aboutsummaryrefslogtreecommitdiffstats
path: root/package
diff options
context:
space:
mode:
authorSteven Barth <cyrus@openwrt.org>2015-04-10 10:19:17 +0000
committerSteven Barth <cyrus@openwrt.org>2015-04-10 10:19:17 +0000
commit747c33859b10388e0eb1d37ff2a58ee7837a6f7a (patch)
treedfd1c3d8e07fa364c6f8230081ef236045733589 /package
parent9d6e04a4f171cbf6acb8ad33b5a58fb39c9cab30 (diff)
downloadupstream-747c33859b10388e0eb1d37ff2a58ee7837a6f7a.tar.gz
upstream-747c33859b10388e0eb1d37ff2a58ee7837a6f7a.tar.bz2
upstream-747c33859b10388e0eb1d37ff2a58ee7837a6f7a.zip
dnsmasq: bump to 2.73rc4
Fix crash caused by malformed DNS requests Improved DNSSEC handling Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 45354
Diffstat (limited to 'package')
-rw-r--r--package/network/services/dnsmasq/Makefile10
-rw-r--r--package/network/services/dnsmasq/files/dnsmasq.init7
-rw-r--r--package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch83
-rw-r--r--package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch27
-rw-r--r--package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch193
-rw-r--r--package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch38
-rw-r--r--package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch42
7 files changed, 49 insertions, 351 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index dcbb63a0f3..dc94d341bd 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.72
-PKG_RELEASE:=4
+PKG_VERSION:=2.73rc4
+PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_MD5SUM:=cf82f81cf09ad3d47612985012240483
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates
+PKG_MD5SUM:=24569c7605059aee175b1776201afa93
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 20333c810a..b2dfb979bc 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -205,6 +205,7 @@ dnsmasq() {
[ "$dnssec" -gt 0 ] && {
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
+ xappend "--dnssec-timestamp=/etc/dnsmasq.time"
append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
}
@@ -555,7 +556,7 @@ start_service() {
procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers
- procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases
+ procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases /etc/dnsmasq.time
procd_close_instance
@@ -565,6 +566,10 @@ start_service() {
mkdir -p /var/lib/misc
touch /tmp/dhcp.leases
+ if [ ! -f /etc/dnsmasq.time ]; then
+ touch -t 197001010000 /etc/dnsmasq.time
+ chmod 0777 /etc/dnsmasq.time
+ fi
echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE
echo "# auto-generated config file from /etc/config/dhcp" > $HOSTFILE
diff --git a/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch b/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch
deleted file mode 100644
index e41f295772..0000000000
--- a/package/network/services/dnsmasq/patches/001-fix-dnssec-crash.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Sun, 21 Dec 2014 16:11:52 +0000
-Subject: [PATCH] Fix crash in DNSSEC code when attempting to verify large RRs.
-
----
- src/dnssec.c | 27 +++++++++++++++++++--------
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 69bfc29..3208ac7 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -456,16 +456,27 @@ static u16 *get_desc(int type)
-
- /* Return bytes of canonicalised rdata, when the return value is zero, the remaining
- data, pointed to by *p, should be used raw. */
--static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff,
-+static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen,
- unsigned char **p, u16 **desc)
- {
- int d = **desc;
-
-- (*desc)++;
--
- /* No more data needs mangling */
- if (d == (u16)-1)
-- return 0;
-+ {
-+ /* If there's more data than we have space for, just return what fits,
-+ we'll get called again for more chunks */
-+ if (end - *p > bufflen)
-+ {
-+ memcpy(buff, *p, bufflen);
-+ *p += bufflen;
-+ return bufflen;
-+ }
-+
-+ return 0;
-+ }
-+
-+ (*desc)++;
-
- if (d == 0 && extract_name(header, plen, p, buff, 1, 0))
- /* domain-name, canonicalise */
-@@ -560,7 +571,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
- if (left1 != 0)
- memmove(buff1, buff1 + len1 - left1, left1);
-
-- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, &p1, &dp1)) == 0)
-+ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0)
- {
- quit = 1;
- len1 = end1 - p1;
-@@ -571,7 +582,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
- if (left2 != 0)
- memmove(buff2, buff2 + len2 - left2, left2);
-
-- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, &p2, &dp2)) == 0)
-+ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0)
- {
- quit = 1;
- len2 = end2 - p2;
-@@ -808,7 +819,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
- /* canonicalise rdata and calculate length of same, use name buffer as workspace */
- cp = p;
- dp = rr_desc;
-- for (len = 0; (seg = get_rdata(header, plen, end, name, &cp, &dp)) != 0; len += seg);
-+ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg);
- len += end - cp;
- len = htons(len);
- hash->update(ctx, 2, (unsigned char *)&len);
-@@ -816,7 +827,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
- /* Now canonicalise again and digest. */
- cp = p;
- dp = rr_desc;
-- while ((seg = get_rdata(header, plen, end, name, &cp, &dp)))
-+ while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)))
- hash->update(ctx, seg, (unsigned char *)name);
- if (cp != end)
- hash->update(ctx, end - cp, cp);
---
-2.1.3
-
diff --git a/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch b/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch
deleted file mode 100644
index 9133c62d92..0000000000
--- a/package/network/services/dnsmasq/patches/002-fix-dnssec-edns0-handling.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 15 Dec 2014 17:50:15 +0000
-Subject: [PATCH] Remove floor on EDNS0 packet size with DNSSEC.
