cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
--- /dev/null
+From a006eb7e1486023480ea40244720ef7aab51de71 Mon Sep 17 00:00:00 2001
+From: Moshe Levi <moshele@mellanox.com>
+Date: Sun, 19 Apr 2015 22:10:40 +0100
+Subject: [PATCH 79/84] Check IP address command line arg in dhcp_release.c
+
+---
+ contrib/wrt/dhcp_release.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/contrib/wrt/dhcp_release.c b/contrib/wrt/dhcp_release.c
+index 53f47dda3aec..a51f04b30cab 100644
+--- a/contrib/wrt/dhcp_release.c
++++ b/contrib/wrt/dhcp_release.c
+@@ -277,6 +277,11 @@ int main(int argc, char **argv)
+ exit(1);
+ }
+
++ if (inet_addr(argv[2]) == INADDR_NONE)
++ {
++ perror("invalid ip address");
++ exit(1);
++ }
+
+ lease.s_addr = inet_addr(argv[2]);
+ server = find_interface(lease, nl, if_nametoindex(argv[1]));
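Review bot: `perror("invalid ip address")` in the added check appends the text for the current errno, and inet_addr() does not set errno, so the user sees an unrelated error string; `fprintf(stderr, "invalid ip address: %s\n", argv[2]);` would say what was actually wrong. inet_addr() also returns INADDR_NONE for the valid address 255.255.255.255, and it is called a second time two lines later to fill `lease`. A single `if (inet_pton(AF_INET, argv[2], &lease) != 1)` would validate and store the address in one step. main() starts and continues outside the hunk, so the argc check guarding argv[2] is assumed to be in the preceding block.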
+--
+2.1.0
+
--- /dev/null
+From 338b340be9e7198f5c0f68133d070d6598a0814c Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 20 Apr 2015 21:34:05 +0100
+Subject: [PATCH 80/84] Revert 61b838dd574c51d96fef100285a0d225824534f9 and
+ just quieten log instead.
+
+---
+ src/rfc3315.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index c1ddc805988d..c45116a40a09 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -824,25 +824,21 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ }
+ else
+ {
+- /* Windows 8 always requests an address even if the Managed bit
+- in RA is 0 and it keeps retrying if it receives a reply
+- stating that no addresses are available. We solve this
+- by not replying at all if we're not configured to give any
+- addresses by DHCPv6. RFC 3315 17.2.1. appears to allow this. */
+-
+- for (c = state->context; c; c = c->current)
+- if (!(c->flags & CONTEXT_RA_STATELESS))
+- break;
+-
+- if (!c)
+- return 0;
+-
+ /* no address, return error */
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6NOADDRS);
+ put_opt6_string(_("no addresses available"));
+ end_opt6(o1);
+- log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
++
++ /* Some clients will ask repeatedly when we're not giving
++ out addresses because we're in stateless mode. Avoid spamming
++ the log in that case. */
++ for (c = state->context; c; c = c->current)
++ if (!(c->flags & CONTEXT_RA_STATELESS))
++ {
++ log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
++ break;
++ }
+ }
+
+ break;
+--
+2.1.0
+
--- /dev/null
+From cbe379ad6b52a538a4416a7cd992817e5637ccf9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 21 Apr 2015 22:57:06 +0100
+Subject: [PATCH 81/84] Handle domain names with '.' or /000 within labels.
+
+Only in DNSSEC mode, where we might need to validate or store
+such names. In none-DNSSEC mode, simply don't cache these, as before.
+---
+ src/dns-protocol.h | 4 ++++
+ src/dnsmasq.c | 15 +++++++++++++--
+ src/dnssec.c | 40 +++++++++++++++++++++++++++++++---------
+ src/rfc1035.c | 16 +++++++++++++++-
+ src/util.c | 9 ++++++++-
+ 5 files changed, 71 insertions(+), 13 deletions(-)
+
+diff --git a/src/dns-protocol.h b/src/dns-protocol.h
+index 16fade33d98c..7f5d686bb150 100644
+--- a/src/dns-protocol.h
++++ b/src/dns-protocol.h
+@@ -142,3 +142,7 @@ struct dns_header {
+
+ #define ADD_RDLEN(header, pp, plen, len) \
+ (!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1))
++
++/* Escape character in our presentation format for names.
++ Cannot be '.' or /000 and must be !isprint() */
++#define NAME_ESCAPE 1
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 20b15c05103a..19a6428b09e8 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -102,8 +102,19 @@ int main (int argc, char **argv)
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+- daemon->keyname = safe_malloc(MAXDNAME);
+- daemon->workspacename = safe_malloc(MAXDNAME);
++ /* Note that both /000 and '.' are allowed within labels. These get
++ represented in presentation format using NAME_ESCAPE as an escape
++ character when in DNSSEC mode.
++ In theory, if all the characters in a name were /000 or
++ '.' or NAME_ESCAPE then all would have to be escaped, so the
++ presentation format would be twice as long as the spec.
++
++ daemon->namebuff was previously allocated by the option-reading
++ code before we knew if we're in DNSSEC mode, so reallocate here. */
++ free(daemon->namebuff);
++ daemon->namebuff = safe_malloc(MAXDNAME * 2);
++ daemon->keyname = safe_malloc(MAXDNAME * 2);
++ daemon->workspacename = safe_malloc(MAXDNAME * 2);
+ }
+ #endif
+
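Review bot: Only these three buffers are doubled, but the escaping this patch adds to extract_name() is keyed on OPT_DNSSEC_VALID, not on the buffer it is handed, and the function's signature as shown in the rfc1035.c hunk header carries no size argument. Any other MAXDNAME-sized buffer that receives an extracted name in DNSSEC mode (callers are not visible here) would need the same doubling, so the callers are worth auditing. A named constant in place of the repeated `MAXDNAME * 2` here and in dnssec.c would make that audit easier. The free()/safe_malloc() of daemon->namebuff also assumes option parsing kept no pointer into the old buffer; a one-line comment stating that would help.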
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 05e0983cb251..c116a7b5f6f4 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -321,10 +321,18 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha
+ thus generating names in canonical form.
+ Calling to_wire followed by from_wire is almost an identity,
+ except that the UC remains mapped to LC.
++
++ Note that both /000 and '.' are allowed within labels. These get
++ represented in presentation format using NAME_ESCAPE as an escape
++ character. In theory, if all the characters in a name were /000 or
++ '.' or NAME_ESCAPE then all would have to be escaped, so the
++ presentation format would be twice as long as the spec (1024).
++ The buffers are all delcared as 2049 (allowing for the trailing zero)
++ for this reason.
+ */
+ static int to_wire(char *name)
+ {
+- unsigned char *l, *p, term;
++ unsigned char *l, *p, *q, term;
+ int len;
+
+ for (l = (unsigned char*)name; *l != 0; l = p)
+@@ -332,7 +340,10 @@ static int to_wire(char *name)
+ for (p = l; *p != '.' && *p != 0; p++)
+ if (*p >= 'A' && *p <= 'Z')
+ *p = *p - 'A' + 'a';
+-
++ else if (*p == NAME_ESCAPE)
++ for (q = p; *q; q++)
++ *q = *(q+1);
++
+ term = *p;
+
+ if ((len = p - l) != 0)
+@@ -351,13 +362,23 @@ static int to_wire(char *name)
+ /* Note: no compression allowed in input. */
+ static void from_wire(char *name)
+ {
+- unsigned char *l;
++ unsigned char *l, *p, *last;
+ int len;
+-
++
++ for (last = (unsigned char *)name; *last != 0; last += *last+1);
++
+ for (l = (unsigned char *)name; *l != 0; l += len+1)
+ {
+ len = *l;
+ memmove(l, l+1, len);
++ for (p = l; p < l + len; p++)
++ if (*p == '.' || *p == 0 || *p == NAME_ESCAPE)
++ {
++ memmove(p+1, p, 1 + last - p);
++ len++;
++ *p++ = NAME_ESCAPE;
++ }
++
+ l[len] = '.';
+ }
+
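Review bot: `last` is computed once before the loop and never advanced, so after the first `memmove(p+1, p, 1 + last - p)` the terminating zero sits at last+1, and a second insertion copies one byte too few and overwrites that terminator. For a name needing two or more escapes, the loop's `*l != 0` test then depends on whatever byte happens to follow in the buffer. Adding `last++;` next to `len++;` keeps the moved length correct. from_wire's tail is outside the hunk, so confirm nothing there compensates; patch 82 edits the same block without changing this.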
+@@ -645,7 +666,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
+ if (left1 != 0)
+ memmove(buff1, buff1 + len1 - left1, left1);
+
+- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0)
++ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0)
+ {
+ quit = 1;
+ len1 = end1 - p1;
+@@ -656,7 +677,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
+ if (left2 != 0)
+ memmove(buff2, buff2 + len2 - left2, left2);
+
+- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0)
++ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0)
+ {
+ quit = 1;
+ len2 = end2 - p2;
+@@ -902,10 +923,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+
+ end = p + rdlen;
+
+- /* canonicalise rdata and calculate length of same, use name buffer as workspace */
++ /* canonicalise rdata and calculate length of same, use name buffer as workspace.
++ Note that name buffer is twice MAXDNAME long in DNSSEC mode. */
+ cp = p;
+ dp = rr_desc;
+- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg);
++ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg);
+ len += end - cp;
+ len = htons(len);
+ hash->update(ctx, 2, (unsigned char *)&len);
+@@ -913,7 +935,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+ /* Now canonicalise again and digest. */
+ cp = p;
+ dp = rr_desc;
+- while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)))
++ while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)))
+ hash->update(ctx, seg, (unsigned char *)name);
+ if (cp != end)
+ hash->update(ctx, end - cp, cp);
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index a995ab50d74a..19fecc818c06 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -128,6 +128,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ if (isExtract)
+ {
+ unsigned char c = *p;
++#ifdef HAVE_DNSSEC
++ if (option_bool(OPT_DNSSEC_VALID))
++ {
++ if (c == 0 || c == '.' || c == NAME_ESCAPE)
++ *cp++ = NAME_ESCAPE;
++ *cp++ = c;
++ }
++ else
++#endif
+ if (c != 0 && c != '.')
+ *cp++ = c;
+ else
+@@ -144,9 +153,14 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ cp++;
+ if (c1 >= 'A' && c1 <= 'Z')
+ c1 += 'a' - 'A';
++#ifdef HAVE_DNSSEC
++ if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
++ c1 = *cp++;
++#endif
++
+ if (c2 >= 'A' && c2 <= 'Z')
+ c2 += 'a' - 'A';
+-
++
+ if (c1 != c2)
+ retvalue = 2;
+ }
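Review bot: `c1 = *cp++;` consumes the byte after NAME_ESCAPE without checking that it is not the terminating zero, so a stored name ending in a lone escape byte moves cp past the end of the string. The same pattern appears in do_rfc1035_name in src/util.c (`*p++ = *(++sval);`), where the loop's own `sval++` then steps over the terminator; patch 82 keeps both. Names written by extract_name always carry a byte after the escape, but names from other sources (configuration or hosts data, not visible here) may not. Testing `*cp != 0` before consuming, or rejecting byte value 1 where such names are read in, would close this; the enclosing loop starts outside the hunk.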
+diff --git a/src/util.c b/src/util.c
+index 648bc4d4b428..0c1a48b4700a 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -226,7 +226,14 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
+ {
+ unsigned char *cp = p++;
+ for (j = 0; *sval && (*sval != '.'); sval++, j++)
+- *p++ = *sval;
++ {
++#ifdef HAVE_DNSSEC
++ if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
++ *p++ = *(++sval);
++ else
++#endif
++ *p++ = *sval;
++ }
+ *cp = j;
+ if (*sval)
+ sval++;
+--
+2.1.0
+
--- /dev/null
+From b8f16556d36924cd8dc7663cb4129d7b1f3fc2be Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 22 Apr 2015 21:14:31 +0100
+Subject: [PATCH 82/84] Tweaks to previous, DNS label charset commit.
+
+---
+ src/dns-protocol.h | 6 +++++-
+ src/dnssec.c | 9 ++++++---
+ src/rfc1035.c | 25 ++++++++++++++++++-------
+ src/util.c | 2 +-
+ 4 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/src/dns-protocol.h b/src/dns-protocol.h
+index 7f5d686bb150..4b71746f8d26 100644
+--- a/src/dns-protocol.h
++++ b/src/dns-protocol.h
+@@ -144,5 +144,9 @@ struct dns_header {
+ (!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1))
+
+ /* Escape character in our presentation format for names.
+- Cannot be '.' or /000 and must be !isprint() */
++ Cannot be '.' or /000 and must be !isprint().
++ Note that escaped chars are stored as
++ <NAME_ESCAPE> <orig-char+1>
++ to ensure that the escaped form of /000 doesn't include /000
++*/
+ #define NAME_ESCAPE 1
+diff --git a/src/dnssec.c b/src/dnssec.c
+index c116a7b5f6f4..a9e12153ccf2 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -341,9 +341,11 @@ static int to_wire(char *name)
+ if (*p >= 'A' && *p <= 'Z')
+ *p = *p - 'A' + 'a';
+ else if (*p == NAME_ESCAPE)
+- for (q = p; *q; q++)
++ {
++ for (q = p; *q; q++)
+ *q = *(q+1);
+-
++ (*p)--;
++ }
+ term = *p;
+
+ if ((len = p - l) != 0)
+@@ -376,7 +378,8 @@ static void from_wire(char *name)
+ {
+ memmove(p+1, p, 1 + last - p);
+ len++;
+- *p++ = NAME_ESCAPE;
++ *p++ = NAME_ESCAPE;
++ (*p)++;
+ }
+
+ l[len] = '.';
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 19fecc818c06..32df31ad603c 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -20,7 +20,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ char *name, int isExtract, int extrabytes)
+ {
+ unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
+- unsigned int j, l, hops = 0;
++ unsigned int j, l, namelen = 0, hops = 0;
+ int retvalue = 1;
+
+ if (isExtract)
+@@ -94,9 +94,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ count = 256;
+ digs = ((count-1)>>2)+1;
+
+- /* output is \[x<hex>/siz]. which is digs+9 chars */
+- if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME)
++ /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
++ namelen += digs+6;
++ if (count > 9)
++ namelen++;
++ if (count > 99)
++ namelen++;
++ if (namelen+1 >= MAXDNAME)
+ return 0;
++
+ if (!CHECK_LEN(header, p, plen, (count-1)>>3))
+ return 0;
+
+@@ -119,7 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ }
+ else
+ { /* label_type = 0 -> label. */
+- if (cp - (unsigned char *)name + l + 1 >= MAXDNAME)
++ namelen += l;
++ if (namelen+1 >= MAXDNAME)
+ return 0;
+ if (!CHECK_LEN(header, p, plen, l))
+ return 0;
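Review bot: `namelen += l;` counts only the label bytes, whereas the check it replaces was based on `cp`, the real write position, which also covered the separator written after each label (presumably still done outside this hunk). The more labels a name has, the further the real output length exceeds namelen, so the `namelen+1 >= MAXDNAME` test no longer bounds what is written to `name`, and this path parses data received from the network. Counting the separator, with `namelen += l + 1;` and `if (namelen >= MAXDNAME)`, restores the bound in both DNSSEC and non-DNSSEC mode. The bit-string branch in the previous hunk (`namelen += digs+6;`) should be checked against its trailing `.` in the same way.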
+@@ -132,8 +139,12 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ if (c == 0 || c == '.' || c == NAME_ESCAPE)
+- *cp++ = NAME_ESCAPE;
+- *cp++ = c;
++ {
++ *cp++ = NAME_ESCAPE;
++ *cp++ = c+1;
++ }
++ else
++ *cp++ = c;
+ }
+ else
+ #endif
+@@ -155,7 +166,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
+ c1 += 'a' - 'A';
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
+- c1 = *cp++;
++ c1 = (*cp++)-1;
+ #endif
+
+ if (c2 >= 'A' && c2 <= 'Z')
+diff --git a/src/util.c b/src/util.c
+index 0c1a48b4700a..9299703c6d30 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -229,7 +229,7 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
+ {
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
+- *p++ = *(++sval);
++ *p++ = (*(++sval))-1;
+ else
+ #endif
+ *p++ = *sval;
+--
+2.1.0
+
--- /dev/null
+From a5ae1f85873829efe473075ad77806cc02792622 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 25 Apr 2015 21:46:10 +0100
+Subject: [PATCH 83/84] Logs in DHCPv6 not suppressed by dhcp6-quiet.
+
+---
+ CHANGELOG | 6 +++++-
+ src/rfc3315.c | 4 ++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 7f2b1e002e9e..af2b22cf8f73 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -103,7 +103,11 @@ version 2.73
+ Previously we provided correct answers to PTR queries
+ in such zones (including NS and SOA) but not direct
+ NS and SOA queries. Thanks to Johnny S. Lee for
+- pointing out the problem.
++ pointing out the problem.
++
++ Fix logging of DHCPREPLY which should be suppressed
++ by quiet-dhcp6. Thanks to J. Pablo Abonia for
++ spotting the problem.
+
+
+ version 2.72
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index c45116a40a09..b4f5dd2db61f 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1047,9 +1047,9 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ {
+ preferred_time = valid_time = 0;
+ message = _("address invalid");
+- }
++ }
+
+- if (message)
++ if (message && (message != state->hostname))
+ log6_packet(state, "DHCPREPLY", req_addr, message);
+ else
+ log6_quiet(state, "DHCPREPLY", req_addr, message);
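Review bot: The added test `message != state->hostname` relies on pointer identity to recognise the routine case, which is not evident from this line alone. A comment above it such as `/* message is state->hostname for a normal reply: leave that to log6_quiet */` would document the intent, assuming that assignment is what happens earlier in dhcp6_no_relay (outside the hunk).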
+--
+2.1.0
+
--- /dev/null
+From 8efd731cc4ed2baa42aa69d0a9d336392e9987cb Mon Sep 17 00:00:00 2001
+From: "Johnny S. Lee" <_@jsl.io>
+Date: Sun, 26 Apr 2015 22:23:57 +0100
+Subject: [PATCH 84/84] Make get-version work when repo is a git submodule.
+
+---
+ bld/get-version | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bld/get-version b/bld/get-version
+index 7ab75db729ac..5372869c0852 100755
+--- a/bld/get-version
++++ b/bld/get-version
+@@ -11,8 +11,9 @@
+ # If there is more than one v[0-9].* tag, sort them and use the
+ # first. This favours, eg v2.63 over 2.63rc6.
+
+-if which git >/dev/null 2>&1 && [ -d $1/.git ]; then
+- cd $1; git describe | sed 's/^v//'
++if which git >/dev/null 2>&1 && \
++ ([ -d $1/.git ] || grep '^gitdir:' $1/.git >/dev/null 2>&1); then
++ cd $1; git describe | sed 's/^v//'
+ elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
+ # unsubstituted VERSION, but no git available.
+ echo UNKNOWN
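Review bot: `$1` is unquoted in the new `[ -d $1/.git ]` and `grep '^gitdir:' $1/.git` tests and in `cd $1`, so a source path containing spaces or glob characters is word-split before the test runs. Quoting each use (`"$1/.git"`) and chaining the commands as `cd "$1" && git describe | sed 's/^v//'` also stops git describe from running in the wrong directory when cd fails. The if/elif chain continues outside the hunk.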
+--
+2.1.0
+