dnsmasq: Import latest fixes from upstream

Michael Tremer
2015-04-27 18:10:34 +02:00
parent e0c923f424
commit 6ac0a1a38f
7 changed files with 512 additions and 0 deletions


@@ -151,6 +151,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \


@@ -0,0 +1,28 @@
From a006eb7e1486023480ea40244720ef7aab51de71 Mon Sep 17 00:00:00 2001
From: Moshe Levi <moshele@mellanox.com>
Date: Sun, 19 Apr 2015 22:10:40 +0100
Subject: [PATCH 79/84] Check IP address command line arg in dhcp_release.c
---
contrib/wrt/dhcp_release.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/contrib/wrt/dhcp_release.c b/contrib/wrt/dhcp_release.c
index 53f47dda3aec..a51f04b30cab 100644
--- a/contrib/wrt/dhcp_release.c
+++ b/contrib/wrt/dhcp_release.c
@@ -277,6 +277,11 @@ int main(int argc, char **argv)
exit(1);
}
+ if (inet_addr(argv[2]) == INADDR_NONE)
+ {
+ perror("invalid ip address");
+ exit(1);
+ }
lease.s_addr = inet_addr(argv[2]);
server = find_interface(lease, nl, if_nametoindex(argv[1]));
--
2.1.0


@@ -0,0 +1,53 @@
From 338b340be9e7198f5c0f68133d070d6598a0814c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 20 Apr 2015 21:34:05 +0100
Subject: [PATCH 80/84] Revert 61b838dd574c51d96fef100285a0d225824534f9 and
just quieten log instead.
---
src/rfc3315.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index c1ddc805988d..c45116a40a09 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -824,25 +824,21 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
}
else
{
- /* Windows 8 always requests an address even if the Managed bit
- in RA is 0 and it keeps retrying if it receives a reply
- stating that no addresses are available. We solve this
- by not replying at all if we're not configured to give any
- addresses by DHCPv6. RFC 3315 17.2.1. appears to allow this. */
-
- for (c = state->context; c; c = c->current)
- if (!(c->flags & CONTEXT_RA_STATELESS))
- break;
-
- if (!c)
- return 0;
-
/* no address, return error */
o1 = new_opt6(OPTION6_STATUS_CODE);
put_opt6_short(DHCP6NOADDRS);
put_opt6_string(_("no addresses available"));
end_opt6(o1);
- log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
+
+ /* Some clients will ask repeatedly when we're not giving
+ out addresses because we're in stateless mode. Avoid spamming
+ the log in that case. */
+ for (c = state->context; c; c = c->current)
+ if (!(c->flags & CONTEXT_RA_STATELESS))
+ {
+ log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
+ break;
+ }
}
break;
--
2.1.0