-
----
- src/dnsmasq.c | 5 -----
-
-diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index bf2e25a..5c7750d 100644
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -87,11 +87,6 @@ int main (int argc, char **argv)
-
- if (daemon->edns_pktsz < PACKETSZ)
- daemon->edns_pktsz = PACKETSZ;
--#ifdef HAVE_DNSSEC
-- /* Enforce min packet big enough for DNSSEC */
-- if (option_bool(OPT_DNSSEC_VALID) && daemon->edns_pktsz < EDNS_PKTSZ)
-- daemon->edns_pktsz = EDNS_PKTSZ;
--#endif
-
- daemon->packet_buff_sz = daemon->edns_pktsz > DNSMASQ_PACKETSZ ?
- daemon->edns_pktsz : DNSMASQ_PACKETSZ;
---
-2.1.3
-
diff --git a/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch b/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch
deleted file mode 100644
index c85e4e6513..0000000000
--- a/package/network/services/dnsmasq/patches/120-add-tftp-no-fail-to-ignore-missing-tftp-root.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-From 56920681eaf2c5eb08fc75baee4939d15d03b0ea Mon Sep 17 00:00:00 2001
-From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
-Date: Tue, 31 Mar 2015 22:32:11 +0100
-Subject: [PATCH] add --tftp-no-fail to ignore missing tftp root
-
-(cherry picked from commit 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2)
-
-Conflicts:
- CHANGELOG
- src/dnsmasq.c
- src/dnsmasq.h
- src/option.c
----
- dnsmasq.conf.example | 3 +++
- man/dnsmasq.8 | 3 +++
- src/dnsmasq.c | 42 +++++++++++++++++++++++++++++++-----------
- src/dnsmasq.h | 4 +++-
- src/option.c | 3 +++
- 5 files changed, 43 insertions(+), 12 deletions(-)
-
-diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
-index 1bd305d..67be99a 100644
---- a/dnsmasq.conf.example
-+++ b/dnsmasq.conf.example
-@@ -486,6 +486,9 @@
- # Set the root directory for files available via FTP.
- #tftp-root=/var/ftpd
-
-+# Do not abort if the tftp-root is unavailable
-+#tftp-no-fail
-+
- # Make the TFTP server more secure: with this set, only files owned by
- # the user dnsmasq is running as will be send over the net.
- #tftp-secure
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index 0b8e04f..2ff4b96 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -1670,6 +1670,9 @@ Absolute paths (starting with /) are allowed, but they must be within
- the tftp-root. If the optional interface argument is given, the
- directory is only used for TFTP requests via that interface.
- .TP
-+.B --tftp-no-fail
-+Do not abort startup if specified tftp root directories are inaccessible.
