From 3c6cc6fa06b724c9559d7eb32d50c7d1089faa78 Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Mon, 13 Apr 2015 07:49:29 +0000 Subject: dnsmasq: fix dnssec timestamp logic, backport crashfix Signed-off-by: Steven Barth git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45410 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/network/services/dnsmasq/Makefile | 2 +- .../network/services/dnsmasq/files/dnsmasq.init | 11 +- .../patches/001-fix-crash-in-auth-code.patch | 113 +++++++++++++++++++++ .../210-dnssec-improve-timestamp-heuristic.patch | 54 ++++++++++ 4 files changed, 174 insertions(+), 6 deletions(-) create mode 100644 package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch create mode 100644 package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index dc94d341bd..9c90e0fc28 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_VERSION:=2.73rc4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index b2dfb979bc..b0a5fbc04f 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -15,6 +15,7 @@ ADD_LOCAL_HOSTNAME=1 CONFIGFILE="/var/etc/dnsmasq.conf" HOSTFILE="/tmp/hosts/dhcp" TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf" +TIMESTAMPFILE="/etc/dnsmasq.time" xappend() { local value="$1" @@ -205,7 +206,7 @@ dnsmasq() { [ "$dnssec" -gt 0 ] && { xappend "--conf-file=$TRUSTANCHORSFILE" xappend "--dnssec" - xappend "--dnssec-timestamp=/etc/dnsmasq.time" + xappend "--dnssec-timestamp=$TIMESTAMPFILE" append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned" } @@ -556,7 +557,7 @@ start_service() { procd_add_jail dnsmasq ubus log procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers - procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases /etc/dnsmasq.time + procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases $TIMESTAMPFILE procd_close_instance @@ -566,9 +567,9 @@ start_service() { mkdir -p /var/lib/misc touch /tmp/dhcp.leases - if [ ! -f /etc/dnsmasq.time ]; then - touch -t 197001010000 /etc/dnsmasq.time - chmod 0777 /etc/dnsmasq.time + if [ ! -f "$TIMESTAMPFILE" ]; then + touch "$TIMESTAMPFILE" + chown nobody.nogroup "$TIMESTAMPFILE" fi echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE diff --git a/package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch b/package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch new file mode 100644 index 0000000000..9cba0ccbae --- /dev/null +++ b/package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch @@ -0,0 +1,113 @@ +From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sun, 12 Apr 2015 21:52:47 +0100 +Subject: [PATCH] Fix crash in auth code with odd configuration. + +--- + CHANGELOG | 32 +++++++++++++++++++++----------- + src/auth.c | 13 ++++++++----- + 2 files changed, 29 insertions(+), 16 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 9af6170..f2142c7 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -68,18 +68,31 @@ version 2.73 + Fix broken DNSSEC validation of ECDSA signatures. + + Add --dnssec-timestamp option, which provides an automatic +- way to detect when the system time becomes valid after boot +- on systems without an RTC, whilst allowing DNS queries before the +- clock is valid so that NTP can run. Thanks to +- Kevin Darbyshire-Bryant for developing this idea. ++ way to detect when the system time becomes valid after ++ boot on systems without an RTC, whilst allowing DNS ++ queries before the clock is valid so that NTP can run. ++ Thanks to Kevin Darbyshire-Bryant for developing this idea. + + Add --tftp-no-fail option. Thanks to Stefan Tomanek for + the patch. + +- Fix crash caused by looking up servers.bind, CHAOS text record, +- when more than about five --servers= lines are in the dnsmasq +- config. This causes memory corruption which causes a crash later. +- Thanks to Matt Coddington for sterling work chasing this down. ++ Fix crash caused by looking up servers.bind, CHAOS text ++ record, when more than about five --servers= lines are ++ in the dnsmasq config. This causes memory corruption ++ which causes a crash later. Thanks to Matt Coddington for ++ sterling work chasing this down. ++ ++ Fix crash on receipt of certain malformed DNS requests. ++ Thanks to Nick Sampanis for spotting the problem. ++ ++ Fix crash in authoritative DNS code, if a .arpa zone ++ is declared as authoritative, and then a PTR query which ++ is not to be treated as authoritative arrived. Normally, ++ directly declaring .arpa zone as authoritative is not ++ done, so this crash wouldn't be seen. Instead the ++ relevant .arpa zone should be specified as a subnet ++ in the auth-zone declaration. Thanks to Johnny S. Lee ++ for the bugreport and initial patch. + + + version 2.72 +@@ -125,10 +138,7 @@ version 2.72 + Fix problem with --local-service option on big-endian platforms + Thanks to Richard Genoud for the patch. + +- Fix crash on receipt of certain malformed DNS requests. Thanks +- to Nick Sampanis for spotting the problem. + +- + version 2.71 + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for +diff --git a/src/auth.c b/src/auth.c +index 15721e5..4a5c39f 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n + for (zone = daemon->auth_zones; zone; zone = zone->next) + if ((subnet = find_subnet(zone, flag, &addr))) + break; +- ++ + if (!zone) + { + auth = 0; +@@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n + + if (intr) + { +- if (in_zone(zone, intr->name, NULL)) ++ if (local_query || in_zone(zone, intr->name, NULL)) + { + found = 1; + log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL); +@@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n + *p = 0; /* must be bare name */ + + /* add external domain */ +- strcat(name, "."); +- strcat(name, zone->domain); ++ if (zone) ++ { ++ strcat(name, "."); ++ strcat(name, zone->domain); ++ } + log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid)); + found = 1; + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, +@@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n + T_PTR, C_IN, "d", name)) + anscount++; + } +- else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL)) ++ else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL))) + { + log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid)); + found = 1; +-- +2.1.4 + diff --git a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch new file mode 100644 index 0000000000..f4acd7c6e5 --- /dev/null +++ b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch @@ -0,0 +1,54 @@ +From 79e60e145f8a595bca5a784c00b437216d51de68 Mon Sep 17 00:00:00 2001 +From: Steven Barth +Date: Mon, 13 Apr 2015 09:45:20 +0200 +Subject: [PATCH] dnssec: improve timestamp heuristic + +Signed-off-by: Steven Barth +--- + src/dnssec.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 05e0983..9c02548 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -408,17 +408,24 @@ static int back_to_the_future; + int setup_timestamp(void) + { + struct stat statbuf; +- ++ time_t now; ++ time_t base = 1420070400; /* 1-1-2015 */ ++ + back_to_the_future = 0; + + if (!daemon->timestamp_file) + return 0; +- ++ ++ now = time(NULL); ++ ++ if (!stat("/proc/self/exe", &statbuf) && difftime(statbuf.st_mtime, base) > 0) ++ base = statbuf.st_mtime; ++ + if (stat(daemon->timestamp_file, &statbuf) != -1) + { + timestamp_time = statbuf.st_mtime; + check_and_exit: +- if (difftime(timestamp_time, time(0)) <= 0) ++ if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <= 0) + { + /* time already OK, update timestamp, and do key checking from the start. */ + if (utime(daemon->timestamp_file, NULL) == -1) +@@ -439,7 +446,7 @@ int setup_timestamp(void) + + close(fd); + +- timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */ ++ timestamp_time = timbuf.actime = timbuf.modtime = base; + if (utime(daemon->timestamp_file, &timbuf) == 0) + goto check_and_exit; + } +-- +2.1.4 + -- cgit v1.2.3