@@ -0,0 +1,215 @@
From cbe379ad6b52a538a4416a7cd992817e5637ccf9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 21 Apr 2015 22:57:06 +0100
Subject: [PATCH 81/84] Handle domain names with '.' or /000 within labels.
Only in DNSSEC mode, where we might need to validate or store
such names. In none-DNSSEC mode, simply don't cache these, as before.
---
src/dns-protocol.h | 4 ++++
src/dnsmasq.c | 15 +++++++++++++--
src/dnssec.c | 40 +++++++++++++++++++++++++++++++---------
src/rfc1035.c | 16 +++++++++++++++-
src/util.c | 9 ++++++++-
5 files changed, 71 insertions(+), 13 deletions(-)
diff --git a/src/dns-protocol.h b/src/dns-protocol.h
index 16fade33d98c..7f5d686bb150 100644
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -142,3 +142,7 @@ struct dns_header {
#define ADD_RDLEN(header, pp, plen, len) \
(!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1))
+
+/* Escape character in our presentation format for names.
+ Cannot be '.' or /000 and must be !isprint() */
+#define NAME_ESCAPE 1
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 20b15c05103a..19a6428b09e8 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -102,8 +102,19 @@ int main (int argc, char **argv)
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
{
- daemon->keyname = safe_malloc(MAXDNAME);
- daemon->workspacename = safe_malloc(MAXDNAME);
+ /* Note that both /000 and '.' are allowed within labels. These get
+ represented in presentation format using NAME_ESCAPE as an escape
+ character when in DNSSEC mode.
+ In theory, if all the characters in a name were /000 or
+ '.' or NAME_ESCAPE then all would have to be escaped, so the
+ presentation format would be twice as long as the spec.
+
+ daemon->namebuff was previously allocated by the option-reading
+ code before we knew if we're in DNSSEC mode, so reallocate here. */
+ free(daemon->namebuff);
+ daemon->namebuff = safe_malloc(MAXDNAME * 2);
+ daemon->keyname = safe_malloc(MAXDNAME * 2);
+ daemon->workspacename = safe_malloc(MAXDNAME * 2);
}
#endif
diff --git a/src/dnssec.c b/src/dnssec.c
index 05e0983cb251..c116a7b5f6f4 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -321,10 +321,18 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha
thus generating names in canonical form.
Calling to_wire followed by from_wire is almost an identity,
except that the UC remains mapped to LC.
+
+ Note that both /000 and '.' are allowed within labels. These get
+ represented in presentation format using NAME_ESCAPE as an escape
+ character. In theory, if all the characters in a name were /000 or
+ '.' or NAME_ESCAPE then all would have to be escaped, so the
+ presentation format would be twice as long as the spec (1024).
+ The buffers are all delcared as 2049 (allowing for the trailing zero)
+ for this reason.
*/
static int to_wire(char *name)
{
- unsigned char *l, *p, term;
+ unsigned char *l, *p, *q, term;
int len;
for (l = (unsigned char*)name; *l != 0; l = p)
@@ -332,7 +340,10 @@ static int to_wire(char *name)
for (p = l; *p != '.' && *p != 0; p++)
if (*p >= 'A' && *p <= 'Z')
*p = *p - 'A' + 'a';
-
+ else if (*p == NAME_ESCAPE)
+ for (q = p; *q; q++)
+ *q = *(q+1);
+
term = *p;
if ((len = p - l) != 0)
@@ -351,13 +362,23 @@ static int to_wire(char *name)
/* Note: no compression allowed in input. */
static void from_wire(char *name)
{
- unsigned char *l;
+ unsigned char *l, *p, *last;
int len;
-
+
+ for (last = (unsigned char *)name; *last != 0; last += *last+1);
+
for (l = (unsigned char *)name; *l != 0; l += len+1)
{
len = *l;
memmove(l, l+1, len);
+ for (p = l; p < l + len; p++)
+ if (*p == '.' || *p == 0 || *p == NAME_ESCAPE)
+ {
+ memmove(p+1, p, 1 + last - p);
+ len++;
+ *p++ = NAME_ESCAPE;
+ }
+
l[len] = '.';
}
@@ -645,7 +666,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
if (left1 != 0)
memmove(buff1, buff1 + len1 - left1, left1);
- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0)
+ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0)
{
quit = 1;
len1 = end1 - p1;
@@ -656,7 +677,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
if (left2 != 0)
memmove(buff2, buff2 + len2 - left2, left2);
- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0)
+ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0)
{
quit = 1;
len2 = end2 - p2;
@@ -902,10 +923,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
end = p + rdlen;
- /* canonicalise rdata and calculate length of same, use name buffer as workspace */
+ /* canonicalise rdata and calculate length of same, use name buffer as workspace.
+ Note that name buffer is twice MAXDNAME long in DNSSEC mode. */
cp = p;
dp = rr_desc;
- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg);
+ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg);
len += end - cp;
len = htons(len);
hash->update(ctx, 2, (unsigned char *)&len);
@@ -913,7 +935,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
/* Now canonicalise again and digest. */
cp = p;
dp = rr_desc;
- while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)))
+ while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)))
hash->update(ctx, seg, (unsigned char *)name);
if (cp != end)
hash->update(ctx, end - cp, cp);
diff --git a/src/rfc1035.c b/src/rfc1035.c
index a995ab50d74a..19fecc818c06 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -128,6 +128,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if (isExtract)
{
unsigned char c = *p;
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ if (c == 0 || c == '.' || c == NAME_ESCAPE)
+ *cp++ = NAME_ESCAPE;
+ *cp++ = c;
+ }
+ else
+#endif
if (c != 0 && c != '.')
*cp++ = c;
else
@@ -144,9 +153,14 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
cp++;
if (c1 >= 'A' && c1 <= 'Z')
c1 += 'a' - 'A';
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
+ c1 = *cp++;
+#endif
+
if (c2 >= 'A' && c2 <= 'Z')
c2 += 'a' - 'A';
-
+
if (c1 != c2)
retvalue = 2;
}
diff --git a/src/util.c b/src/util.c
index 648bc4d4b428..0c1a48b4700a 100644
--- a/src/util.c
+++ b/src/util.c
@@ -226,7 +226,14 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
{
unsigned char *cp = p++;
for (j = 0; *sval && (*sval != '.'); sval++, j++)
- *p++ = *sval;
+ {
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
+ *p++ = *(++sval);
+ else
+#endif
+ *p++ = *sval;
+ }
*cp = j;
if (*sval)
sval++;
--
2.1.0


