From 838a27f64f56e75aae98a3ab2556856224d48d8b Mon Sep 17 00:00:00 2001 From: Nathaniel Wesley Filardo Date: Sun, 18 Feb 2024 13:12:10 +0000 Subject: [PATCH] dnsmasq: version 2.90 Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387, CVE-2023-50868) among many other goodies and fixes (notably, upstream 568fb024... fixes a UAF in cache_remove_uid that was routinely crashing dnsmasq in my deployment). Catch up our 200-ubus_dns.patch, too. Signed-off-by: Nathaniel Wesley Filardo --- package/network/services/dnsmasq/Makefile | 4 +- .../dnsmasq/patches/200-ubus_dns.patch | 118 +++++++++--------- 2 files changed, 64 insertions(+), 58 deletions(-) diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index e33d866304..d2de74d9da 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.89 +PKG_UPSTREAM_VERSION:=2.90 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) PKG_RELEASE:=8 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609 +PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/200-ubus_dns.patch b/package/network/services/dnsmasq/patches/200-ubus_dns.patch index ccbe70ab9c..c1694d5551 100644 --- a/package/network/services/dnsmasq/patches/200-ubus_dns.patch +++ b/package/network/services/dnsmasq/patches/200-ubus_dns.patch @@ -1,6 +1,23 @@ +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 30fb419..776351a 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -2025,6 +2025,10 @@ static void check_dns_listeners(time_t now) + daemon->pipe_to_parent = pipefd[1]; + } + ++#ifdef HAVE_UBUS ++ drop_ubus_listeners(); ++#endif ++ + /* start with no upstream connections. */ + for (s = daemon->servers; s; s = s->next) + s->tcpfd = -1; +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index e455c3f..c84ba48 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1631,14 +1631,26 @@ void emit_dbus_signal(int action, struct +@@ -1673,14 +1673,26 @@ void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname); /* ubus.c */ #ifdef HAVE_UBUS @@ -11,6 +28,7 @@ void set_ubus_listeners(void); void check_ubus_listeners(void); +void drop_ubus_listeners(void); ++int ubus_dns_notify_has_subscribers(void); +struct blob_buf *ubus_dns_notify_prepare(void); +int ubus_dns_notify(const char *type, ubus_dns_notify_cb cb, void *priv); void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface); @@ -19,14 +37,28 @@ void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *pattern, const char *ip, u32 ttl); # endif +#else -+struct blob_buf; -+static inline struct blob_buf *ubus_dns_notify_prepare(void) ++static inline int ubus_dns_notify_has_subscribers(void) +{ -+ return NULL; ++ return 0; +} #endif /* ipset.c */ +diff --git a/src/forward.c b/src/forward.c +index 32f37e4..3d28963 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server + cache_secure = 0; + } + +- if (daemon->doctors && do_doctor(header, n, daemon->namebuff)) ++ if ((daemon->doctors || ubus_dns_notify_has_subscribers()) && do_doctor(header, n, daemon->namebuff)) + cache_secure = 0; + + /* check_for_bogus_wildcard() does it's own caching, so +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 387d894..7bf7967 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -13,8 +13,10 @@ @@ -41,7 +73,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, char *name, int isExtract, int extrabytes) -@@ -394,9 +396,64 @@ static int private_net6(struct in6_addr +@@ -384,10 +386,65 @@ static int private_net6(struct in6_addr *a, int ban_localhost) ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */ } @@ -100,14 +132,15 @@ +} +#endif + - static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, int *doctored) + int do_doctor(struct dns_header *header, size_t qlen, char *namebuff) { + unsigned char *p; - int i, qtype, qclass, rdlen; + int i, qtype, qclass, rdlen, ttl; - - for (i = count; i != 0; i--) - { -@@ -405,7 +462,7 @@ static unsigned char *do_doctor(unsigned + int done = 0; + + if (!