aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dnsmasq/patches
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: backport fixesHauke Mehrtens2021-01-243-0/+96
| | | | | | | | | This should fix some error messages shown in the log like this one: dnsmasq[16020]: failed to send packet: Network unreachable dnsmasq[16020]: failed to send packet: Address family not supported by protocol Fixes: e87c0d934c54 ("dnsmasq: Update to version 2.83") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* dnsmasq: Backport some security updatesHauke Mehrtens2021-01-1913-2/+2279
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* dnsmasq: Fix potential dnsmasq crash with TCPHauke Mehrtens2020-01-061-0/+35
| | | | | | | | | | | | | | | | This is a backport from the dnsmasq master which should fix a bug which could cause a crash in dnsmasq. I saw the following crashes in my log: [522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450 [522413.124464] epc = 004197f1 in dnsmasq[400000+23000] [522413.129459] ra = 004197ef in dnsmasq[400000+23000] This is happening in blockdata_write() when block->next is dereferenced, but I am not sure if this is related to this problem or if this is a different problem. I am unable to reproduce this problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 414d0541381d432e69190f394dfe2a6e8122d6bb)
* dnsmasq: use nettle ecc_curve access functionsHans Dedecker2019-09-041-0/+35
| | | | | | | Fixes compile issues with nettle 3.5.1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit 63ced140484e072dddbba39bb729adc98d94d522)
* dnsmasq: latest pre-2.81 patchesKevin Darbyshire-Bryant2019-01-3131-33/+95
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport latest pre2.81 patchesKevin Darbyshire-Bryant2019-01-1631-40/+4117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | f52bb5b fix previous commit 18eac67 Fix entries in /etc/hosts disabling static leases. f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies. 4bf62f6 Tidy cache_blockdata_free() 9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work. 2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer() a90f09d Fix crash freeing negative SRV cache entries. 5b99eae Cache SRV records. 2daca52 Fix typo in ra-param man page section. 2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back. cc921df Remove nested struct/union in cache records and all_addr. ab194ed Futher address union tidying. 65a01b7 Tidy address-union handling: move class into explicit argument. bde4647 Tidy all_addr union, merge log and rcode fields. e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively. The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b which fixes a missing bracket silly) To quote the patch: It is possible for a config entry to have one address family specified by a dhcp-host directive and the other added from /etc/hosts. This is especially common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are imported into dnsmasq via a hosts file. To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6. Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag which was set by the dhcp-host directive. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressionsKevin Darbyshire-Bryant2018-12-141-0/+40
| | | | | | | The above options were incorrectly changed to required tags. Make them optional again. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix ipv6 ipset bugKevin Darbyshire-Bryant2018-12-121-0/+21
| | | | | | | | | During upstream removal of conditional ipv6 support an order swap error was made in a ternary operator usage. This patch sent upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81 v2Kevin Darbyshire-Bryant2018-12-1013-2/+4549
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. Along with an additional patch to fix compilation without DHCPv6, sent upstream. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"Kevin Darbyshire-Bryant2018-12-1012-4522/+2
| | | | | | | | | | | | | This reverts commit a6a8fe0be5cd2edb1560bfc3f3094c3d34f2d2b0. buildbot found an error option.c: In function 'dhcp_context_free': option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface' free(ctx->template_interface); revert for the moment Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81Kevin Darbyshire-Bryant2018-12-1012-2/+4522
| | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: drop dnssec timestamp file patchKevin Darbyshire-Bryant2018-12-101-47/+0
| | | | | | | | | | | | Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp dnslookup chicken/egg problem, having used signals from ntp since that change. Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither used nor sent upstream. One less thing to refresh & maintain. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80rc1Kevin Darbyshire-Bryant2018-10-161-28/+0
