcmp(arg, "#") == 0)
--
2.1.0


@@ -0,0 +1,80 @@
From 65c721200023ef0023114459a8d12f8b0a24cfd8 Mon Sep 17 00:00:00 2001
From: Lung-Pin Chang <changlp@cs.nctu.edu.tw>
Date: Thu, 19 Mar 2015 23:22:21 +0000
Subject: [PATCH 60/71] dhcp: set outbound interface via cmsg in unicast reply
If multiple routes to the same network exist, Linux blindly picks
the first interface (route) based on destination address, which might not be
the one we're actually offering leases. Rather than relying on this,
always set the interface for outgoing unicast DHCP packets.
---
src/dhcp.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/dhcp.c b/src/dhcp.c
index 5c3089ab94ff..f1f43f8d8f90 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -376,10 +376,9 @@ void dhcp_packet(time_t now, int pxe_fd)
}
}
#if defined(HAVE_LINUX_NETWORK)
- else if ((ntohs(mess->flags) & 0x8000) || mess->hlen == 0 ||
- mess->hlen > sizeof(ifr.ifr_addr.sa_data) || mess->htype == 0)
+ else
{
- /* broadcast to 255.255.255.255 (or mac address invalid) */
+ /* fill cmsg for outbound interface (both broadcast & unicast) */
struct in_pktinfo *pkt;
msg.msg_control = control_u.control;
msg.msg_controllen = sizeof(control_u);
@@ -389,23 +388,29 @@ void dhcp_packet(time_t now, int pxe_fd)
pkt->ipi_spec_dst.s_addr = 0;
msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
cmptr->cmsg_level = IPPROTO_IP;
- cmptr->cmsg_type = IP_PKTINFO;
- dest.sin_addr.s_addr = INADDR_BROADCAST;
- dest.sin_port = htons(daemon->dhcp_client_port);
- }
- else
- {
- /* unicast to unconfigured client. Inject mac address direct into ARP cache.
- struct sockaddr limits size to 14 bytes. */
- dest.sin_addr = mess->yiaddr;
- dest.sin_port = htons(daemon->dhcp_client_port);
- memcpy(&arp_req.arp_pa, &dest, sizeof(struct sockaddr_in));
- arp_req.arp_ha.sa_family = mess->htype;
- memcpy(arp_req.arp_ha.sa_data, mess->chaddr, mess->hlen);
- /* interface name already copied in */
- arp_req.arp_flags = ATF_COM;
- if (ioctl(daemon->dhcpfd, SIOCSARP, &arp_req) == -1)
- my_syslog(MS_DHCP | LOG_ERR, _("ARP-cache injection failed: %s"), strerror(errno));
+ cmptr->cmsg_type = IP_PKTINFO;
+
+ if ((ntohs(mess->flags) & 0x8000) || mess->hlen == 0 ||
+ mess->hlen > sizeof(ifr.ifr_addr.sa_data) || mess->htype == 0)
+ {
+ /* broadcast to 255.255.255.255 (or mac address invalid) */
+ dest.sin_addr.s_addr = INADDR_BROADCAST;
+ dest.sin_port = htons(daemon->dhcp_client_port);
+ }
+ else
+ {
+ /* unicast to unconfigured client. Inject mac address direct into ARP cache.
+ struct sockaddr limits size to 14 bytes. */
+ dest.sin_addr = mess->yiaddr;
+ dest.sin_port = htons(daemon->dhcp_client_port);
+ memcpy(&arp_req.arp_pa, &dest, sizeof(struct sockaddr_in));
+ arp_req.arp_ha.sa_family = mess->htype;
+ memcpy(arp_req.arp_ha.sa_data, mess->chaddr, mess->hlen);
+ /* interface name already copied in */
+ arp_req.arp_flags = ATF_COM;
+ if (ioctl(daemon->dhcpfd, SIOCSARP, &arp_req) == -1)
+ my_syslog(MS_DHCP | LOG_ERR, _("ARP-cache injection failed: %s"), strerror(errno));
+ }
}
#elif defined(HAVE_SOLARIS_NETWORK)
else if ((ntohs(mess->flags) & 0x8000) || mess->hlen != ETHER_ADDR_LEN || mess->htype != ARPHRD_ETHER)
--
2.1.0


@@ -0,0 +1,27 @@
From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 26 Mar 2015 21:15:43 +0000
Subject: [PATCH 61/71] Don't fail DNSSEC when a signed CNAME dangles into an
unsigned zone.
---
src/dnssec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index ad0d6f072ba2..db5c768bd751 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */
/* First marshall the NSEC records, if we've not done it previously */
if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass)))
- return STAT_BOGUS; /* No NSECs */
+ return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
+ an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
/* Get name of missing answer */
if (!extract_name(header, plen, &qname, name, 1, 0))
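Review bot: Downgrading a negative answer with no NSEC/NSEC3 records from STAT_BOGUS to STAT_NO_SIG makes the safety of this path depend entirely on what the STAT_NO_SIG handler does next: a reply from a signed zone whose NSEC records were stripped in transit now yields NO_SIG rather than BOGUS, which is only acceptable if the caller then proves through the DS chain that the name really lies in an unsigned zone before accepting the answer as insecure. The new comment should state that invariant instead of "cause this to be proved", e.g. `/* No NSECs: only safe because the NO_SIG path must prove there is no DS for this name; a signed zone lacking NSECs must still end up BOGUS. */`. The NO_SIG handling and the rest of dnssec_validate_reply are outside this hunk.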
--
2.1.0


@@ -0,0 +1,48 @@
From 150162bc37170a6edae9d488435e836b1e4e3a4e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 09:58:26 +0000
Subject: [PATCH 62/71] Return SERVFAIL when validation abandoned.
---
src/forward.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index 7c0fa8da3fdf..985814c3aec5 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -663,6 +663,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
+ header->hb3 &= ~HB3_TC;
}
/* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
@@ -991,7 +992,10 @@ void reply_query(int fd, int family, time_t now)
char *result;
if (forward->work_counter == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
@@ -1938,7 +1942,10 @@ unsigned char *tcp_request(int confd, time_t now,
char *result;
if (keycount == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
--
2.1.0


@@ -0,0 +1,37 @@
From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 11:44:55 +0000
Subject: [PATCH 63/71] Protect against broken DNSSEC upstreams.
---
src/dnssec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index db5c768bd751..14bae7e9bf75 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1177,7 +1177,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
STAT_NO_DS It's proved there's no DS here.
STAT_NO_NS It's proved there's no DS _or_ NS here.
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
- STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
+ STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname
*/
int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
@@ -1208,7 +1208,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
val = STAT_BOGUS;
- if (val == STAT_BOGUS)
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
+ from the DS's zone, and not the parent zone. */
+ if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname)))
{
log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
return STAT_BOGUS;
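Review bot: The new comment has a typo — "This can happen of the DS answer comes" should read "This can happen if the DS answer comes" — and it would help to say why failing closed is right: a DS whose only validating key lives in its own zone cannot be chained to the parent, so returning STAT_BOGUS instead of looping is the intended, safe outcome, e.g. `/* Key lives in the DS's own zone: unchainable to the parent, so fail closed rather than loop. */`. hostname_isequal is presumably a case-insensitive name compare; its definition is not visible here.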
--
2.1.0


@@ -0,0 +1,197 @@
From 1e153945def3c50d1e59ceea6a768db0ac770f98 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 28 Mar 2015 21:34:07 +0000
Subject: [PATCH 64/71] DNSSEC fix for non-ascii characters in labels.
---
src/dnssec.c | 34 +++++++++++++++++-----------------
src/rfc1035.c | 5 +++--
2 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 14bae7e9bf75..8bd5294ce773 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -552,7 +552,7 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end,
(*desc)++;
- if (d == 0 && extract_name(header, plen, p, buff, 1, 0))
+ if (d == 0 && extract_name(header, plen, p, buff, 2, 0))
/* domain-name, canonicalise */
return to_wire(buff);
else
@@ -811,7 +811,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
GETLONG(sig_inception, p);
GETSHORT(key_tag, p);
- if (!extract_name(header, plen, &p, keyname, 1, 0))
+ if (!extract_name(header, plen, &p, keyname, 2, 0))
return STAT_BOGUS;
/* RFC 4035 5.3.1 says that the Signer's Name field MUST equal
@@ -866,7 +866,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
u16 len, *dp;
p = rrset[i];
- if (!extract_name(header, plen, &p, name, 1, 10))
+ if (!extract_name(header, plen, &p, name, 2, 10))
return STAT_BOGUS;
name_start = name;
@@ -923,7 +923,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
/* namebuff used for workspace above, restore to leave unchanged on exit */
p = (unsigned char*)(rrset[0]);
- extract_name(header, plen, &p, name, 1, 0);
+ extract_name(header, plen, &p, name, 2, 0);
if (key)
{
@@ -963,7 +963,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
struct all_addr a;
if (ntohs(header->qdcount) != 1 ||
- !extract_name(header, plen, &p, name, 1, 4))
+ !extract_name(header, plen, &p, name, 2, 4))
return STAT_BOGUS;
GETSHORT(qtype, p);
@@ -1202,7 +1202,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
val = STAT_BOGUS;
p = (unsigned char *)(header+1);
- extract_name(header, plen, &p, name, 1, 4);
+ extract_name(header, plen, &p, name, 2, 4);
p += 4; /* qtype, qclass */
if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
@@ -1419,12 +1419,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
for (i = 0; i < nsec_count; i++)
{
p = nsecs[i];
- if (!extract_name(header, plen, &p, workspace1, 1, 10))
+ if (!extract_name(header, plen, &p, workspace1, 2, 10))
return STAT_BOGUS;
p += 8; /* class, type, TTL */
GETSHORT(rdlen, p);
psave = p;
- if (!extract_name(header, plen, &p, workspace2, 1, 10))
+ if (!extract_name(header, plen, &p, workspace2, 2, 10))
return STAT_BOGUS;
rc = hostname_cmp(workspace1, name);
@@ -1553,7 +1553,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
+ if (!extract_name(header, plen, &p, workspace1, 2, 0) ||
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
return 0;
@@ -1730,7 +1730,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
+ if (!extract_name(header, plen, &p, workspace1, 2, 0) ||
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
return STAT_BOGUS;
@@ -1796,7 +1796,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
qname = p1 = (unsigned char *)(header+1);
- if (!extract_name(header, plen, &p1, name, 1, 4))
+ if (!extract_name(header, plen, &p1, name, 2, 4))
return STAT_BOGUS;
GETSHORT(qtype, p1);
@@ -1836,7 +1836,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
qname = p1;
/* looped CNAMES */
- if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0))
+ if (!cname_count-- || !extract_name(header, plen, &p1, name, 2, 0))
return STAT_BOGUS;
p1 = ans_start;
@@ -1857,7 +1857,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
{
- if (!extract_name(header, plen, &p1, name, 1, 10))
+ if (!extract_name(header, plen, &p1, name, 2, 10))
return STAT_BOGUS; /* bad packet */
GETSHORT(type1, p1);
@@ -2039,7 +2039,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
/* Get name of missing answer */
- if (!extract_name(header, plen, &qname, name, 1, 0))
+ if (!extract_name(header, plen, &qname, name, 2, 0))
return STAT_BOGUS;
if (nsec_type == T_NSEC)
@@ -2061,7 +2061,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
int cname_count = CNAME_CHAIN;
/* Get question */
- if (!extract_name(header, plen, &p, name, 1, 4))
+ if (!extract_name(header, plen, &p, name, 2, 4))
return STAT_BOGUS;
p +=2; /* type */
@@ -2102,7 +2102,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
/* Loop down CNAME chain/ */
if (!cname_count-- ||
- !extract_name(header, plen, &p, name, 1, 0) ||
+ !extract_name(header, plen, &p, name, 2, 0) ||
!(p = skip_questions(header, plen)))
return STAT_BOGUS;
@@ -2419,7 +2419,7 @@ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name
for (q = ntohs(header->qdcount); q != 0; q--)
{
- if (!extract_name(header, plen, &p, name, 1, 4))
+ if (!extract_name(header, plen, &p, name, 2, 4))
break; /* bad packet */
len = to_wire(name);
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5ef5ddb7485e..10832a3d5d2e 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -16,6 +16,7 @@
#include "dnsmasq.h"
+/* isExtract == 2 -> DNSSEC mode, no bitstrings, no ascii checks. */
int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
char *name, int isExtract, int extrabytes)
{
@@ -86,7 +87,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if ((l & 0x3f) != 1)
return 0; /* we only understand bitstrings */
- if (!isExtract)
+ if (isExtract != 1)
return 0; /* Cannot compare bitsrings */
count = *p++;
@@ -128,7 +129,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if (isExtract)
{
unsigned char c = *p;
- if (isascii(c) && !iscntrl(c) && c != '.')
+ if ((isExtract == 2 || (isascii(c) && !iscntrl(c))) && c != '.')
*cp++ = *p;
else
return 0;
--
2.1.0


@@ -0,0 +1,246 @@
From 394ff492da6af5da7e7d356be9586683bc5fc011 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:17:14 +0100
Subject: [PATCH 65/71] Allow control characters in names in the cache, handle
when logging.
---
src/cache.c | 19 +++++++++++++++++--
src/dnssec.c | 34 +++++++++++++++++-----------------
src/rfc1035.c | 7 +++----
3 files changed, 37 insertions(+), 23 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index c95624c42b1c..873c5779044c 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1399,6 +1399,19 @@ int cache_make_stat(struct txt_record *t)
return 1;
}
+/* There can be names in the cache containing control chars, don't
+ mess up logging or open security holes. */
+static char *sanitise(char *name)
+{
+ unsigned char *r;
+ for (r = (unsigned char *)name; *r; r++)
+ if (!isprint((int)*r))
+ return "<name unprintable>";
+
+ return name;
+}
+
+
void dump_cache(time_t now)
{
struct server *serv, *serv1;
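Review bot: sanitise() decides printability with isprint(), which is locale-dependent; dnsmasq calls setlocale(LC_ALL, "") at startup (visible in the 0068 dnsmasq.c hunk further down), so under an 8-bit locale bytes 0x80–0xFF are reported printable and reach the syslog line unchanged, while under the C or a UTF-8 locale the same name is replaced by the placeholder — what gets logged thus depends on the environment rather than on the data. Since the stated goal is to keep untrusted cache names from corrupting log lines, an explicit ASCII range test is more predictable: `if (*r < 0x20 || *r > 0x7e)`. The returned literal is handed back through a non-const `char *`, so callers must treat the result as read-only.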
@@ -1452,9 +1465,9 @@ void dump_cache(time_t now)
*a = 0;
if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
n = "<Root>";
- p += sprintf(p, "%-30.30s ", n);
+ p += sprintf(p, "%-30.30s ", sanitise(n));
if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
- a = cache_get_cname_target(cache);
+ a = sanitise(cache_get_cname_target(cache));
#ifdef HAVE_DNSSEC
else if (cache->flags & F_DS)
{
@@ -1587,6 +1600,8 @@ void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
if (!option_bool(OPT_LOG))
return;
+ name = sanitise(name);
+
if (addr)
{
if (flags & F_KEYTAG)
diff --git a/src/dnssec.c b/src/dnssec.c
index 8bd5294ce773..14bae7e9bf75 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -552,7 +552,7 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end,
(*desc)++;
- if (d == 0 && extract_name(header, plen, p, buff, 2, 0))
+ if (d == 0 && extract_name(header, plen, p, buff, 1, 0))
/* domain-name, canonicalise */
return to_wire(buff);
else
@@ -811,7 +811,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
GETLONG(sig_inception, p);
GETSHORT(key_tag, p);
- if (!extract_name(header, plen, &p, keyname, 2, 0))
+ if (!extract_name(header, plen, &p, keyname, 1, 0))
return STAT_BOGUS;
/* RFC 4035 5.3.1 says that the Signer's Name field MUST equal
@@ -866,7 +866,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
u16 len, *dp;
p = rrset[i];
- if (!extract_name(header, plen, &p, name, 2, 10))
+ if (!extract_name(header, plen, &p, name, 1, 10))
return STAT_BOGUS;
name_start = name;
@@ -923,7 +923,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
/* namebuff used for workspace above, restore to leave unchanged on exit */
p = (unsigned char*)(rrset[0]);
- extract_name(header, plen, &p, name, 2, 0);
+ extract_name(header, plen, &p, name, 1, 0);
if (key)
{
@@ -963,7 +963,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
struct all_addr a;
if (ntohs(header->qdcount) != 1 ||
- !extract_name(header, plen, &p, name, 2, 4))
+ !extract_name(header, plen, &p, name, 1, 4))
return STAT_BOGUS;
GETSHORT(qtype, p);
@@ -1202,7 +1202,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
val = STAT_BOGUS;
p = (unsigned char *)(header+1);
- extract_name(header, plen, &p, name, 2, 4);
+ extract_name(header, plen, &p, name, 1, 4);
p += 4; /* qtype, qclass */
if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
@@ -1419,12 +1419,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
for (i = 0; i < nsec_count; i++)
{
p = nsecs[i];
- if (!extract_name(header, plen, &p, workspace1, 2, 10))
+ if (!extract_name(header, plen, &p, workspace1, 1, 10))
return STAT_BOGUS;
p += 8; /* class, type, TTL */
GETSHORT(rdlen, p);
psave = p;
- if (!extract_name(header, plen, &p, workspace2, 2, 10))
+ if (!extract_name(header, plen, &p, workspace2, 1, 10))
return STAT_BOGUS;
rc = hostname_cmp(workspace1, name);
@@ -1553,7 +1553,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 2, 0) ||
+ if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
return 0;
@@ -1730,7 +1730,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 2, 0) ||
+ if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
return STAT_BOGUS;
@@ -1796,7 +1796,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
qname = p1 = (unsigned char *)(header+1);
- if (!extract_name(header, plen, &p1, name, 2, 4))
+ if (!extract_name(header, plen, &p1, name, 1, 4))
return STAT_BOGUS;
GETSHORT(qtype, p1);
@@ -1836,7 +1836,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
qname = p1;
/* looped CNAMES */
- if (!cname_count-- || !extract_name(header, plen, &p1, name, 2, 0))
+ if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0))
return STAT_BOGUS;
p1 = ans_start;
@@ -1857,7 +1857,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
{
- if (!extract_name(header, plen, &p1, name, 2, 10))
+ if (!extract_name(header, plen, &p1, name, 1, 10))
return STAT_BOGUS; /* bad packet */
GETSHORT(type1, p1);
@@ -2039,7 +2039,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
/* Get name of missing answer */
- if (!extract_name(header, plen, &qname, name, 2, 0))
+ if (!extract_name(header, plen, &qname, name, 1, 0))
return STAT_BOGUS;
if (nsec_type == T_NSEC)
@@ -2061,7 +2061,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
int cname_count = CNAME_CHAIN;
/* Get question */
- if (!extract_name(header, plen, &p, name, 2, 4))
+ if (!extract_name(header, plen, &p, name, 1, 4))
return STAT_BOGUS;
p +=2; /* type */
@@ -2102,7 +2102,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
/* Loop down CNAME chain/ */
if (!cname_count-- ||
- !extract_name(header, plen, &p, name, 2, 0) ||
+ !extract_name(header, plen, &p, name, 1, 0) ||
!(p = skip_questions(header, plen)))
return STAT_BOGUS;
@@ -2419,7 +2419,7 @@ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name
for (q = ntohs(header->qdcount); q != 0; q--)
{
- if (!extract_name(header, plen, &p, name, 2, 4))
+ if (!extract_name(header, plen, &p, name, 1, 4))
break; /* bad packet */
len = to_wire(name);
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 10832a3d5d2e..7a07b0cee906 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -16,7 +16,6 @@
#include "dnsmasq.h"
-/* isExtract == 2 -> DNSSEC mode, no bitstrings, no ascii checks. */
int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
char *name, int isExtract, int extrabytes)
{
@@ -87,7 +86,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if ((l & 0x3f) != 1)
return 0; /* we only understand bitstrings */
- if (isExtract != 1)
+ if (!isExtract)
return 0; /* Cannot compare bitsrings */
count = *p++;
@@ -129,8 +128,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if (isExtract)
{
unsigned char c = *p;
- if ((isExtract == 2 || (isascii(c) && !iscntrl(c))) && c != '.')
- *cp++ = *p;
+ if (c != 0 && c != '.')
+ *cp++ = c;
else
return 0;
}
--
2.1.0


@@ -0,0 +1,30 @@
From 794fccca7ffebfba4468bfffc6276b68bbf6afd9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:35:44 +0100
Subject: [PATCH 66/71] Fix crash in last commit.
---
src/cache.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index 873c5779044c..d7bea574c0d8 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1404,9 +1404,10 @@ int cache_make_stat(struct txt_record *t)
static char *sanitise(char *name)
{
unsigned char *r;
- for (r = (unsigned char *)name; *r; r++)
- if (!isprint((int)*r))
- return "<name unprintable>";
+ if (name)
+ for (r = (unsigned char *)name; *r; r++)
+ if (!isprint((int)*r))
+ return "<name unprintable>";
return name;
}
--
2.1.0



@@ -0,0 +1,199 @@
From 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Tue, 31 Mar 2015 22:32:11 +0100
Subject: [PATCH 68/71] add --tftp-no-fail to ignore missing tftp root
---
CHANGELOG | 3 +++
dnsmasq.conf.example | 3 +++
man/dnsmasq.8 | 3 +++
src/dnsmasq.c | 40 ++++++++++++++++++++++++++++++----------
src/dnsmasq.h | 4 +++-
src/option.c | 3 +++
6 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 4f4fa305deaa..34432ae4807f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -72,6 +72,9 @@ version 2.73
on systems without an RTC, whilst allowing DNS queries before the
clock is valid so that NTP can run. Thanks to
Kevin Darbyshire-Bryant for developing this idea.
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
version 2.72
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 1bd305dbdbad..67be99acb028 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -486,6 +486,9 @@
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 1f1dd7b69c53..6b4626cc0aad 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1711,6 +1711,9 @@ Absolute paths (starting with /) are allowed, but they must be within
the tftp-root. If the optional interface argument is given, the
directory is only used for TFTP requests via that interface.
.TP
+.B --tftp-no-fail
+Do not abort startup if specified tftp root directories are inaccessible.
+.TP
.B --tftp-unique-root
Add the IP address of the TFTP client as a path component on the end
of the TFTP-root (in standard dotted-quad format). Only valid if a
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index b784951950d4..0d4d4558a2e2 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -58,6 +58,9 @@ int main (int argc, char **argv)
struct dhcp_context *context;
struct dhcp_relay *relay;
#endif
+#ifdef HAVE_TFTP
+ int tftp_prefix_missing = 0;
+#endif
#ifdef LOCALEDIR
setlocale(LC_ALL, "");
@@ -636,7 +639,7 @@ int main (int argc, char **argv)
#endif
#ifdef HAVE_TFTP
- if (option_bool(OPT_TFTP))
+ if (option_bool(OPT_TFTP))
{
DIR *dir;
struct tftp_prefix *p;
@@ -645,24 +648,33 @@ int main (int argc, char **argv)
{
if (!((dir = opendir(daemon->tftp_prefix))))
{
- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix);
- _exit(0);
+ tftp_prefix_missing = 1;
+ if (!option_bool(OPT_TFTP_NO_FAIL))
+ {
+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix);
+ _exit(0);
+ }
}
closedir(dir);
}
-
+
for (p = daemon->if_prefix; p; p = p->next)
{
+ p->missing = 0;
if (!((dir = opendir(p->prefix))))
- {
- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix);
- _exit(0);
- }
+ {
+ p->missing = 1;
+ if (!option_bool(OPT_TFTP_NO_FAIL))
+ {
+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix);
+ _exit(0);
+ }
+ }
closedir(dir);
}
}
#endif
-
+
if (daemon->port == 0)
my_syslog(LOG_INFO, _("started, version %s DNS disabled"), VERSION);
else if (daemon->cachesize != 0)
@@ -772,7 +784,8 @@ int main (int argc, char **argv)
#ifdef HAVE_TFTP
if (option_bool(OPT_TFTP))
- {
+ {
+ struct tftp_prefix *p;
#ifdef FD_SETSIZE
if (FD_SETSIZE < (unsigned)max_fd)
max_fd = FD_SETSIZE;
@@ -782,7 +795,14 @@ int main (int argc, char **argv)
daemon->tftp_prefix ? _("root is ") : _("enabled"),
daemon->tftp_prefix ? daemon->tftp_prefix: "",
option_bool(OPT_TFTP_SECURE) ? _("secure mode") : "");
+
+ if (tftp_prefix_missing)
+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: %s inaccessible"), daemon->tftp_prefix);
+ for (p = daemon->if_prefix; p; p = p->next)
+ if (p->missing)
+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: TFTP directory %s inaccessible"), p->prefix);
+
/* This is a guess, it assumes that for small limits,
disjoint files might be served, but for large limits,
a single file will be sent to may clients (the file only needs
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index de95d0e875e3..42952fc76c7a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -240,7 +240,8 @@ struct event_desc {
#define OPT_LOCAL_SERVICE 49
#define OPT_LOOP_DETECT 50
#define OPT_EXTRALOG 51
-#define OPT_LAST 52
+#define OPT_TFTP_NO_FAIL 52
+#define OPT_LAST 53
/* extra flags for my_syslog, we use a couple of facilities since they are known
not to occupy the same bits as priorities, no matter how syslog.h is set up. */
@@ -901,6 +902,7 @@ struct addr_list {
struct tftp_prefix {
char *interface;
char *prefix;
+ int missing;
struct tftp_prefix *next;
};
diff --git a/src/option.c b/src/option.c
index 3009eb545fde..f91cfbb1aa54 100644
--- a/src/option.c
+++ b/src/option.c
@@ -153,6 +153,7 @@ struct myoption {
#define LOPT_DHOPT_INOTIFY 341
#define LOPT_HOST_INOTIFY 342
#define LOPT_DNSSEC_STAMP 343
+#define LOPT_TFTP_NO_FAIL 344
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -235,6 +236,7 @@ static const struct myoption opts[] =
{ "dhcp-ignore-names", 2, 0, LOPT_NO_NAMES },
{ "enable-tftp", 2, 0, LOPT_TFTP },
{ "tftp-secure", 0, 0, LOPT_SECURE },
+ { "tftp-no-fail", 0, 0, LOPT_TFTP_NO_FAIL },
{ "tftp-unique-root", 0, 0, LOPT_APREF },
{ "tftp-root", 1, 0, LOPT_PREFIX },
{ "tftp-max", 1, 0, LOPT_TFTP_MAX },
@@ -419,6 +421,7 @@ static struct {
{ LOPT_PREFIX, ARG_DUP, "<dir>[,<iface>]", gettext_noop("Export files by TFTP only from the specified subtree."), NULL },
{ LOPT_APREF, OPT_TFTP_APREF, NULL, gettext_noop("Add client IP address to tftp-root."), NULL },
{ LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to files owned by the user running dnsmasq."), NULL },
+ { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate the service if TFTP directories are inaccessible."), NULL },
{ LOPT_TFTP_MAX, ARG_ONE, "<integer>", gettext_noop("Maximum number of conncurrent TFTP transfers (defaults to %s)."), "#" },
{ LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP blocksize extension."), NULL },
{ LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames to lowercase"), NULL },
--
2.1.0


@@ -0,0 +1,85 @@
From 7aa970e2c7043201663d86a4b5d8cd5c592cef39 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Wed, 1 Apr 2015 17:55:07 +0100
Subject: [PATCH 69/71] Whitespace fixes.
---
src/dnsmasq.c | 14 +++++++-------
src/tftp.c | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 0d4d4558a2e2..a7c5da8fbd01 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -345,7 +345,7 @@ int main (int argc, char **argv)
#else
die(_("DBus not available: set HAVE_DBUS in src/config.h"), NULL, EC_BADCONF);
#endif
-
+
if (daemon->port != 0)
pre_allocate_sfds();
@@ -657,7 +657,7 @@ int main (int argc, char **argv)
}
closedir(dir);
}
-
+
for (p = daemon->if_prefix; p; p = p->next)
{
p->missing = 0;
@@ -669,12 +669,12 @@ int main (int argc, char **argv)
send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix);
_exit(0);
}
- }
+ }
closedir(dir);
}
}
#endif
-
+
if (daemon->port == 0)
my_syslog(LOG_INFO, _("started, version %s DNS disabled"), VERSION);
else if (daemon->cachesize != 0)
@@ -784,7 +784,7 @@ int main (int argc, char **argv)
#ifdef HAVE_TFTP
if (option_bool(OPT_TFTP))
- {
+ {
struct tftp_prefix *p;
#ifdef FD_SETSIZE
if (FD_SETSIZE < (unsigned)max_fd)
@@ -795,10 +795,10 @@ int main (int argc, char **argv)
daemon->tftp_prefix ? _("root is ") : _("enabled"),
daemon->tftp_prefix ? daemon->tftp_prefix: "",
option_bool(OPT_TFTP_SECURE) ? _("secure mode") : "");
-
+
if (tftp_prefix_missing)
my_syslog(MS_TFTP | LOG_WARNING, _("warning: %s inaccessible"), daemon->tftp_prefix);
-
+
for (p = daemon->if_prefix; p; p = p->next)
if (p->missing)
my_syslog(MS_TFTP | LOG_WARNING, _("warning: TFTP directory %s inaccessible"), p->prefix);
diff --git a/src/tftp.c b/src/tftp.c
index a57a31514f44..d3fb6d7492e4 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -236,7 +236,7 @@ void tftp_request(struct listener *listen, time_t now)
if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) != -1)
mtu = ifr.ifr_mtu;
}
-
+
if (name)
{
/* check for per-interface prefix */
--
2.1.0


@@ -0,0 +1,254 @@
From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:25:05 +0100
Subject: [PATCH 70/71] Return INSECURE, rather than BOGUS when DS proved not
to exist.
Return INSECURE when validating DNS replies which have RRSIGs, but
when a needed DS record in the trust chain is proved not to exist.
It's allowed for a zone to set up DNSKEY and RRSIG records first, then
add a DS later, completing the chain of trust.
Also, since we don't have the infrastructure to track that these
non-validated replies have RRSIGS, don't cache them, so we don't
provide answers with missing RRSIGS from the cache.
---
src/dnsmasq.h | 1 +
src/dnssec.c | 2 +-
src/forward.c | 87 +++++++++++++++++++++++++++++++++++++++++++++--------------
3 files changed, 69 insertions(+), 21 deletions(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 42952fc76c7a..6fe4a4189188 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -583,6 +583,7 @@ struct hostsfile {
#define STAT_NO_NS 10
#define STAT_NEED_DS_NEG 11
#define STAT_CHASE_CNAME 12
+#define STAT_INSECURE_DS 13
#define FREC_NOREBIND 1
#define FREC_CHECKING_DISABLED 2
diff --git a/src/dnssec.c b/src/dnssec.c
index 14bae7e9bf75..05e0983cb251 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -981,7 +981,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
/* If we've cached that DS provably doesn't exist, result must be INSECURE */
if (crecp->flags & F_NEG)
- return STAT_INSECURE;
+ return STAT_INSECURE_DS;
/* NOTE, we need to find ONE DNSKEY which matches the DS */
for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
diff --git a/src/forward.c b/src/forward.c
index 985814c3aec5..e8cf615aa939 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -521,7 +521,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
}
static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
- int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
+ int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
+ int check_subnet, union mysockaddr *query_source)
{
unsigned char *pheader, *sizep;
char **sets = 0;
@@ -634,7 +635,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
}
#ifdef HAVE_DNSSEC
- if (no_cache && !(header->hb4 & HB4_CD))
+ if (bogusanswer && !(header->hb4 & HB4_CD))
{
if (!option_bool(OPT_DNSSEC_DEBUG))
{
@@ -786,7 +787,7 @@ void reply_query(int fd, int family, time_t now)
everything is broken */
if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
{
- int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
if (option_bool(OPT_NO_REBIND))
check_rebind = !(forward->flags & FREC_NOREBIND);
@@ -819,7 +820,13 @@ void reply_query(int fd, int family, time_t now)
else if (forward->flags & FREC_DS_QUERY)
{
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
- if (status == STAT_NO_DS || status == STAT_NO_NS)
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
status = STAT_BOGUS;
}
else if (forward->flags & FREC_CHECK_NOSIGN)
@@ -959,8 +966,14 @@ void reply_query(int fd, int family, time_t now)
else if (forward->flags & FREC_DS_QUERY)
{
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
- if (status == STAT_NO_DS || status == STAT_NO_NS)
- status = STAT_BOGUS;
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
+ status = STAT_BOGUS;
}
else if (forward->flags & FREC_CHECK_NOSIGN)
{
@@ -985,6 +998,17 @@ void reply_query(int fd, int family, time_t now)
}
}
+ no_cache_dnssec = 0;
+
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (status == STAT_TRUNCATED)
header->hb3 |= HB3_TC;
else
@@ -1002,12 +1026,13 @@ void reply_query(int fd, int family, time_t now)
log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
}
- no_cache_dnssec = 0;
-
if (status == STAT_SECURE)
cache_secure = 1;
else if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
}
#endif
@@ -1017,7 +1042,7 @@ void reply_query(int fd, int family, time_t now)
else
header->hb4 &= ~HB4_CD;
- if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
+ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
{
@@ -1420,7 +1445,7 @@ static int do_check_sign(struct frec *forward, int status, time_t now, char *nam
}
}
-/* Move toward the root, until we find a signed non-existance of a DS, in which case
+/* Move down from the root, until we find a signed non-existance of a DS, in which case
an unsigned answer is OK, or we find a signed DS, in which case there should be
a signature, and the answer is BOGUS */
static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
@@ -1570,8 +1595,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
{
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
- new_status = STAT_BOGUS;
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS;
+ }
}
else if (status == STAT_CHASE_CNAME)
new_status = dnssec_chase_cname(now, header, n, name, keyname);
@@ -1630,8 +1660,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
{
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
- new_status = STAT_BOGUS; /* Validated no DS */
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS; /* Validated no DS */
+ }
}
else if (status == STAT_CHASE_CNAME)
new_status = dnssec_chase_cname(now, header, n, name, keyname);
@@ -1652,7 +1687,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
goto another_tcp_key;
}
}
-
+
free(packet);
}
return new_status;
@@ -1673,7 +1708,7 @@ unsigned char *tcp_request(int confd, time_t now,
int local_auth = 0;
#endif
int checking_disabled, ad_question, do_bit, added_pheader = 0;
- int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
+ int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
size_t m;
unsigned short qtype;
unsigned int gotname;
@@ -1941,6 +1976,15 @@ unsigned char *tcp_request(int confd, time_t now,
int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
char *result;
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (keycount == 0)
{
result = "ABANDONED";
@@ -1952,8 +1996,11 @@ unsigned char *tcp_request(int confd, time_t now,
log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
-
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
+
if (status == STAT_SECURE)
cache_secure = 1;
}
@@ -1987,7 +2034,7 @@ unsigned char *tcp_request(int confd, time_t now,
#endif
m = process_reply(header, now, last_server, (unsigned int)m,
- option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, bogusanswer,
cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
break;
--
2.1.0
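Review bot: The process_reply() call added in tcp_request (hunk `@@ -1987,7 +2034,7 @@`) passes `no_cache_dnssec, bogusanswer, cache_secure`, but the new signature in the `@@ -521,7 +521,8 @@` hunk declares the parameters as `int no_cache, int cache_secure, int bogusanswer`, so the last two are swapped, and because all three are `int` the compiler will not flag it. On the TCP path a STAT_SECURE reply therefore reaches process_reply with `bogusanswer == 1` and enters the `if (bogusanswer && !(header->hb4 & HB4_CD))` branch that the commit intends for bogus answers only, while a STAT_BOGUS reply arrives with `bogusanswer == 0` and `cache_secure == 1` and skips it; the UDP call in reply_query (hunk `@@ -1017,7 +1042,7 @@`) passes them in the declared order. The fix is the two argument lines `option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure,` followed by `bogusanswer, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);`. Both tcp_request and process_reply start and end outside these hunks, so what the guarded branch does beyond the visible `OPT_DNSSEC_DEBUG` test is inferred from the commit's intent rather than visible here.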


@@ -0,0 +1,26 @@
From 982faf402487e265ed11ac03524531d42b03c966 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:42:30 +0100
Subject: [PATCH 71/71] Fix compiler warning when not including DNSSEC.
---
src/forward.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/forward.c b/src/forward.c
index e8cf615aa939..3f6b9a23b6ab 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -530,7 +530,8 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
size_t plen;
(void)ad_reqd;
- (void) do_bit;
+ (void)do_bit;
+ (void)bogusanswer;
#ifdef HAVE_IPSET
if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
--
2.1.0