dnsmasq 2.75: latest upstream patches

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lfs/dnsmasq

@@ -82,6 +82,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
 
 	cd $(DIR_APP) && sed -i src/config.h \

src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch

@@ -0,0 +1,26 @@
+From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 26 Sep 2015 21:40:45 +0100
+Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca
+
+---
+ src/rfc3315.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f1f9ee..3ed8623 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+       if (opt_cfg->opt == OPTION6_DNS_SERVER)
+ 	done_dns = 1;
+       
+-      /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
+-      if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
++      if (opt_cfg->flags & DHOPT_ADDR6)
+ 	{
+ 	  int len, j;
+ 	  struct in6_addr *a;
+-- 
+1.7.10.4
+

src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch

@@ -0,0 +1,32 @@
+From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 13 Oct 2015 20:30:32 +0100
+Subject: [PATCH] Catch errors from sendmsg in DHCP code.  Logs, eg,  iptables
+ DROPS of dest 255.255.255.255
+
+---
+ src/dhcp.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index e6fceb1..1c85e42 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
+ #endif
+   
+   while(retry_send(sendmsg(fd, &msg, 0)));
++
++  /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
++  if (errno != 0)
++    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
++	      inet_ntoa(dest.sin_addr), strerror(errno));
+ }
+- 
++
+ /* check against secondary interface addresses */
+ static int check_listen_addrs(struct in_addr local, int if_index, char *label,
+ 			      struct in_addr netmask, struct in_addr broadcast, void *vparam)
+-- 
+1.7.10.4
+

src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch

@@ -0,0 +1,48 @@
+From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 20 Oct 2015 21:21:32 +0100
+Subject: [PATCH] Update list of subnet for --bogus-priv
+
+RFC6303 specifies & recommends following zones not be forwarded
+to globally facing servers.
++------------------------------+-----------------------+
+| Zone                         | Description           |
++------------------------------+-----------------------+
+| 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
+| 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
+| 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
+| 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
+| 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
+| 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
+| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
++------------------------------+-----------------------+
+
+Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+---
+ src/rfc1035.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 6a51b30..4eb1772 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost)
+   return
+     (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+     ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
+-    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
+     ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
+     ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
+-    ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ;
++    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
++    ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ||
++    ((ip_addr & 0xFFFFFF00) == 0xC0000200)  /* 192.0.2.0/24   (test-net) */ ||
++    ((ip_addr & 0xFFFFFF00) == 0xC6336400)  /* 198.51.100.0/24(test-net) */ ||
++    ((ip_addr & 0xFFFFFF00) == 0xCB007100)  /* 203.0.113.0/24 (test-net) */ ||
++    ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF)  /* 255.255.255.255/32 (broadcast)*/ ;
+ }
+ 
+ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
+-- 
+1.7.10.4
+

src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch

@@ -0,0 +1,43 @@
+From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin+ml-cerowrt@etorok.net>
+Date: Sat, 14 Nov 2015 17:45:48 +0000
+Subject: [PATCH] Fix crash when empty address from DNS overlays A record from
+ hosts.
+
+---
+ CHANGELOG   |    5 +++++
+ src/cache.c |    2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d6e309f..93c73d0 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -13,6 +13,11 @@ version 2.76
+ 	    was a dangling symbolic link, even of --no-resolv set.
+ 	    Thanks to Alexander Kurtz for spotting the problem.
+ 
++	    Fix crash when an A or AAAA record is defined locally,
++	    in a hosts file, and an upstream server sends a reply
++	    that the same name is empty. Thanks to Edwin Török for
++	    the patch.
++
+ 	
+ version 2.75
+             Fix reversion on 2.74 which caused 100% CPU use when a 
+diff --git a/src/cache.c b/src/cache.c
+index 178d654..1b76b67 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
+ 	 existing record is for an A or AAAA and
+ 	 the record we're trying to insert is the same, 
+ 	 just drop the insert, but don't error the whole process. */
+-      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
++      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
+ 	{
+ 	  if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
+ 	      new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr)
+-- 
+1.7.10.4
+

src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch

@@ -0,0 +1,39 @@
+From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 20 Nov 2015 23:20:47 +0000
+Subject: [PATCH] Handle unknown DS hash algos correctly.
+
+When we can validate a DS RRset, but don't speak the hash algo it
+contains, treat that the same as an NSEC/3 proving that the DS
+doesn't exist. 4025 5.2
+---
+ src/dnssec.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 67ce486..b4dc14e 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
+   if (crecp->flags & F_NEG)
+     return STAT_INSECURE_DS;
+   
++  /* 4035 5.2 
++     If the validator does not support any of the algorithms listed in an
++     authenticated DS RRset, then the resolver has no supported
++     authentication path leading from the parent to the child.  The
++     resolver should treat this case as it would the case of an
++     authenticated NSEC RRset proving that no DS RRset exists,  */
++  for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
++    if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
++      break;
++  
++  if (!recp1)
++    return STAT_INSECURE_DS;
++
+   /* NOTE, we need to find ONE DNSKEY which matches the DS */
+   for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) 
+     {
+-- 
+1.7.10.4
+

src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch

@@ -0,0 +1,38 @@
+From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 21 Nov 2015 21:47:41 +0000
+Subject: [PATCH] Fix crash at start up with conf-dir=/path,*
+
+Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug.
+---
+ src/option.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 746cd11..71beb98 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 		li = opt_malloc(sizeof(struct list));
+ 		if (*arg == '*')
+ 		  {
+-		    li->next = match_suffix;
+-		    match_suffix = li;
+-		    /* Have to copy: buffer is overwritten */
+-		    li->suffix = opt_string_alloc(arg+1);
++		    /* "*" with no suffix is a no-op */
++		    if (arg[1] == 0)
++		      free(li);
++		    else
++		      {
++			li->next = match_suffix;
++			match_suffix = li;
++			/* Have to copy: buffer is overwritten */
++			li->suffix = opt_string_alloc(arg+1);
++		      }
+ 		  }
+ 		else
+ 		  {
+-- 
+1.7.10.4
+