

10 Commits

openeuler-ci-bot
2d4da4293b
!142 Update DNS records after pruning DHCP leases;cache: Fix potential NULL deref in arcane situations.;Fix potential memory leak;Fix possible SIGSEGV in bpf.c;allow binding mac with ip6
From: @ultra_planet 
Reviewed-by: @xiangyu2020 
Signed-off-by: @xiangyu2020
2025-03-24 01:30:44 +00:00
lingsheng
9d395b57e5 Update DNS records after pruning DHCP leases;cache: Fix potential NULL deref in arcane situations.;Fix potential memory leak;Fix possible SIGSEGV in bpf.c;allow binding mac with ip6 2025-03-21 14:52:41 +08:00
openeuler-ci-bot
b5c4b0d77e
!134 [sync] PR-129: Fix out-of-bounds heap read in order_qsort().;Fix buffer overflow when configured lease-change script name
From: @openeuler-sync-bot 
Reviewed-by: @xiangyu2020 
Signed-off-by: @xiangyu2020
2024-12-17 06:38:01 +00:00
胡义臻
a682942dd5 Fix out-of-bounds heap read in order_qsort().
Fix buffer overflow when configured lease-change script name

(cherry picked from commit b580ae493fc991eab96d764efa6818568be9a47c)
2024-12-17 10:40:34 +08:00
openeuler-ci-bot
03f3c072e3
!125 [sync] PR-121: 更新描述:Fix crash when reloading DHCP config on SIGHUP
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
2024-11-11 12:06:29 +00:00
胡义臻
e9cadc9913 update description
(cherry picked from commit 17132022bd8b25d4707f762d5086533fe9eecbdc)
2024-11-11 19:01:48 +08:00
openeuler-ci-bot
7f3a8cf999
!118 [sync] PR-116: Fix crash when reloading DHCP config on SIGHUP
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
2024-11-11 10:40:07 +00:00
胡义臻
9c6a3e1870 [Backport]dnsmasq: Fix crash when reloading DHCP config on SIGHUP
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=f006be7842104a9f86fbf419326b7aad08ade61d
Conflict:no
(cherry picked from commit d3f749809b3e2971f4e19198c7dac269da51c1fa)
2024-11-11 16:41:25 +08:00
openeuler-ci-bot
c00fffe205
!99 升级到2.90版本
From: @renmingshuai 
Reviewed-by: @gebidelidaye 
Signed-off-by: @gebidelidaye
2024-02-23 02:50:01 +00:00
renmingshuai
b9eb052aaa Update to 2.90 2024-02-22 11:22:55 +00:00
20 changed files with 876 additions and 345 deletions


@ -0,0 +1,235 @@
From 271510e5f7c2130ad4b7e33186e47daf0d3d2d30 Mon Sep 17 00:00:00 2001
From: huyizhen <huyizhen2@huawei.com>
Date: Fri, 28 Feb 2025 14:38:44 +0800
Subject: [PATCH] allow binding mac with ip6
Bind the IPv6 address to the MAC address of the client.
This command is used to solve the problem that the client cannot obtain an IPv6 address
after the system is reinstalled. If this parameter is not specified, the client duid changes
and cannot obtain the original IPv6 address. After this parameter is added, even if the DUID
of the client changes, the client can still obtain the bound IPv6 address.
Description:
This feature conflicts with the RFC 3315 standard and applies only to private networks.
In addition, all client MAC addresses and IPv6 addresses must be bound in one-to-one mode
using --dhcp-host.
Combine bugfix-allow-binding-mac-with-ipv6.patch
bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch
to allow-binding-mac-with-ip6.patch
---
src/dnsmasq.c | 1 +
src/dnsmasq.h | 4 +++-
src/option.c | 3 +++
src/rfc3315.c | 61 ++++++++++++++++++++++++++++++++++++++++++---------
4 files changed, 58 insertions(+), 11 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index f3d87cd..3609106 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -281,6 +281,7 @@ int main (int argc, char **argv)
{
daemon->doing_ra = option_bool(OPT_RA);
+ daemon->bind_mac_with_ip6 = option_bool(OPT_BIND_MAC_IP6);
for (context = daemon->dhcp6; context; context = context->next)
{
if (context->flags & CONTEXT_DHCP)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index e455c3f..ef32f06 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,8 @@ struct event_desc {
#define OPT_NO_IDENT 70
#define OPT_CACHE_RR 71
#define OPT_LOCALHOST_SERVICE 72
-#define OPT_LAST 73
+#define OPT_BIND_MAC_IP6 73
+#define OPT_LAST 74
#define OPTION_BITS (sizeof(unsigned int)*8)
#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -1211,6 +1212,7 @@ extern struct daemon {
int override;
int enable_pxe;
int doing_ra, doing_dhcp6;
+ int bind_mac_with_ip6;
struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names;
struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
struct hostsfile *dhcp_hosts_file, *dhcp_opts_file;
diff --git a/src/option.c b/src/option.c
index 9b5066e..7c316b9 100644
--- a/src/option.c
+++ b/src/option.c
@@ -192,6 +192,7 @@ struct myoption {
#define LOPT_NO_DHCP4 383
#define LOPT_MAX_PROCS 384
#define LOPT_DNSSEC_LIMITS 385
+#define LOPT_BIND_MAC_IP6 386
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -388,6 +389,7 @@ static const struct myoption opts[] =
{ "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
{ "no-ident", 0, 0, LOPT_NO_IDENT },
{ "max-tcp-connections", 1, 0, LOPT_MAX_PROCS },
+ { "bind-mac-with-ip6", 0, 0 , LOPT_BIND_MAC_IP6 },
{ NULL, 0, 0, 0 }
};
@@ -591,6 +593,7 @@ static struct {
{ LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL },
{ LOPT_CACHE_RR, ARG_DUP, "<RR-type>", gettext_noop("Cache this DNS resource record type."), NULL },
{ LOPT_MAX_PROCS, ARG_ONE, "<integer>", gettext_noop("Maximum number of concurrent tcp connections."), NULL },
+ { LOPT_BIND_MAC_IP6, OPT_BIND_MAC_IP6, NULL, gettext_noop("Bind mac with ipv6 address. This is an experimental feature and it conflicts with rfc3315."), NULL },
{ 0, 0, NULL, NULL, NULL }
};
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 400d939..e579494 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -48,8 +48,8 @@ static int build_ia(struct state *state, int *t1cntr);
static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz);
static void mark_context_used(struct state *state, struct in6_addr *addr);
static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr);
-static int check_address(struct state *state, struct in6_addr *addr);
-static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now);
+static int check_address(struct dhcp_config *config, struct state *state, struct in6_addr *addr, time_t now, int preempte);
+static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now, int preempte);
static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr);
static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option,
unsigned int *min_time, struct in6_addr *addr, time_t now);
@@ -699,7 +699,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
/* If the client asks for an address on the same network as a configured address,
offer the configured address instead, to make moving to newly-configured
addresses automatic. */
- if (!(c->flags & CONTEXT_CONF_USED) && config_valid(config, c, &addr, state, now))
+ if (!(c->flags & CONTEXT_CONF_USED) && config_valid(config, c, &addr, state, now, 0))
{
req_addr = addr;
mark_config_used(c, &addr);
@@ -708,7 +708,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
}
else if (!(c = address6_available(state->context, &req_addr, solicit_tags, plain_range)))
continue; /* not an address we're allowed */
- else if (!check_address(state, &req_addr))
+ else if (!check_address(config, state, &req_addr, now, 0))
continue; /* address leased elsewhere */
/* add address to output packet */
@@ -723,7 +723,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
for (c = state->context; c; c = c->current)
if (!(c->flags & CONTEXT_CONF_USED) &&
match_netid(c->filter, solicit_tags, plain_range) &&
- config_valid(config, c, &addr, state, now))
+ config_valid(config, c, &addr, state, now, 1))
{
mark_config_used(state->context, &addr);
if (have_config(config, CONFIG_TIME))
@@ -879,7 +879,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
put_opt6_string(_("address unavailable"));
end_opt6(o1);
}
- else if (!check_address(state, &req_addr))
+ else if (!check_address(config, state, &req_addr, now, 0))
{
/* Address leased to another DUID/IAID */
o1 = new_opt6(OPTION6_STATUS_CODE);
@@ -1075,12 +1075,32 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
case DHCP6CONFIRM:
{
int good_addr = 0, bad_addr = 0;
+ int find_bind = 0;
+ struct dhcp_config *find_config = NULL;
/* set reply message type */
outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
-
+
+ if(daemon->bind_mac_with_ip6) {
+ if(state->mac) {
+ for (find_config = daemon->dhcp_conf; find_config; find_config = find_config->next)
+ if (config_has_mac(find_config, state->mac, state->mac_len, state->mac_type) && have_config(find_config, CONFIG_ADDR6)) {
+ find_bind = 1;
+ break;
+ }
+ }
+ /* requires all mac has binding ipv6 address. */
+ if (find_bind == 0) {
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOTONLINK);
+ put_opt6_string(_("confirm failed, no binding found"));
+ end_opt6(o1);
+ return 1;
+ }
+ }
+
for (opt = state->packet_options; opt; opt = opt6_next(opt, state->end))
{
void *ia_option, *ia_end;
@@ -1104,6 +1124,16 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
good_addr = 1;
log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname);
}
+
+ if(daemon->bind_mac_with_ip6) {
+ if (!is_same_net6(&req_addr, &find_config->addr6, 128)) {
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOTONLINK);
+ put_opt6_string(_("confirm failed, not binding to this address"));
+ end_opt6(o1);
+ return 1;
+ }
+ }
}
}
@@ -1723,13 +1753,24 @@ static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr
}
/* make sure address not leased to another CLID/IAID */
-static int check_address(struct state *state, struct in6_addr *addr)
+static int check_address(struct dhcp_config *config, struct state *state, struct in6_addr *addr, time_t now, int preempte)
{
struct dhcp_lease *lease;
if (!(lease = lease6_find_by_addr(addr, 128, 0)))
return 1;
+ if (preempte && daemon->bind_mac_with_ip6) {
+ // break rfc3315 here
+ // bind mac address with a lease
+ if ((state->mac) && !(config->flags & CONFIG_CLID) &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type)) {
+ lease_prune(lease, now);
+ return 1;
+ }
+ }
+
+ // what rfc3315 do
if (lease->clid_len != state->clid_len ||
memcmp(lease->clid, state->clid, state->clid_len) != 0 ||
lease->iaid != state->iaid)
@@ -1769,7 +1810,7 @@ static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_c
return NULL;
}
-static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now)
+static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now, int preempte)
{
u64 addrpart, i, addresses;
struct addrlist *addr_list;
@@ -1803,7 +1844,7 @@ static int config_valid(struct dhcp_config *config, struct dhcp_context *context
{
setaddr6part(addr, addrpart+i);
- if (check_address(state, addr))
+ if (check_address(config, state, addr, now, preempte))
return 1;
}
}
--
2.33.0
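Review bot: `is_same_net6(&req_addr, &find_config->addr6, 128)` in the second DHCP6CONFIRM hunk passes the address of the `addr6` field, and the "Fix potential memory leak" patch in this same compare shows `new->addr6` is the head of a `struct addrlist` chain (`new_addr->next = new->addr6; new->addr6 = new_addr;`), so unless this tree's `struct dhcp_config` differs, the call compares the request against the bytes of a pointer rather than an IPv6 address and the confirm check silently gives wrong answers. Walking the list is the fix: `for (al = find_config->addr6; al; al = al->next) if (is_same_net6(&req_addr, &al->addr.addr6, 128)) break;` and then fail with NOTONLINK only when `al` is NULL (entries flagged ADDRLIST_PREFIX would need a prefix-length comparison instead of 128 — verify against the config parser). Separately, `check_address` now dereferences `config->flags` whenever `preempte && daemon->bind_mac_with_ip6`; the `config_valid(..., 1)` caller in the third rfc3315 hunk sits in a loop whose guard is outside the hunk, so confirm `config` cannot be NULL on that path. The `//` comments in check_address ("break rfc3315 here", "what rfc3315 do") should be `/* ... */` to match the rest of the file, and both NOTONLINK rejection paths would benefit from a `my_syslog` line so operators can see why a CONFIRM was refused. dhcp6_no_relay's body starts and ends outside the hunks.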


@ -1,45 +0,0 @@
From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
Conflict:NA
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f
---
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 41e2e04..5acb935 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 1e7b30f..37b374e 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
--
2.23.0


@ -0,0 +1,32 @@
From ae85ea38581e97445622d2dad79cd09775cb201a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 21 Nov 2024 15:42:49 +0000
Subject: [PATCH] Fix buffer overflow when configured lease-change script name
is too long.
Thanks to Daniel Rhea for finding this one.
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=ae85ea38581e97445622d2dad79cd09775cb201a
Conflict:NA
---
src/lease.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lease.c b/src/lease.c
index 1a9f1c6..a944fbb 100644
--- a/src/lease.c
+++ b/src/lease.c
@@ -155,6 +155,10 @@ void lease_init(time_t now)
#ifdef HAVE_SCRIPT
if (daemon->lease_change_command)
{
+ /* 6 == strlen(" init") plus terminator */
+ if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
+ die(_("lease-change script name is too long"), NULL, EC_FILE);
+
strcpy(daemon->dhcp_buff, daemon->lease_change_command);
strcat(daemon->dhcp_buff, " init");
leasestream = popen(daemon->dhcp_buff, "r");
--
2.33.0
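Review bot: The new guard is correct (`" init"` is five bytes plus the terminator), but the copy it protects is still the unbounded `strcpy`/`strcat` pair on the lines that follow, so the bound lives in a comment rather than in the call. Replacing both with `snprintf(daemon->dhcp_buff, DHCP_BUFF_SZ, "%s init", daemon->lease_change_command);` keeps the check and the write in one place, and the existing `die()` can then test the returned length instead of a hand-computed 6 — assuming DHCP_BUFF_SZ is the allocation size of `daemon->dhcp_buff`, which the hunk implies but does not show. lease_init's body continues outside the hunk.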


@ -0,0 +1,50 @@
From f006be7842104a9f86fbf419326b7aad08ade61d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 4 Oct 2024 16:59:14 +0100
Subject: [PATCH] Fix crash when reloading DHCP config on SIGHUP.
Confusion in the code to free old DHCP configuration when it's
being reloaded causes invalid pointers to be followed and a crash.
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q4/017764.html
has a more complete explanation of the problem.
Conflict:NA
Reference:https://github.com/rhuijben/dnsmasq/commit/f006be7842104a9f86fbf419326b7aad08ade61d
---
src/option.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/option.c b/src/option.c
index f4ff7c0..ed0d9e1 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1336,7 +1336,7 @@ static void dhcp_netid_free(struct dhcp_netid *nid)
/* Parse one or more tag:s before parameters.
* Moves arg to the end of tags. */
-static struct dhcp_netid * dhcp_tags(char **arg)
+static struct dhcp_netid *dhcp_tags(char **arg)
{
struct dhcp_netid *id = NULL;
@@ -1360,7 +1360,13 @@ static void dhcp_netid_list_free(struct dhcp_netid_list *netid)
{
struct dhcp_netid_list *tmplist = netid;
netid = netid->next;
- dhcp_netid_free(tmplist->list);
+ /* Note: don't use dhcp_netid_free() here, since that
+ frees a list linked on netid->next. Where a netid_list
+ is used that's because the the ->next pointers in the
+ netids are being used to temporarily construct
+ a list of valid tags. */
+ free(tmplist->list->net);
+ free(tmplist->list);
free(tmplist);
}
}
--
2.33.0
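Review bot: `free(tmplist->list->net)` dereferences `tmplist->list` unconditionally; the `dhcp_netid_free()` it replaces is declared just above (its body is outside the hunk) and, being a list walker, presumably tolerated a NULL head, so if any `dhcp_netid_list` node can carry `list == NULL` this trades the invalid-pointer crash for a NULL dereference on reload. If that case is reachable, guard it: `if (tmplist->list) { free(tmplist->list->net); free(tmplist->list); }`. The added comment also has a typo, "the the ->next pointers". dhcp_netid_list_free's body begins outside the hunk.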


@ -0,0 +1,39 @@
From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Wed, 21 Feb 2024 00:24:25 +0000
Subject: [PATCH] [PATCH] Fix error introduced in
51471cafa5a4fa44d6fe490885d9910bd72a5907
Signed-off-by: renmingshuai <renmingshuai@huawei.com>
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ccff85ad72d2f858d9743d40525128e4f62d41a8
Conflict:NA
---
src/dnssec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index ed2f53f..291b43f 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
nsecs[i] = NULL; /* Speculative, will be restored if OK. */
if (!(p = skip_name(nsec3p, header, plen, 15)))
- return 0; /* bad packet */
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
p += 10; /* type, class, TTL, rdlen */
@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if (!wildname)
{
if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
wildcard--;
*wildcard = '*';
--
2.33.0


@ -1,48 +0,0 @@
From d16b995756dc079b1fdc2e63665793979f766a26 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Sat, 30 Sep 2023 23:31:08 +0100
Subject: [PATCH] Fix memory leak when using --dhcp-optsfile with DHCPv6
options.
Conflict:NA
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=d16b995756dc079b1fdc2e63665793979f766a26
---
src/option.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/option.c b/src/option.c
index 8322725..286f06b 100644
--- a/src/option.c
+++ b/src/option.c
@@ -5734,11 +5734,11 @@ static void clear_dynamic_conf(void)
}
}
-static void clear_dynamic_opt(void)
+static void clear_dhcp_opt(struct dhcp_opt **dhcp_opts)
{
struct dhcp_opt *opts, *cp, **up;
- for (up = &daemon->dhcp_opts, opts = daemon->dhcp_opts; opts; opts = cp)
+ for (up = dhcp_opts, opts = *dhcp_opts; opts; opts = cp)
{
cp = opts->next;
@@ -5752,6 +5752,14 @@ static void clear_dynamic_opt(void)
}
}
+static void clear_dynamic_opt(void)
+{
+ clear_dhcp_opt(&daemon->dhcp_opts);
+#ifdef HAVE_DHCP6
+ clear_dhcp_opt(&daemon->dhcp_opts6);
+#endif
+}
+
void reread_dhcp(void)
{
struct hostsfile *hf;
--
2.23.0


@ -0,0 +1,35 @@
From b087cf4a6c3dd4c323a099770a44c24812381bf4 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 21 Nov 2024 15:28:31 +0000
Subject: [PATCH] Fix out-of-bounds heap read in order_qsort().
We only need to order two server records on the ->serial field.
Literal address records are smaller and don't have
this field and don't need to be ordered on it.
To actually provoke this bug seems to need the same server-literal
to be repeated twice, eg --address=/a/1.1.1.1 --address-/a/1.1.1.1
which is clearly rare in the wild, but if it did exist it could
provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one.
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=b087cf4a6c3dd4c323a099770a44c24812381bf4
Conflict:NA
---
src/domain-match.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/domain-match.c b/src/domain-match.c
index e0f4313..d79967f 100644
--- a/src/domain-match.c
+++ b/src/domain-match.c
@@ -540,7 +540,7 @@ static int order_qsort(const void *a, const void *b)
/* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */
if (rc == 0)
- if (!(s1->flags & SERV_LITERAL_ADDRESS))
+ if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL))
rc = s1->serial - s2->serial;
return rc;
--
2.33.0
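Review bot: `rc = s1->serial - s2->serial;` is kept as a plain subtraction, which is the classic qsort-comparator overflow if `serial` is a signed int and the two values are far apart; the usual form is `rc = (s1->serial > s2->serial) - (s1->serial < s2->serial);`. The new condition checks both records for SERV_IS_LOCAL, which is the actual out-of-bounds fix and reads correctly. order_qsort's body begins outside the hunk, so I cannot see serial's declared type — if it is a small monotonic counter the overflow is theoretical.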


@ -0,0 +1,215 @@
From 535be2f5d355d61332043c7fdc06e095e52a3937 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 8 Feb 2025 22:58:42 +0000
Subject: [PATCH] Fix possible SIGSEGV in bpf.c
Conflict:Context adaptation
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=535be2f5d355d61332043c7fdc06e095e52a3937
---
src/bpf.c | 170 ++++++++++++++++++++++++++----------------------------
1 file changed, 83 insertions(+), 87 deletions(-)
diff --git a/src/bpf.c b/src/bpf.c
index 15c42fc..4620b3f 100644
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -126,112 +126,108 @@ int iface_enumerate(int family, void *parm, int (*callback)())
for (addrs = head; addrs; addrs = addrs->ifa_next)
{
- if (addrs->ifa_addr->sa_family == family)
- {
- int iface_index = if_nametoindex(addrs->ifa_name);
-
- if (iface_index == 0 || !addrs->ifa_addr ||
- (!addrs->ifa_netmask && family != AF_LINK))
- continue;
+ int iface_index = if_nametoindex(addrs->ifa_name);
- if (family == AF_INET)
- {
- struct in_addr addr, netmask, broadcast;
- addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
+ if (iface_index == 0 || !addrs->ifa_addr ||
+ addrs->ifa_addr->sa_family != family ||
+ (!addrs->ifa_netmask && family != AF_LINK))
+ continue;
+ if (family == AF_INET)
+ {
+ struct in_addr addr, netmask, broadcast;
+ addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
#ifdef HAVE_BSD_NETWORK
- if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
- continue;
+ if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
+ continue;
#endif
- netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
- if (addrs->ifa_broadaddr)
- broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr;
- else
- broadcast.s_addr = 0;
- if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
- goto err;
- }
- else if (family == AF_INET6)
- {
- struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
- unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
- int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
- int i, j, prefix = 0;
- u32 valid = 0xffffffff, preferred = 0xffffffff;
- int flags = 0;
+ netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
+ if (addrs->ifa_broadaddr)
+ broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr;
+ else
+ broadcast.s_addr = 0;
+ if (!callback.af_inet(addr, iface_index, NULL, netmask, broadcast, parm))
+ goto err;
+ }
+ else if (family == AF_INET6)
+ {
+ struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
+ unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
+ int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
+ int i, j, prefix = 0;
+ u32 valid = 0xffffffff, preferred = 0xffffffff;
+ int flags = 0;
#ifdef HAVE_BSD_NETWORK
- if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
- continue;
+ if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
+ continue;
#endif
#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
- struct in6_ifreq ifr6;
-
- memset(&ifr6, 0, sizeof(ifr6));
- safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+ struct in6_ifreq ifr6;
+
+ memset(&ifr6, 0, sizeof(ifr6));
+ safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+
+ ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+ if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
+ {
+ if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
+ flags |= IFACE_TENTATIVE;
- ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
- if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
- {
- if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
- flags |= IFACE_TENTATIVE;
-
- if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
- flags |= IFACE_DEPRECATED;
+ if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
+ flags |= IFACE_DEPRECATED;
#ifdef IN6_IFF_TEMPORARY
- if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
- flags |= IFACE_PERMANENT;
+ if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
+ flags |= IFACE_PERMANENT;
#endif
#ifdef IN6_IFF_PRIVACY
- if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
- flags |= IFACE_PERMANENT;
-#endif
- }
-
- ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
- if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
- {
- valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
- preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
- }
+ if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
+ flags |= IFACE_PERMANENT;
#endif
-
- for (i = 0; i < IN6ADDRSZ; i++, prefix += 8)
- if (netmask[i] != 0xff)
- break;
-
- if (i != IN6ADDRSZ && netmask[i])
- for (j = 7; j > 0; j--, prefix++)
- if ((netmask[i] & (1 << j)) == 0)
- break;
-
- /* voodoo to clear interface field in address */
- if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
- {
- addr->s6_addr[2] = 0;
- addr->s6_addr[3] = 0;
- }
-
- if (!((*callback)(addr, prefix, scope_id, iface_index, flags,
- (int) preferred, (int)valid, parm)))
- goto err;
- }
-#ifdef HAVE_DHCP6
- else if (family == AF_LINK)
- {
- /* Assume ethernet again here */
- struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
- if (sdl->sdl_alen != 0 &&
- !((*callback)(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm)))
- goto err;
+ ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+ if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
+ {
+ valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
+ preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
}
-#endif
+#endif
+
+ for (i = 0; i < IN6ADDRSZ; i++, prefix += 8)
+ if (netmask[i] != 0xff)
+ break;
+
+ if (i != IN6ADDRSZ && netmask[i])
+ for (j = 7; j > 0; j--, prefix++)
+ if ((netmask[i] & (1 << j)) == 0)
+ break;
+
+ /* voodoo to clear interface field in address */
+ if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
+ {
+ addr->s6_addr[2] = 0;
+ addr->s6_addr[3] = 0;
+ }
+
+ if (!callback.af_inet6(addr, prefix, scope_id, iface_index, flags,
+ (unsigned int) preferred, (unsigned int)valid, parm))
+ goto err;
+ }
+
+#ifdef HAVE_DHCP6
+ else if (family == AF_LINK)
+ {
+ /* Assume ethernet again here */
+ struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
+ if (sdl->sdl_alen != 0 &&
+ !callback.af_local(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm))
+ goto err;
}
+#endif
}
ret = 1;
-
+
err:
errsave = errno;
freeifaddrs(head);
--
2.33.0
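Review bot: The new side invokes `callback.af_inet(...)`, `callback.af_inet6(...)` and `callback.af_local(...)` as members, but the hunk header still shows the enclosing signature as `int iface_enumerate(int family, void *parm, int (*callback)())` and this patch has no other hunk; the function header is outside the hunk, so confirm that the 2.90 tree this is applied to already declares `callback` as the struct/union of typed callbacks — otherwise this does not compile and the "Context adaptation" needs to cover the signature and its netlink.c/network.c counterparts as well. The casts on the AF_INET6 callback also changed from `(int)` to `(unsigned int)` for preferred/valid, which is fine if the typed callback takes unsigned but is a silent interface change relative to the old function-pointer call. The reordering that checks `addrs->ifa_addr` before reading `sa_family` is the SIGSEGV fix and looks right.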


@ -0,0 +1,61 @@
From efb8f104502c0d8efcd45101a767225042ef21d3 Mon Sep 17 00:00:00 2001
From: Brian Haley <haleyb.dev@gmail.com>
Date: Thu, 23 Jan 2025 18:26:45 -0500
Subject: [PATCH] Fix potential memory leak
When a new IPv6 address is being added to a dhcp_config
struct, if there is anything invalid regarding the prefix
it looks like there is a potential memory leak.
ret_err_free() should be used to free it.
Also, the new addrlist struct is being linked into
the existing addr6 list in the dhcp_config before the
validity check, it is best to defer this insertion
until later so an invalid entry is not present, since
the CONFIG_ADDR6 flag might not have been set yet.
Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=efb8f104502c0d8efcd45101a767225042ef21d3
Conflict:NA
---
src/option.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/option.c b/src/option.c
index 16afb13..f3dee87 100644
--- a/src/option.c
+++ b/src/option.c
@@ -4043,10 +4043,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
}
new_addr = opt_malloc(sizeof(struct addrlist));
- new_addr->next = new->addr6;
new_addr->flags = 0;
new_addr->addr.addr6 = in6;
- new->addr6 = new_addr;
if (pref)
{
@@ -4057,7 +4055,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
((((u64)1<<(128-new_addr->prefixlen))-1) & addrpart) != 0)
{
dhcp_config_free(new);
- ret_err(_("bad IPv6 prefix"));
+ ret_err_free(_("bad IPv6 prefix"), new_addr);
}
new_addr->flags |= ADDRLIST_PREFIX;
@@ -4071,6 +4069,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
if (i == 8)
new_addr->flags |= ADDRLIST_WILDCARD;
+ new_addr->next = new->addr6;
+ new->addr6 = new_addr;
new->flags |= CONFIG_ADDR6;
}
#endif
--
2.33.0
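Review bot: With the link into `new->addr6` deferred to the third hunk, `new_addr` is owned by nothing between `opt_malloc` and that point, so every error exit in that span must free it explicitly; the hunk fixes the "bad IPv6 prefix" exit, but the code between the second and third hunks is outside view, and any other `ret_err` there (or a `dhcp_config_free(new)` that assumes the address is already linked) would now leak `new_addr`. A one-line comment at the allocation, `/* not yet linked into new->addr6; free on every error exit until then */`, would keep the invariant visible for the next edit. one_opt's body starts and ends outside the hunks.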


@ -0,0 +1,53 @@
From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 19 Feb 2024 12:22:43 +0000
Subject: [PATCH] Fix spurious "resource limit exceeded" messages.
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.
Thanks to Dominik Derigs and the Pi-hole project for
spotting this.
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1ed783b8d7343c42910a61f12a8fc6237eb80417
Conflict:NA
---
CHANGELOG | 5 +++++
src/forward.c | 6 +++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 713b785..f318ac0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+version 2.91
+ Fix spurious "resource limit exceeded messages". Thanks to
+ Dominik Derigs for the bug report.
+
+
version 2.90
Fix reversion in --rev-server introduced in 2.88 which
caused breakage if the prefix length is not exactly divisible
diff --git a/src/forward.c b/src/forward.c
index 32f37e4..10e7496 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
!option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
NULL, NULL, NULL, &orig->validate_counter);
- }
- if (STAT_ISEQUAL(status, STAT_ABANDONED))
- log_resource = 1;
+ if (STAT_ISEQUAL(status, STAT_ABANDONED))
+ log_resource = 1;
+ }
/* Can't validate, as we're missing key data. Put this
answer aside, whilst we get that. */
--
2.33.0


@ -0,0 +1,34 @@
From 80498fab01342243707a482f9b42c38a7c564026 Mon Sep 17 00:00:00 2001
From: Erik Karlsson <erik.karlsson@iopsys.eu>
Date: Mon, 29 Apr 2024 20:44:13 +0200
Subject: [PATCH] Update DNS records after pruning DHCP leases
Not doing so can result in a use after free since the name for DHCP
derived DNS records is represented as a pointer into the DHCP lease
table. Update will only happen when necessary since lease_update_dns
tests internally on dns_dirty and the force argument is zero.
Signed-off-by: Erik Karlsson <erik.karlsson@iopsys.eu>
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=80498fab01342243707a482f9b42c38a7c564026
Conflict:NA
---
src/dnsmasq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index c14240e..48e402f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1517,6 +1517,7 @@ static void async_event(int pipe, time_t now)
{
lease_prune(NULL, now);
lease_update_file(now);
+ lease_update_dns(0);
}
#ifdef HAVE_DHCP6
else if (daemon->doing_ra)
--
2.33.0
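Review bot: The added `lease_update_dns(0)` closes the dangling-name window described in the commit message for this signal path, but the same hazard pattern appears in the "allow binding mac with ip6" patch in this compare, where `check_address()` in rfc3315.c now calls `lease_prune(lease, now)` directly with no DNS refresh afterwards. If the DHCPv6 reply path does not already call `lease_update_dns()` before the next name lookup, it has the same use-after-free exposure and needs the same treatment; that code is outside this section, so I cannot confirm either way. async_event's body starts and ends outside the hunk.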


@ -0,0 +1,28 @@
From f162d344c03bc9db125084a8f05c9cd7c0c1f4de Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sun, 29 Dec 2024 22:02:21 +0100
Subject: [PATCH] cache: Fix potential NULL deref in arcane situations.
Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=f162d344c03bc9db125084a8f05c9cd7c0c1f4de
Conflict:NA
---
src/cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cache.c b/src/cache.c
index 4395fee..f2aecca 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -479,7 +479,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
if ((crecp->flags & F_FORWARD) && hostname_isequal(cache_get_name(crecp), name))
{
int rrmatch = 0;
- if (crecp->flags & flags & F_RR)
+ if (addr && (crecp->flags & flags & F_RR))
{
unsigned short rrc = (crecp->flags & F_KEYTAG) ? crecp->addr.rrblock.rrtype : crecp->addr.rrdata.rrtype;
unsigned short rra = (flags & F_KEYTAG) ? addr->rrblock.rrtype : addr->rrdata.rrtype;
--
2.33.0
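Review bot: The new `addr &&` guard in cache_scan_free keeps the `addr->rrblock.rrtype` read two lines below from dereferencing NULL, but the hunk gives no hint of when a caller passes a NULL `addr` together with F_RR in `flags`, so the next reader cannot tell whether this is a real call path or defensive noise. A comment on the guard such as `/* addr may be NULL; no rrtype comparison is possible without it */` would settle that. Whether a NULL addr with F_RR is meant to match no record or every record of that name is decided by code after this hunk, which is not visible here. cache_scan_free starts and ends outside the hunk.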


@ -1,18 +1,20 @@
From 0e581ae7b2d3b181f22f71d5a0b7ace0bf90089f Mon Sep 17 00:00:00 2001
From 6fda9cd7cba519a8aa96b43ebc34cb6c46b3bfe7 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert@redhat.com>
Date: Tue, 26 Sep 2017 14:48:20 +0930
Subject: [PATCH] google patch hand-applied
Reference:
https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.77-underflow.patch
---
src/edns0.c | 10 +++++-----
src/rfc1035.c | 3 +++
2 files changed, 8 insertions(+), 5 deletions(-)
src/rfc1035.c | 5 ++++-
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/edns0.c b/src/edns0.c
index c498eb1..0eb3873 100644
index 598478f..72127e5 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
@@ -209,11 +209,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
/* Copy back any options */
if (buff)
{
@ -30,19 +32,21 @@ index c498eb1..0eb3873 100644
free(buff);
p += rdlen;
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5c0df56..7e01459 100644
index 387d894..7fb1468 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1425,6 +1425,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
@@ -1581,7 +1581,10 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
size_t len;
int rd_bit = (header->hb3 & HB3_RD);
int count = 255; /* catch loops */
-
+
+ // Make sure we do not underflow here too.
+ if (qlen > (limit - ((char *)header))) return 0;
+
if (stale)
*stale = 0;
--
2.38.1
2.43.0
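Review bot: In the re-based rfc1035.c hunk, `if (qlen > (limit - ((char *)header))) return 0;` compares a size_t against a ptrdiff_t, so the comparison is carried out in unsigned arithmetic and a negative difference (limit below header) would not be rejected; writing `if (qlen > (size_t)(limit - (char *)header)) return 0;` makes the intended non-negative range explicit and silences -Wsign-compare. The `// Make sure we do not underflow here too.` line is the only `//` comment in the hunk while the neighbouring code uses `/* catch loops */`, so `/* Make sure we do not underflow here too. */` would match the file. The rebased hunk also deletes and re-adds the blank line before the check (the `-`/`+` pair at its top), which is whitespace churn that could be dropped to keep the backport minimal. answer_request starts and ends outside the hunk, and the edns0.c hunk of this patch is only partly visible here.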


@ -1,26 +1,38 @@
From 8c8ca24806d5ebfe5018279ec84538a17014a918 Mon Sep 17 00:00:00 2001
From: xiaoweiwei <xiaoweiwei5@huawei.com>
Date: Tue, 28 Jul 2020 10:57:56 +0800
Subject: [PATCH] fips
From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 2 Mar 2018 13:17:04 +0100
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
has no proper FIPS 140-2 compliant implementation.
Reference:https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.78-fips.patch
---
src/dnsmasq.c | 3 +++
1 file changed, 3 insertions(+)
src/dnsmasq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 2306c48..bfad87f 100644
index 480c5f9..5fd229e 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -877,6 +877,9 @@ int main (int argc, char **argv)
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
if (daemon->cachesize < CACHESIZ)
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+
#else
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
#endif
@@ -786,7 +787,10 @@ int main (int argc, char **argv)
my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
else
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
-
+
+ if (access("/etc/system-fips", F_OK) == 0)
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
+
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
--
1.8.3.1
2.14.4
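Review bot: The rebased patch's first hunk (`@@ -187,6 +187,7 @@`) inserts nothing but a blank line after the cache-size `die(...)`, which is unrelated to the FIPS warning and could be dropped so the backport carries only its functional change. In the second hunk the FIPS test is `access("/etc/system-fips", F_OK) == 0`; that marker file is distribution-specific, and on a system that signals FIPS mode only through the kernel's `/proc/sys/crypto/fips_enabled` the warning would never be logged, so it is worth confirming which indicator the target distribution provides before relying on the file alone. The `-`/`+` pair above the new `access` call also replaces a blank line with a blank line, presumably whitespace normalisation. main starts and ends outside the hunk.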


@ -1,4 +1,4 @@
From 194e7521399048e37c5c2cff18b9c8d442b893ae Mon Sep 17 00:00:00 2001
From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
@ -6,12 +6,14 @@ Subject: [PATCH] Modify upstream configuration to safe defaults
Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
Reference:https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.81-configuration.patch
---
dnsmasq.conf.example | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
dnsmasq.conf.example | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index bf19424..8b85f44 100644
index 0cbf572..6c47c3c 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
@ -23,7 +25,7 @@ index bf19424..8b85f44 100644
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -96,14 +96,16 @@
@@ -106,8 +106,8 @@
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
@ -34,36 +36,30 @@ index bf19424..8b85f44 100644
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
+# Listen only on localhost by default
+interface=lo
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
@@ -114,6 +116,10 @@
@@ -124,6 +124,14 @@
# disable DHCP and TFTP on it.
#no-dhcp-interface=
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+#local-service
+# Accept queries in default configuration only from localhost
+# Comment out following option or explicitly configure interfaces or
+# listen-address
+local-service=host
+
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
@@ -121,7 +127,16 @@
@@ -131,7 +139,15 @@
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
-#bind-interfaces
+#
+# To listen only on localhost and do not receive packets on other
+# interfaces, bind only to lo device. Comment out to bind on single
+# wildcard socket.
+bind-interfaces
+
#bind-interfaces
+# Comment out above line and uncoment following 2 lines.
+# Update interface name, use ip link to get its name.
+#bind-dynamic
@ -71,7 +67,7 @@ index bf19424..8b85f44 100644
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
@@ -535,7 +550,7 @@
@@ -545,7 +561,7 @@
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
@ -80,7 +76,7 @@ index bf19424..8b85f44 100644
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
@@ -673,7 +688,11 @@
@@ -683,7 +699,11 @@
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
@ -93,5 +89,5 @@ index bf19424..8b85f44 100644
#dhcp-ignore-names=tag:wpad-ignore
+
--
2.31.1
2.43.0


@ -1,136 +0,0 @@
From 53e1a09a06e11317bbde0e236837e5daa8d40593 Mon Sep 17 00:00:00 2001
From: liaichun <liaichun@huawei.com>
Date: Mon, 20 Apr 2020 16:06:51 +0800
---
src/dnsmasq.c | 1 +
src/dnsmasq.h | 4 +++-
src/option.c | 3 +++
src/rfc3315.c | 35 ++++++++++++++++++++++++++++++++++-
4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 9f326ed..70ea6fa 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -292,6 +292,7 @@ int main (int argc, char **argv)
{
daemon->doing_ra = option_bool(OPT_RA);
+ daemon->bind_mac_with_ip6 = option_bool(OPT_BIND_MAC_IP6);
for (context = daemon->dhcp6; context; context = context->next)
{
if (context->flags & CONTEXT_DHCP)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index fe9aa07..dbbeab1 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,8 @@ struct event_desc {
#define OPT_STRIP_MAC 70
#define OPT_NORR 71
#define OPT_NO_IDENT 72
-#define OPT_LAST 73
+#define OPT_BIND_MAC_IP6 73
+#define OPT_LAST 74
#define OPTION_BITS (sizeof(unsigned int)*8)
#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -1180,6 +1181,7 @@ extern struct daemon {
int override;
int enable_pxe;
int doing_ra, doing_dhcp6;
+ int bind_mac_with_ip6;
struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names;
struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
struct hostsfile *dhcp_hosts_file, *dhcp_opts_file;
diff --git a/src/option.c b/src/option.c
index e4810fd..8efd687 100644
--- a/src/option.c
+++ b/src/option.c
@@ -186,6 +186,7 @@ struct myoption {
#define LOPT_STALE_CACHE 377
#define LOPT_NORR 378
#define LOPT_NO_IDENT 379
+#define LOPT_BIND_MAC_IP6 380
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -376,6 +377,7 @@ static const struct myoption opts[] =
{ "fast-dns-retry", 2, 0, LOPT_FAST_RETRY },
{ "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
{ "no-ident", 0, 0, LOPT_NO_IDENT },
+ { "bind-mac-with-ip6", 0, 0 , LOPT_BIND_MAC_IP6 },
{ NULL, 0, 0, 0 }
};
@@ -573,6 +575,7 @@ static struct {
{ LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL },
{ LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL },
{ LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL },
+ { LOPT_BIND_MAC_IP6, OPT_BIND_MAC_IP6, NULL, gettext_noop("Bind mac with ipv6 address. This is an experimental feature and it conflicts with rfc3315."), NULL },
{ 0, 0, NULL, NULL, NULL }
};
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 8754481..f093a5c 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -49,6 +49,7 @@ static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz);
static void mark_context_used(struct state *state, struct in6_addr *addr);
static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr);
static int check_address(struct state *state, struct in6_addr *addr);
+static int check_and_try_preempte_address(struct state *state, struct in6_addr *addr, time_t now, struct dhcp_config *config);
static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now);
static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr);
static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option,
@@ -704,7 +705,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
for (c = state->context; c; c = c->current)
if (!(c->flags & CONTEXT_CONF_USED) &&
match_netid(c->filter, solicit_tags, plain_range) &&
- config_valid(config, c, &addr, state, now))
+ config_valid(config, c, &addr, state, now) &&
+ check_and_try_preempte_address(state, &addr, now, config))
{
mark_config_used(state->context, &addr);
if (have_config(config, CONFIG_TIME))
@@ -1289,6 +1291,37 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
}
+static int check_and_try_preempte_address(struct state *state, struct in6_addr *addr, time_t now, struct dhcp_config *config)
+{
+ struct dhcp_lease *lease;
+
+ if (!(lease = lease6_find_by_addr(addr, 128, 0)))
+ {
+ return 1;
+ }
+
+
+ if(daemon->bind_mac_with_ip6) {
+ // break rfc3315 here
+ // bind mac address with a lease
+ if ((state->mac) && !(config->flags & CONFIG_CLID) &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type)) {
+ lease_prune(lease, now);
+ return 1;
+ }
+ }
+
+ // what rfc3315 do
+ if (lease->clid_len != state->clid_len ||
+ memcmp(lease->clid, state->clid, state->clid_len) != 0 ||
+ lease->iaid != state->iaid)
+ {
+ return 0;
+ }
+
+ return 1;
+}
+
static struct dhcp_netid *add_options(struct state *state, int do_refresh)
{
void *oro;
--
2.23.0


@ -1,69 +0,0 @@
From 068fe05737fe86185b5d55da7de6ea6b2668c911 Mon Sep 17 00:00:00 2001
From: liaichun <liaichun@huawei.com>
Date: Mon, 20 Apr 2020 16:17:24 +0800
Subject: [PATCH] bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6
Conflict: NA
Reference: NA
---
src/rfc3315.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index f093a5c..7ec4e8a 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1058,12 +1058,32 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
case DHCP6CONFIRM:
{
int good_addr = 0;
+ int find_bind = 0;
+ struct dhcp_config *find_config = NULL;
/* set reply message type */
outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
-
+
+ if(daemon->bind_mac_with_ip6) {
+ if(state->mac) {
+ for (find_config = daemon->dhcp_conf; find_config; find_config = find_config->next)
+ if (config_has_mac(find_config, state->mac, state->mac_len, state->mac_type) && have_config(find_config, CONFIG_ADDR6)) {
+ find_bind = 1;
+ break;
+ }
+ }
+ /* requires all mac has binding ipv6 address. */
+ if (find_bind == 0) {
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOTONLINK);
+ put_opt6_string(_("confirm failed, no binding found"));
+ end_opt6(o1);
+ return 1;
+ }
+ }
+
for (opt = state->packet_options; opt; opt = opt6_next(opt, state->end))
{
void *ia_option, *ia_end;
@@ -1086,7 +1106,15 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
log6_quiet(state, "DHCPREPLY", &req_addr, _("confirm failed"));
return 1;
}
-
+ if(daemon->bind_mac_with_ip6) {
+ if (!is_same_net6(&req_addr, &find_config->addr6, 128)) {
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOTONLINK);
+ put_opt6_string(_("confirm failed, not binding to this address"));
+ end_opt6(o1);
+ return 1;
+ }
+ }
good_addr = 1;
log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname);
}
--
2.23.0


dnsmasq-2.90.tar.xz Normal file



@ -1,6 +1,6 @@
Name: dnsmasq
Version: 2.89
Release: 2
Version: 2.90
Release: 4
Summary: Dnsmasq provides network infrastructure for small networks
License: GPLv2 or GPLv3
URL: http://www.thekelleys.org.uk/dnsmasq/
@ -11,10 +11,17 @@ Source2: dnsmasq-systemd-sysusers.conf
Patch1: backport-dnsmasq-2.77-underflow.patch
Patch2: backport-dnsmasq-2.81-configuration.patch
Patch3: backport-dnsmasq-2.78-fips.patch
Patch4: backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
Patch5: bugfix-allow-binding-mac-with-ipv6.patch
Patch6: bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch
Patch7: backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
Patch4: backport-Fix-spurious-resource-limit-exceeded-messages.patch
Patch5: backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
Patch6: backport-Fix-crash-when-reloading-DHCP-config-on-SIGHUP.patch
Patch7: backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch
Patch8: backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
Patch9: backport-Update-DNS-records-after-pruning-DHCP-leases.patch
Patch10: backport-cache-Fix-potential-NULL-deref-in-arcane-situations.patch
Patch11: backport-Fix-potential-memory-leak.patch
Patch12: backport-Fix-possible-SIGSEGV-in-bpf.c.patch
Patch9000: allow-binding-mac-with-ip6.patch
BuildRequires: gcc
BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd
@ -104,6 +111,34 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man8/dnsmasq*
%changelog
* Thu Mar 20 2025 lingsheng <lingsheng1@h-partners.com> - 2.90-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:Update DNS records after pruning DHCP leases
cache: Fix potential NULL deref in arcane situations.
Fix potential memory leak
Fix possible SIGSEGV in bpf.c
allow binding mac with ip6
* Thu Dec 12 2024 huyizhen <huyizhen2@huawei.com> - 2.90-3
- Type:bugfix
- CVE:
- SUG:NA
- DESC:backport upstream patches
* Sat Oct 12 2024 huyizhen <huyizhen2@huawei.com> - 2.90-2
- Type:bugfix
- CVE:
- SUG:NA
- DESC:Fix crash when reloading DHCP config on SIGHUP
* Thu Feb 22 2024 renmingshuai <renmingshuai@huawei.com> - 2.90-1
- Type:requirement
- Id:NA
- SUG:NA
- DESC:Update to 2.90
* Wed Nov 22 2023 renmingshuai <renmingshuai@huawei.com> - 2.89-2
- Type:bugfix
- Id:NA