-+.TP
- .B --tftp-unique-root
- Add the IP address of the TFTP client as a path component on the end
- of the TFTP-root (in standard dotted-quad format). Only valid if a
-diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 5c7750d..b6fa285 100644
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -58,6 +58,9 @@ int main (int argc, char **argv)
- struct dhcp_context *context;
- struct dhcp_relay *relay;
- #endif
-+#ifdef HAVE_TFTP
-+ int tftp_prefix_missing = 0;
-+#endif
-
- #ifdef LOCALEDIR
- setlocale(LC_ALL, "");
-@@ -623,7 +626,7 @@ int main (int argc, char **argv)
- #endif
-
- #ifdef HAVE_TFTP
-- if (option_bool(OPT_TFTP))
-+ if (option_bool(OPT_TFTP))
- {
- DIR *dir;
- struct tftp_prefix *p;
-@@ -632,24 +635,33 @@ int main (int argc, char **argv)
- {
- if (!((dir = opendir(daemon->tftp_prefix))))
- {
-- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix);
-- _exit(0);
-+ tftp_prefix_missing = 1;
-+ if (!option_bool(OPT_TFTP_NO_FAIL))
-+ {
-+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, daemon->tftp_prefix);
-+ _exit(0);
-+ }
- }
- closedir(dir);
- }
--
-+
- for (p = daemon->if_prefix; p; p = p->next)
- {
-+ p->missing = 0;
- if (!((dir = opendir(p->prefix))))
-- {
-- send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix);
-- _exit(0);
-- }
-+ {
-+ p->missing = 1;
-+ if (!option_bool(OPT_TFTP_NO_FAIL))
-+ {
-+ send_event(err_pipe[1], EVENT_TFTP_ERR, errno, p->prefix);
-+ _exit(0);
-+ }
-+ }
- closedir(dir);
- }
- }
- #endif
--
-+
- if (daemon->port == 0)
- my_syslog(LOG_INFO, _("started, version %s DNS disabled"), VERSION);
- else if (daemon->cachesize != 0)
-@@ -743,8 +755,9 @@ int main (int argc, char **argv)
- #endif
-
- #ifdef HAVE_TFTP
-- if (option_bool(OPT_TFTP))
-- {
-+ if (option_bool(OPT_TFTP))
-+ {
-+ struct tftp_prefix *p;
- #ifdef FD_SETSIZE
- if (FD_SETSIZE < (unsigned)max_fd)
- max_fd = FD_SETSIZE;
-@@ -754,7 +767,14 @@ int main (int argc, char **argv)
- daemon->tftp_prefix ? _("root is ") : _("enabled"),
- daemon->tftp_prefix ? daemon->tftp_prefix: "",
- option_bool(OPT_TFTP_SECURE) ? _("secure mode") : "");
-+
-+ if (tftp_prefix_missing)
-+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: %s inaccessible"), daemon->tftp_prefix);
-
-+ for (p = daemon->if_prefix; p; p = p->next)
-+ if (p->missing)
-+ my_syslog(MS_TFTP | LOG_WARNING, _("warning: TFTP directory %s inaccessible"), p->prefix);
-+
- /* This is a guess, it assumes that for small limits,
- disjoint files might be served, but for large limits,
- a single file will be sent to may clients (the file only needs
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 1dd61c5..086cb67 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -238,7 +238,8 @@ struct event_desc {
- #define OPT_DNSSEC_NO_SIGN 48
- #define OPT_LOCAL_SERVICE 49
- #define OPT_LOOP_DETECT 50
--#define OPT_LAST 51
-+#define OPT_TFTP_NO_FAIL 51
-+#define OPT_LAST 52
-
- /* extra flags for my_syslog, we use a couple of facilities since they are known
- not to occupy the same bits as priorities, no matter how syslog.h is set up. */
-@@ -888,6 +889,7 @@ struct addr_list {
- struct tftp_prefix {
- char *interface;
- char *prefix;
-+ int missing;
- struct tftp_prefix *next;
- };
-
-diff --git a/src/option.c b/src/option.c
-index 209fa69..fa5e4d3 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -147,6 +147,7 @@ struct myoption {
- #define LOPT_LOCAL_SERVICE 335
- #define LOPT_DNSSEC_TIME 336
- #define LOPT_LOOP_DETECT 337
-+#define LOPT_TFTP_NO_FAIL 338
-
- #ifdef HAVE_GETOPT_LONG
- static const struct option opts[] =
-@@ -227,6 +228,7 @@ static const struct myoption opts[] =
- { "dhcp-ignore-names", 2, 0, LOPT_NO_NAMES },
- { "enable-tftp", 2, 0, LOPT_TFTP },
- { "tftp-secure", 0, 0, LOPT_SECURE },
-+ { "tftp-no-fail", 0, 0, LOPT_TFTP_NO_FAIL },
- { "tftp-unique-root", 0, 0, LOPT_APREF },
- { "tftp-root", 1, 0, LOPT_PREFIX },
- { "tftp-max", 1, 0, LOPT_TFTP_MAX },