@@ -0,0 +1,136 @@
From b8f16556d36924cd8dc7663cb4129d7b1f3fc2be Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 22 Apr 2015 21:14:31 +0100
Subject: [PATCH 82/84] Tweaks to previous, DNS label charset commit.
---
src/dns-protocol.h | 6 +++++-
src/dnssec.c | 9 ++++++---
src/rfc1035.c | 25 ++++++++++++++++++-------
src/util.c | 2 +-
4 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/src/dns-protocol.h b/src/dns-protocol.h
index 7f5d686bb150..4b71746f8d26 100644
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -144,5 +144,9 @@ struct dns_header {
(!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1))
/* Escape character in our presentation format for names.
- Cannot be '.' or /000 and must be !isprint() */
+ Cannot be '.' or /000 and must be !isprint().
+ Note that escaped chars are stored as
+ <NAME_ESCAPE> <orig-char+1>
+ to ensure that the escaped form of /000 doesn't include /000
+*/
#define NAME_ESCAPE 1
diff --git a/src/dnssec.c b/src/dnssec.c
index c116a7b5f6f4..a9e12153ccf2 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -341,9 +341,11 @@ static int to_wire(char *name)
if (*p >= 'A' && *p <= 'Z')
*p = *p - 'A' + 'a';
else if (*p == NAME_ESCAPE)
- for (q = p; *q; q++)
+ {
+ for (q = p; *q; q++)
*q = *(q+1);
-
+ (*p)--;
+ }
term = *p;
if ((len = p - l) != 0)
@@ -376,7 +378,8 @@ static void from_wire(char *name)
{
memmove(p+1, p, 1 + last - p);
len++;
- *p++ = NAME_ESCAPE;
+ *p++ = NAME_ESCAPE;
+ (*p)++;
}
l[len] = '.';
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 19fecc818c06..32df31ad603c 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -20,7 +20,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
char *name, int isExtract, int extrabytes)
{
unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
- unsigned int j, l, hops = 0;
+ unsigned int j, l, namelen = 0, hops = 0;
int retvalue = 1;
if (isExtract)
@@ -94,9 +94,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
count = 256;
digs = ((count-1)>>2)+1;
- /* output is \[x<hex>/siz]. which is digs+9 chars */
- if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME)
+ /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
+ namelen += digs+6;
+ if (count > 9)
+ namelen++;
+ if (count > 99)
+ namelen++;
+ if (namelen+1 >= MAXDNAME)
return 0;
+
if (!CHECK_LEN(header, p, plen, (count-1)>>3))
return 0;
@@ -119,7 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
}
else
{ /* label_type = 0 -> label. */
- if (cp - (unsigned char *)name + l + 1 >= MAXDNAME)
+ namelen += l;
+ if (namelen+1 >= MAXDNAME)
return 0;
if (!CHECK_LEN(header, p, plen, l))
return 0;
@@ -132,8 +139,12 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
if (option_bool(OPT_DNSSEC_VALID))
{
if (c == 0 || c == '.' || c == NAME_ESCAPE)
- *cp++ = NAME_ESCAPE;
- *cp++ = c;
+ {
+ *cp++ = NAME_ESCAPE;
+ *cp++ = c+1;
+ }
+ else
+ *cp++ = c;
}
else
#endif
@@ -155,7 +166,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
c1 += 'a' - 'A';
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
- c1 = *cp++;
+ c1 = (*cp++)-1;
#endif
if (c2 >= 'A' && c2 <= 'Z')
diff --git a/src/util.c b/src/util.c
index 0c1a48b4700a..9299703c6d30 100644
--- a/src/util.c
+++ b/src/util.c
@@ -229,7 +229,7 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
{
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
- *p++ = *(++sval);
+ *p++ = (*(++sval))-1;
else
#endif
*p++ = *sval;
--
2.1.0