(p = skip_questions(header, qlen))) +@@ -404,7 +461,7 @@ int do_doctor(struct dns_header *header, size_t qlen, char *namebuff) GETSHORT(qtype, p); GETSHORT(qclass, p); @@ -116,53 +149,36 @@ GETSHORT(rdlen, p); if (qclass == C_IN && qtype == T_A) -@@ -416,6 +473,9 @@ static unsigned char *do_doctor(unsigned +@@ -415,6 +472,9 @@ int do_doctor(struct dns_header *header, size_t qlen, char *namebuff) if (!CHECK_LEN(header, p, qlen, INADDRSZ)) - return 0; + return done; + if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET)) -+ *doctored = 1; ++ header->hb3 &= ~HB3_AA; + /* alignment */ - memcpy(&addr, p, INADDRSZ); + memcpy(&addr.addr4, p, INADDRSZ); -@@ -433,13 +493,22 @@ static unsigned char *do_doctor(unsigned - addr.s_addr &= ~doctor->mask.s_addr; - addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr); - /* Since we munged the data, the server it came from is no longer authoritative */ -- header->hb3 &= ~HB3_AA; - *doctored = 1; - memcpy(p, &addr, INADDRSZ); +@@ -444,6 +504,14 @@ int do_doctor(struct dns_header *header, size_t qlen, char *namebuff) break; } } -- + else if (qclass == C_IN && qtype == T_AAAA) + { + if (!CHECK_LEN(header, p, qlen, IN6ADDRSZ)) + return 0; + + if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET6)) -+ *doctored = 1; ++ header->hb3 &= ~HB3_AA; + } -+ -+ if (*doctored) -+ header->hb3 &= ~HB3_AA; + if (!ADD_RDLEN(header, p, qlen, rdlen)) - return 0; /* bad packet */ - } -@@ -570,7 +639,7 @@ int extract_addresses(struct dns_header - cache_start_insert(); - - /* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */ -- if (daemon->doctors || option_bool(OPT_DNSSEC_VALID)) -+ if (daemon->doctors || option_bool(OPT_DNSSEC_VALID) || ubus_dns_notify_prepare()) - { - searched_soa = 1; - ttl = find_soa(header, qlen, doctored); + return done; /* bad packet */ +diff --git a/src/ubus.c b/src/ubus.c +index a5758e7..f2a75a8 100644 --- a/src/ubus.c +++ b/src/ubus.c -@@ -72,6 +72,13 @@ static struct ubus_object ubus_object = +@@ -72,6 +72,13 @@ static struct ubus_object ubus_object = { .subscribe_cb = ubus_subscribe_cb, }; @@ -176,7 +192,7 @@ static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj) { (void)ctx; -@@ -105,13 +112,21 @@ static void ubus_disconnect_cb(struct ub +@@ -105,13 +112,21 @@ static void ubus_disconnect_cb(struct ubus_context *ubus) char *ubus_init() { struct ubus_context *ubus = NULL; @@ -216,15 +232,18 @@ static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, struct blob_attr *msg) -@@ -328,6 +354,50 @@ fail: +@@ -328,6 +354,53 @@ fail: } \ } while (0) ++int ubus_dns_notify_has_subscribers(void) ++{ ++ return (daemon->ubus && ubus_dns_object.has_subscribers); ++} ++ +struct blob_buf *ubus_dns_notify_prepare(void) +{ -+ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; -+ -+ if (!ubus || !ubus_dns_object.has_subscribers) ++ if (!ubus_dns_notify_has_subscribers()) + return NULL; + + blob_buf_init(&b, 0); @@ -267,16 +286,3 @@ void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -2003,6 +2003,10 @@ static void check_dns_listeners(time_t n - daemon->pipe_to_parent = pipefd[1]; - } - -+#ifdef HAVE_UBUS -+ drop_ubus_listeners(); -+#endif -+ - /* start with no upstream connections. */ - for (s = daemon->servers; s; s = s->next) - s->tcpfd = -1;