| | | | | | | | | | | | 53792c9 fix typo df07182 Update German translation. Remove local patch 001-fix-typo which is a backport of the above 53792c9 There is no practical difference between our test8 release and this rc release, but this does at least say 'release candidate' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix compile issueHans Dedecker2018-10-151-0/+28
| | | | | | Fix compile issue in case HAVE_BROKEN_RTC is enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to v2.80test7Kevin Darbyshire-Bryant2018-09-272-99/+0
| | | | | | | | | | | | | | | | | | | Bump to latest test release: 3a610a0 Finesse allocation of memory for "struct crec" cache entries. 48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely). 4139298 Change behavior when RD bit unset in queries. 51cc10f Add warning about 0.0.0.0 and :: addresses to man page. ea6cc33 Handle memory allocation failure in make_non_terminals() ad03967 Add debian/tmpfiles.conf f4fd07d Debian bugfix. e3c08a3 Debian packaging fix. (restorecon) 118011f Debian packaging fix. (tmpfiles.d) Delete our own backports of ea6cc33 & 4139298, so the only real changes here, since we don't care about the Debian stuff are 48b090c & 3a610a0 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Change behavior when RD bit unset in queries.Kevin Darbyshire-Bryant2018-09-211-0/+54
| | | | | | | | | | | Backport upstream commit Change anti cache-snooping behaviour with queries with the recursion-desired bit unset. Instead to returning SERVFAIL, we now always forward, and never answer from the cache. This allows "dig +trace" command to work. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Handle memory allocation failure in make_non_terminals()Kevin Darbyshire-Bryant2018-09-191-0/+45
| | | | | | | | Backport upstream commit: ea6cc33 Handle memory allocation failure in make_non_terminals() Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to dnsmasq 2.80test6Hans Dedecker2018-09-091-1/+1
| | | | | | | | | | | | | | | | Refresh patches Changes since latest bump: af3bd07 Man page typo. d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789 47b45b2 Fix lengths of interface names 2b38e38 Minor improvements in lease-tools 282eab7 Mark die function as never returning c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8 03212e5 Manpage typo. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to dnsmasq v2.80test5Hans Dedecker2018-09-062-129/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refresh patches Remove 240-ubus patch as upstream accepted. Add uci option ubus which allows to enable/disable ubus support (enabled by default) Upstream commits since last bump: da8b651 Implement --address=/example.com/# c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c 974a6d0 Add --caa-record b758b67 Improve logging of RRs from --dns-rr. 9bafdc6 Tidy up file parsing code. 97f876b Properly deal with unaligned addresses in DHCPv6 packets. cbfbd17 Fix broken DNSSEC records in previous. b6f926f Don't return NXDOMAIN to empty non-terminals. c822620 Add --dhcp-name-match 397c050 Handle case of --auth-zone but no --auth-server. 1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/ dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c c16d966 Add copyright to src/metrics.h 1dfed16 Remove C99 only code. 6f835ed Format fixes - ubus.c 9d6fd17 dnsmasq.c fix OPT_UBUS option usage 8c1b6a5 New metrics and ubus files. 8dcdb33 Add --enable-ubus option. aba8bbb Add collection of metrics caf4d57 Add OpenWRT ubus patch Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to dnsmasq v2.80test3Kevin Darbyshire-Bryant2018-07-2819-1562/+3
| | | | | | | | | | | | | | | | | Refresh patches Upstream commits since last bump: 3b6eb19 Log DNSSEC trust anchors at startup. f3e5787 Trivial comment change. c851c69 Log failure to confirm an address in DHCPv6. a3bd7e7 Fix missing fatal errors when parsing some command-line/config options. ab5ceaf Document the --help option in the french manual 1f2f69d Fix recurrent minor spelling mistake in french manual f361b39 Fix some mistakes in french translation of the manual eb1fe15 When replacing cache entries, preserve CNAMES which target them. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to latest patches on 2.80rc2Kevin Darbyshire-Bryant2018-07-0318-10/+405
| | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled. 51e4eee Fix address-dependent domains for IPv6. 05ff659 Fix stupid infinite loop introduced by preceding commit. db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface. 7dcca6c Warn about the impact of cache-size on performance. 090856c Allow zone transfer in authoritative mode whenever auth-peer is specified. cc5cc8f Sane error message when pcap file header is wrong. c488b68 Handle standard and contructed dhcp-ranges on the same interface. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.80test2Kevin Darbyshire-Bryant2018-05-1211-4/+1168
| | | | | | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: 1f1873a Log warning on very large cachesize config, instead of truncating it. 0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup. e27825b Fix logging in previous. 1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible. a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries. 34e26e1 Retry query to other servers on receipt of SERVFAIL rcode. 6b17335 Add packet-dump debugging facility. 07ed585 Add logging for DNS error returns from upstream and local configuration. 0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. f84e674 Be persistent with broken-upstream-DNSSEC warnings. Compile & run tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.79rc1Kevin Darbyshire-Bryant2018-02-185-372/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1721453 Remove special handling of A-for-A queries. 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262 6f1cbfd Fix debian/readme typo. 55ecde7 Inotify: Ignore backup files created by editors 6b54d69 Make failure to chown() pidfile a warning. 246a31c Change ownership of pid file, to keep systemd happy. 83e4b73 Remove confusion between --user and --script-user. 6340ca7 Tweak heuristic for initial DNSSEC memory allocation. baf553d Default min-port to 1024 to avoid reserved ports. 486bcd5 Simplify and correct bindtodevice(). be9a74d Close Debian bug for CVE-2017-15107. ffcbc0f Example config typo fixes. a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS. f178172 Add homepage to Debian control file. cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6 c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes. 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. 3bd4c47 Remove limit on length of command-line options. 98196c4 Typo fix. 22cd860 Allow more than one --bridge-interface option to refer to an interface. 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation. faaf306 Spelling fixes. c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown. e541245 Handle duplicate RRs in DNSSEC validation. 84a01be Bump year in Debian copyright notice. d1ced3a Update copyrights to 2018. a6cee69 Fix exit code from dhcp_release6. 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c 39d8550 Run Debian startup regex in "C" locale. ef3d137 Fix infinite retries in strict-order mode. 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC. 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section. 74f0f9a Commment language tweaks. ed6bdb0 Man page typos. c88af04 Modify doc.html to mention git-over-http is now available. ae0187d Fix trust-anchor regexp in Debian init script. 0c50e3d Bump version in Debian package. 075366a Open inotify socket only when used. 8e8b2d6 Release notes update. 087eb76 Always return a SERVFAIL response to DNS queries with RD=0. ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104 0954a97 Remove RSA/MD5 DNSSEC algorithm. b77efc1 Tidy DNSSEC algorithm table use. 3b0cb34 Fix manpage which said ZSK but meant KSK. aa6f832 Add a few DNS RRs to the table. ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm. a6004d7 Fix caching logic for validated answers. c366717 Tidy up add_resource_record() buffer size checks. 22dee51 Log DNS server max packet size reduction. 6fd5d79 Fix logic on EDNS0 headers. 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS. a49c5c2 Fix search_servers() segfault with DNSSEC. 30858e3 Spaces in CNAME options break parsing. Refresh patches. Remove upstreamed patches: 250-Fix-infinite-retries-in-strict-order-mode.patch 260-dnssec-SIGINT.patch 270-dnssec-wildcards.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport validation fix in dnssec security fixKevin Darbyshire-Bryant2018-01-201-1/+1
| | | | | | | | A DNSSEC validation error was introduced in the fix for CVE-2017-15107 Backport the upstream fix to the fix (a simple typo) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport dnssec security fixKevin Darbyshire-Bryant2018-01-191-0/+202
| | | | | | | | | | | | | | | | | | | | | | | | | CVE-2017-15107 An interesting problem has turned up in DNSSEC validation. It turns out that NSEC records expanded from wildcards are allowed, so a domain can include an NSEC record for *.example.org and an actual query reply could expand that to anything in example.org and still have it signed by the signature for the wildcard. So, for example !.example.org NSEC zz.example.org is fine. The problem is that most implementers (your author included, but also the Google public DNS people, powerdns and Unbound) then took that record to prove the nothing exists between !.example.org and zz.example.org, whereas in fact it only provides that proof between *.example.org and zz.example.org. This gives an attacker a way to prove that anything between !.example.org and *.example.org doesn't exists, when it may well do so. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: use SIGINT for dnssec time validKevin Darbyshire-Bryant2018-01-151-0/+120