-@@ -402,6 +404,7 @@ static struct {
- { LOPT_PREFIX, ARG_DUP, "<dir>[,<iface>]", gettext_noop("Export files by TFTP only from the specified subtree."), NULL },
- { LOPT_APREF, OPT_TFTP_APREF, NULL, gettext_noop("Add client IP address to tftp-root."), NULL },
- { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to files owned by the user running dnsmasq."), NULL },
-+ { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate the service if TFTP directories are inaccessible."), NULL },
- { LOPT_TFTP_MAX, ARG_ONE, "<integer>", gettext_noop("Maximum number of conncurrent TFTP transfers (defaults to %s)."), "#" },
- { LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP blocksize extension."), NULL },
- { LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames to lowercase"), NULL },
---
-2.1.4
-
diff --git a/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch b/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch
new file mode 100644
index 0000000000..7c900287e4
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch
@@ -0,0 +1,38 @@
+From 35042c3ef61b3bc07f0f9418dff6be6ed78f4aa1 Mon Sep 17 00:00:00 2001
+From: Steven Barth <steven@midlink.org>
+Date: Fri, 10 Apr 2015 10:46:57 +0200
+Subject: [PATCH] Revert "Don't reply to DHCPv6 SOLICIT messages when not
+ configured for statefull DHCPv6."
+
+This reverts commit 61b838dd574c51d96fef100285a0d225824534f9.
+---
+ src/rfc3315.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index c1ddc80..50131d8 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -824,19 +824,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ }
+ else
+ {
+- /* Windows 8 always requests an address even if the Managed bit
+- in RA is 0 and it keeps retrying if it receives a reply
+- stating that no addresses are available. We solve this
+- by not replying at all if we're not configured to give any
+- addresses by DHCPv6. RFC 3315 17.2.1. appears to allow this. */
+-
+- for (c = state->context; c; c = c->current)
+- if (!(c->flags & CONTEXT_RA_STATELESS))
+- break;
+-
+- if (!c)
+- return 0;
+-
+ /* no address, return error */
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOADDRS);
+--
+2.1.4
+
diff --git a/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch b/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch
deleted file mode 100644
index 663f0e9ed3..0000000000
--- a/package/network/services/dnsmasq/patches/200-let-makefile-be-aware-of-config-changes.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Index: dnsmasq-2.72/Makefile
-===================================================================
---- dnsmasq-2.72.orig/Makefile 2014-12-30 19:46:10.484921940 +0800
-+++ dnsmasq-2.72/Makefile 2014-12-30 19:56:39.712926794 +0800
-@@ -74,6 +74,10 @@
- hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
- dns-protocol.h radv-protocol.h ip6addr.h
-
-+COPT_CONF = $(top)/.copt_$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/config.h | \
-+ ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
-+COPT_CONF_WILD = $(top)/.copt_*
-+
- all : $(BUILDDIR)
- @cd $(BUILDDIR) && $(MAKE) \
- top="$(top)" \
-@@ -83,7 +87,7 @@
-
- mostly_clean :
- rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot
-- rm -f $(BUILDDIR)/.configured $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq
-+ rm -f $(BUILDDIR)/$(COPT_CONF_WILD) $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq
-
- clean : mostly_clean
- rm -f $(BUILDDIR)/dnsmasq_baseline
-@@ -139,7 +143,7 @@
-
- # rules below are targets in recusive makes with cwd=$(BUILDDIR)
-
--.configured: $(hdrs)
-+$(COPT_CONF): $(hdrs)
- @rm -f *.o
- @touch $@
-
-@@ -149,7 +153,7 @@
- .c.o:
- $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $<
-
--dnsmasq : .configured $(hdrs) $(objs)
-+dnsmasq : $(COPT_CONF) $(hdrs) $(objs)
- $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS)
-
- dnsmasq.pot : $(objs:.o=.c) $(hdrs)