@@ -0,0 +1,46 @@
From a5ae1f85873829efe473075ad77806cc02792622 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 25 Apr 2015 21:46:10 +0100
Subject: [PATCH 83/84] Logs in DHCPv6 not suppressed by dhcp6-quiet.
---
CHANGELOG | 6 +++++-
src/rfc3315.c | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 7f2b1e002e9e..af2b22cf8f73 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -103,7 +103,11 @@ version 2.73
Previously we provided correct answers to PTR queries
in such zones (including NS and SOA) but not direct
NS and SOA queries. Thanks to Johnny S. Lee for
- pointing out the problem.
+ pointing out the problem.
+
+ Fix logging of DHCPREPLY which should be suppressed
+ by quiet-dhcp6. Thanks to J. Pablo Abonia for
+ spotting the problem.
version 2.72
diff --git a/src/rfc3315.c b/src/rfc3315.c
index c45116a40a09..b4f5dd2db61f 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1047,9 +1047,9 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
{
preferred_time = valid_time = 0;
message = _("address invalid");
- }
+ }
- if (message)
+ if (message && (message != state->hostname))
log6_packet(state, "DHCPREPLY", req_addr, message);
else
log6_quiet(state, "DHCPREPLY", req_addr, message);
--
2.1.0


@@ -0,0 +1,28 @@
From 8efd731cc4ed2baa42aa69d0a9d336392e9987cb Mon Sep 17 00:00:00 2001
From: "Johnny S. Lee" <_@jsl.io>
Date: Sun, 26 Apr 2015 22:23:57 +0100
Subject: [PATCH 84/84] Make get-version work when repo is a git submodule.
---
bld/get-version | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bld/get-version b/bld/get-version
index 7ab75db729ac..5372869c0852 100755
--- a/bld/get-version
+++ b/bld/get-version
@@ -11,8 +11,9 @@
# If there is more than one v[0-9].* tag, sort them and use the
# first. This favours, eg v2.63 over 2.63rc6.
-if which git >/dev/null 2>&1 && [ -d $1/.git ]; then
- cd $1; git describe | sed 's/^v//'
+if which git >/dev/null 2>&1 && \
+ ([ -d $1/.git ] || grep '^gitdir:' $1/.git >/dev/null 2>&1); then
+ cd $1; git describe | sed 's/^v//'
elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
# unsubstituted VERSION, but no git available.
echo UNKNOWN
--
2.1.0