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts files, 5) reload resolvers/servers files. Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug (to indicate time is valid for dnssec) 2) odhcpd (to indicate a new/removed host - typically DHCPv6 leases) 3) procd on interface state changes 4) procd on system config state changes, 5) service reload. If dnssec time validation is enabled before the system clock has been set to a sensible time, name resolution will fail. Because name resolution fails, ntpd is unable to resolve time server names to addresses, so is unable to set time. Classic chicken/egg. Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) & 4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config) make it more likely a SIGHUP will be sent for events other than 'ntpd has set time' it is more likely that an errant 'name resolution is failing for everything' situation will be encountered. Fortunately the upstream dnsmasq people agree and have moved 'check dnssec timestamp enable' from SIGHUP handler to SIGINT. Backport the upstream patch to use SIGINT. ntpd hotplug script updated to use SIGINT. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport infinite dns retries fixHans Dedecker2017-12-062-2/+47
| | | | | | | | | | If all configured dns servers return refused in response to a query in strict mode; dnsmasq will end up in an infinite loop retransmitting the dns query resulting into high CPU load. Problem is fixed by checking for the end of a dns server list iteration in strict mode. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add interface to ubus notificationBorja Salazar2017-11-291-5/+7
| | | | Signed-off-by: Borja Salazar <borja.salazar@fon.com>
* dnsmasq: fix swapped ubus args mac and ipJaroslav Safka2017-11-131-2/+2
| | | | | | | Fix swapped arguments "mac" and "ip" when calling function "ubus_event_bcast". Signed-off-by: Jaroslav Safka <devel@safka.org>
* dnsmasq: bump to v2.78Kevin Darbyshire-Bryant2017-10-027-245/+15
| | | | | | Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: backport arcount edns0 fixKevin Darbyshire-Bryant2017-09-081-0/+44
| | | | | | | | | Don't return arcount=1 if EDNS0 RR won't fit in the packet. Omitting the EDNS0 RR but setting arcount gives a malformed packet. Also, don't accept UDP packet size less than 512 in received EDNS0. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport official fix for CVE-2017-13704Kevin Darbyshire-Bryant2017-09-072-37/+94
| | | | | | | | | Remove LEDE partial fix for CVE-2017-13704. Backport official fix from upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* dnsmasq: forward.c: fix CVE-2017-13704Kevin Darbyshire-Bryant2017-08-301-0/+37
| | | | | | | | | | | | | | | | Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() is called with header & limit pointing at the same address and thus tries to clear memory from before the buffer begins. answer_request() is called with an invalid edns packet size provided by the client. Ensure the udp_size provided by the client is bounded by 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 MUST be treated as equal to 512" The client that exposed the problem provided a payload udp size of 0. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add ubus notifications for new leasesJohn Crispin2017-08-221-0/+134
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* dnsmasq: backport remove ping check of configured dhcp addressHans Dedecker2017-07-181-0/+28
| | | | | | | Remove ping check in DHCPDISCOVER case as too many buggy clients leave an interface in configured state causing the ping check to fail. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport patch fixing DNS failover (FS#841)Hans Dedecker2017-06-281-0/+31
| | | | | | | Backport upstream dnsmasq patch fixing DNS failover when first servers returns REFUSED in strict mode; fixes issue FS#841. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport tweak ICMP ping logic for DHCPv4Hans Dedecker2017-06-261-0/+25
| | | | | | | | | | Don't start ping-check of address in DHCP discover if there already exists a lease for the address. It has been reported under some circumstances android and netbooted windows devices can reply to ICMP pings if they have a lease and thus block the allocation of the IP address the device already has during boot. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.77rc3Kevin Darbyshire-Bryant2017-05-121-6/+6
| | | | | | Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: bump to dnsmasq v2.77test4Kevin Darbyshire-Bryant2017-02-222-215/+0
| | | | | | | | | | | | | | --bogus-priv now applies to IPv6 prefixes as specified in RFC6303 - this is significantly friendlier to upstream servers. CNAME fix in auth mode - A domain can only have a CNAME if it has no other records Drop 2 patches now included upstream. Compile & run tested Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: bump to dnsmasq v2.77test3Kevin Darbyshire-Bryant2017-02-204-129/+215
| | | | | | | | | | | | | | | | New test release (since test1) includes 2 LEDE patches that are upstream and may be dropped, along with many spelling fixes. Add forthcoming 2017 root zone trust anchor to trust-anchors.conf. Backport 2 patches that just missed test3: Reduce logspam of those domains handled locally 'local addresses only' Implement RFC-6842 (Client-ids in DHCP replies) Compile & run tested Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: update to dnsmasq 2.77test1Kevin Darbyshire-Bryant2017-02-055-253/+141
| | | | | | | | | | | | | | | | | | | | | | | Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76 and allows dropping of 2 LEDE carried patches. Notable fix in rrfilter code when talking to Nominum's DNS servers especially with DNSSEC. A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses from dns servers is also included. This mean dnsmasq tries all configured servers before giving up. A 'localise queries' enhancement has also been backported (it will appear in test2/rc'n') this is especially important if using the recently imported to LEDE 'use dnsmasq standalone' feature 9525743c I have been following dnsmasq HEAD ever since 2.76 release. Compile & Run tested: ar71xx, Archer C7 v2 Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: Don't expose *.bind data incl versionKevin Darbyshire-Bryant2016-09-081-0/+149
| | | | | | | | | | | | | Don't expose dnsmasq version & other data to clients via the *.bind pseudo domain. This uses a new 'NO_ID' compile time option which has been discussed and submitted upstream. This is an alternate to replacing version with 'unknown' which affects the version reported to syslog and 'dnsmasq --version' Run time tested with & without NO_ID on Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: update to dnsmasq v2.76Kevin Darbyshire-Bryant2016-05-243-7/+25
| | | | | | | Update to dnsmasq2.76. Refresh patches. Add new patch to fix musl 'poll.h' location warning. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: Bump to dnsmasq2.74Steven Barth2015-07-302-11/+9
| | | | | | | | Bump to dnsmasq2.74 & refresh patches to fix fuzz Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> SVN-Revision: 46522
* dnsmasq: bump to 2.73rc6Steven Barth2015-04-233-158/+2
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 45572
* dnsmasq: fix dnssec timestamp logic, backport crashfixSteven Barth2015-04-132-0/+167
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 45410
* dnsmasq: bump to 2.73rc4Steven Barth2015-04-105-345/+38
| | | | | | | | | Fix crash caused by malformed DNS requests Improved DNSSEC handling Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 45354
* dnsmasq: backport --tftp-no-fail to ignore missing tftp rootJohn Crispin2015-04-011-0/+193
| | | | | | | | | | | This patch backports the option --tftp-no-fail to dnsmasq and prevents the service from aborting if the specified TFTP root directory is not available; this might be the case if TFTP files are located on external media that might occasionally not be present at startup. Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de> SVN-Revision: 45213
* dnsmasq: fix dependency problems of the dnsmasq-full variant.Felix Fietkau2015-01-051-0/+42
| | | | | | | | | | | | | | | | | | | | This patch tries to - Let the DHCPv6 feature depend on CONFIG_IPV6. - Conditionally select libnettle, kmod-ipv6, kmod-ipt-ipset only if the corresponding features are enabled. - Install `trust-anchors.conf` only if DNSSEC is selected. - Add PKG_CONFIG_DEPENDS for the configurable options. - Add a patch to let the Makefile of dnsmasq be aware of changes in COPTS variable. Big thanks goes to Frank Schäfer <fschaefer.oss@googlemail.com> for providing necessary information on connections and dependency relations between these CONFIGs and packages. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> SVN-Revision: 43851
* dnsmasq: also add the actual patches...Steven Barth2014-12-222-0/+110
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 43759