From d945d7d647a27a0950812a10d62bd9e3381f6f9f Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Mon, 22 Dec 2014 09:52:19 +0000 Subject: [PATCH] dnsmasq: also add the actual patches... Signed-off-by: Steven Barth SVN-Revision: 43759 --- .../patches/001-fix-dnssec-crash.patch | 83 +++++++++++++++++++ .../002-fix-dnssec-edns0-handling.patch | 27 ++++++ 2 files changed, 110 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch create mode 100644 package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch diff --git a/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch b/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch new file mode 100644 index 0000000000..e41f295772 --- /dev/null +++ b/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch @@ -0,0 +1,83 @@ +From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sun, 21 Dec 2014 16:11:52 +0000 +Subject: [PATCH] Fix crash in DNSSEC code when attempting to verify large RRs. + +--- + src/dnssec.c | 27 +++++++++++++++++++-------- + +diff --git a/src/dnssec.c b/src/dnssec.c +index 69bfc29..3208ac7 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -456,16 +456,27 @@ static u16 *get_desc(int type) + + /* Return bytes of canonicalised rdata, when the return value is zero, the remaining + data, pointed to by *p, should be used raw. */ +-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, ++static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, + unsigned char **p, u16 **desc) + { + int d = **desc; + +- (*desc)++; +- + /* No more data needs mangling */ + if (d == (u16)-1) +- return 0; ++ { ++ /* If there's more data than we have space for, just return what fits, ++ we'll get called again for more chunks */ ++ if (end - *p > bufflen) ++ { ++ memcpy(buff, *p, bufflen); ++ *p += bufflen; ++ return bufflen; ++ } ++ ++ return 0; ++ } ++ ++ (*desc)++; + + if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) + /* domain-name, canonicalise */ +@@ -560,7 +571,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + if (left1 != 0) + memmove(buff1, buff1 + len1 - left1, left1); + +- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, &p1, &dp1)) == 0) ++ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0) + { + quit = 1; + len1 = end1 - p1; +@@ -571,7 +582,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + if (left2 != 0) + memmove(buff2, buff2 + len2 - left2, left2); + +- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, &p2, &dp2)) == 0) ++ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0) + { + quit = 1; + len2 = end2 - p2; +@@ -808,7 +819,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + /* canonicalise rdata and calculate length of same, use name buffer as workspace */ + cp = p; + dp = rr_desc; +- for (len = 0; (seg = get_rdata(header, plen, end, name, &cp, &dp)) != 0; len += seg); ++ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg); + len += end - cp; + len = htons(len); + hash->update(ctx, 2, (unsigned char *)&len); +@@ -816,7 +827,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + /* Now canonicalise again and digest. */ + cp = p; + dp = rr_desc; +- while ((seg = get_rdata(header, plen, end, name, &cp, &dp))) ++ while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp))) + hash->update(ctx, seg, (unsigned char *)name); + if (cp != end) + hash->update(ctx, end - cp, cp); +-- +2.1.3 + diff --git a/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch b/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch new file mode 100644 index 0000000000..9133c62d92 --- /dev/null +++ b/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch @@ -0,0 +1,27 @@ +From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 15 Dec 2014 17:50:15 +0000 +Subject: [PATCH] Remove floor on EDNS0 packet size with DNSSEC. + +--- + src/dnsmasq.c | 5 ----- + +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index bf2e25a..5c7750d 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -87,11 +87,6 @@ int main (int argc, char **argv) + + if (daemon->edns_pktsz < PACKETSZ) + daemon->edns_pktsz = PACKETSZ; +-#ifdef HAVE_DNSSEC +- /* Enforce min packet big enough for DNSSEC */ +- if (option_bool(OPT_DNSSEC_VALID) && daemon->edns_pktsz < EDNS_PKTSZ) +- daemon->edns_pktsz = EDNS_PKTSZ; +-#endif + + daemon->packet_buff_sz = daemon->edns_pktsz > DNSMASQ_PACKETSZ ? + daemon->edns_pktsz : DNSMASQ_PACKETSZ; +-- +2.1.3 + -- 2.34.1