hak5
/
openwrt-owl
mirror of https://github.com/hak5/openwrt-owl.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dnsmasq: fix dnssec timestamp logic, backport crashfix 

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45410
owl
Steven Barth 2015-04-13 07:49:29 +00:00
parent 33b93243ec
commit 3633523ba6
4 changed files with 174 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/network/services/dnsmasq/Makefile
View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.73rc4
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates

11
package/network/services/dnsmasq/files/dnsmasq.init
View File

@ -15,6 +15,7 @@ ADD_LOCAL_HOSTNAME=1
CONFIGFILE="/var/etc/dnsmasq.conf"
HOSTFILE="/tmp/hosts/dhcp"
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
TIMESTAMPFILE="/etc/dnsmasq.time"
xappend() {
local value="$1"
@ -205,7 +206,7 @@ dnsmasq() {
[ "$dnssec" -gt 0 ] && {
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
xappend "--dnssec-timestamp=/etc/dnsmasq.time"
xappend "--dnssec-timestamp=$TIMESTAMPFILE"
append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
}
@ -556,7 +557,7 @@ start_service() {
procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers
procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases /etc/dnsmasq.time
procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases $TIMESTAMPFILE
procd_close_instance
@ -566,9 +567,9 @@ start_service() {
mkdir -p /var/lib/misc
touch /tmp/dhcp.leases
if [ ! -f /etc/dnsmasq.time ]; then
touch -t 197001010000 /etc/dnsmasq.time
chmod 0777 /etc/dnsmasq.time
if [ ! -f "$TIMESTAMPFILE" ]; then
touch "$TIMESTAMPFILE"
chown nobody.nogroup "$TIMESTAMPFILE"
fi
echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE

113
package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch Normal file
View File

@ -0,0 +1,113 @@
From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 12 Apr 2015 21:52:47 +0100
Subject: [PATCH] Fix crash in auth code with odd configuration.
---
CHANGELOG | 32 +++++++++++++++++++++-----------
src/auth.c | 13 ++++++++-----
2 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 9af6170..f2142c7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -68,18 +68,31 @@ version 2.73
Fix broken DNSSEC validation of ECDSA signatures.
Add --dnssec-timestamp option, which provides an automatic
- way to detect when the system time becomes valid after boot
- on systems without an RTC, whilst allowing DNS queries before the
- clock is valid so that NTP can run. Thanks to
- Kevin Darbyshire-Bryant for developing this idea.
+ way to detect when the system time becomes valid after
+ boot on systems without an RTC, whilst allowing DNS
+ queries before the clock is valid so that NTP can run.
+ Thanks to Kevin Darbyshire-Bryant for developing this idea.
Add --tftp-no-fail option. Thanks to Stefan Tomanek for
the patch.
- Fix crash caused by looking up servers.bind, CHAOS text record,
- when more than about five --servers= lines are in the dnsmasq
- config. This causes memory corruption which causes a crash later.
- Thanks to Matt Coddington for sterling work chasing this down.
+ Fix crash caused by looking up servers.bind, CHAOS text
+ record, when more than about five --servers= lines are
+ in the dnsmasq config. This causes memory corruption
+ which causes a crash later. Thanks to Matt Coddington for
+ sterling work chasing this down.
+
+ Fix crash on receipt of certain malformed DNS requests.
+ Thanks to Nick Sampanis for spotting the problem.
+
+ Fix crash in authoritative DNS code, if a .arpa zone
+ is declared as authoritative, and then a PTR query which
+ is not to be treated as authoritative arrived. Normally,
+ directly declaring .arpa zone as authoritative is not
+ done, so this crash wouldn't be seen. Instead the
+ relevant .arpa zone should be specified as a subnet
+ in the auth-zone declaration. Thanks to Johnny S. Lee
+ for the bugreport and initial patch.
version 2.72
@@ -125,10 +138,7 @@ version 2.72
Fix problem with --local-service option on big-endian platforms
Thanks to Richard Genoud for the patch.
- Fix crash on receipt of certain malformed DNS requests. Thanks
- to Nick Sampanis for spotting the problem.
-
version 2.71
Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for
diff --git a/src/auth.c b/src/auth.c
index 15721e5..4a5c39f 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
for (zone = daemon->auth_zones; zone; zone = zone->next)
if ((subnet = find_subnet(zone, flag, &addr)))
break;
-
+
if (!zone)
{
auth = 0;
@@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
if (intr)
{
- if (in_zone(zone, intr->name, NULL))
+ if (local_query || in_zone(zone, intr->name, NULL))
{
found = 1;
log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
@@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
*p = 0; /* must be bare name */
/* add external domain */
- strcat(name, ".");
- strcat(name, zone->domain);
+ if (zone)
+ {
+ strcat(name, ".");
+ strcat(name, zone->domain);
+ }
log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
found = 1;
if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
@@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
T_PTR, C_IN, "d", name))
anscount++;
}
- else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL))
+ else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
{
log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
found = 1;
--
2.1.4

54
package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch Normal file
View File

@ -0,0 +1,54 @@
From 79e60e145f8a595bca5a784c00b437216d51de68 Mon Sep 17 00:00:00 2001
From: Steven Barth <steven@midlink.org>
Date: Mon, 13 Apr 2015 09:45:20 +0200
Subject: [PATCH] dnssec: improve timestamp heuristic
Signed-off-by: Steven Barth <steven@midlink.org>
---
src/dnssec.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 05e0983..9c02548 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -408,17 +408,24 @@ static int back_to_the_future;
int setup_timestamp(void)
{
struct stat statbuf;
-
+ time_t now;
+ time_t base = 1420070400; /* 1-1-2015 */
+
back_to_the_future = 0;
if (!daemon->timestamp_file)
return 0;
-
+
+ now = time(NULL);
+
+ if (!stat("/proc/self/exe", &statbuf) && difftime(statbuf.st_mtime, base) > 0)
+ base = statbuf.st_mtime;
+
if (stat(daemon->timestamp_file, &statbuf) != -1)
{
timestamp_time = statbuf.st_mtime;
check_and_exit:
- if (difftime(timestamp_time, time(0)) <= 0)
+ if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <= 0)
{
/* time already OK, update timestamp, and do key checking from the start. */
if (utime(daemon->timestamp_file, NULL) == -1)
@@ -439,7 +446,7 @@ int setup_timestamp(void)
close(fd);
- timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
+ timestamp_time = timbuf.actime = timbuf.modtime = base;
if (utime(daemon->timestamp_file, &timbuf) == 0)
goto check_and_exit;
}
--
2.1.4