projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| d54a2ce4 MT |
1 | From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001 |
| 2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
| 3 | Date: Sun, 12 Apr 2015 21:52:47 +0100 | |
| 5f206778 | 4 | Subject: [PATCH 74/87] Fix crash in auth code with odd configuration. |
| d54a2ce4 MT |
5 | |
| 6 | --- | |
| 7 | CHANGELOG | 32 +++++++++++++++++++++----------- | |
| 8 | src/auth.c | 13 ++++++++----- | |
| 9 | 2 files changed, 29 insertions(+), 16 deletions(-) | |
| 10 | ||
| 11 | diff --git a/CHANGELOG b/CHANGELOG | |
| 12 | index 9af617056f1f..f2142c71cbdc 100644 | |
| 13 | --- a/CHANGELOG | |
| 14 | +++ b/CHANGELOG | |
| 15 | @@ -68,18 +68,31 @@ version 2.73 | |
| 16 | Fix broken DNSSEC validation of ECDSA signatures. | |
| 17 | ||
| 18 | Add --dnssec-timestamp option, which provides an automatic | |
| 19 | - way to detect when the system time becomes valid after boot | |
| 20 | - on systems without an RTC, whilst allowing DNS queries before the | |
| 21 | - clock is valid so that NTP can run. Thanks to | |
| 22 | - Kevin Darbyshire-Bryant for developing this idea. | |
| 23 | + way to detect when the system time becomes valid after | |
| 24 | + boot on systems without an RTC, whilst allowing DNS | |
| 25 | + queries before the clock is valid so that NTP can run. | |
| 26 | + Thanks to Kevin Darbyshire-Bryant for developing this idea. | |
| 27 | ||
| 28 | Add --tftp-no-fail option. Thanks to Stefan Tomanek for | |
| 29 | the patch. | |
| 30 | ||
| 31 | - Fix crash caused by looking up servers.bind, CHAOS text record, | |
| 32 | - when more than about five --servers= lines are in the dnsmasq | |
| 33 | - config. This causes memory corruption which causes a crash later. | |
| 34 | - Thanks to Matt Coddington for sterling work chasing this down. | |
| 35 | + Fix crash caused by looking up servers.bind, CHAOS text | |
| 36 | + record, when more than about five --servers= lines are | |
| 37 | + in the dnsmasq config. This causes memory corruption | |
| 38 | + which causes a crash later. Thanks to Matt Coddington for | |
| 39 | + sterling work chasing this down. | |
| 40 | + | |
| 41 | + Fix crash on receipt of certain malformed DNS requests. | |
| 42 | + Thanks to Nick Sampanis for spotting the problem. | |
| 43 | + | |
| 44 | + Fix crash in authoritative DNS code, if a .arpa zone | |
| 45 | + is declared as authoritative, and then a PTR query which | |
| 46 | + is not to be treated as authoritative arrived. Normally, | |
| 47 | + directly declaring .arpa zone as authoritative is not | |
| 48 | + done, so this crash wouldn't be seen. Instead the | |
| 49 | + relevant .arpa zone should be specified as a subnet | |
| 50 | + in the auth-zone declaration. Thanks to Johnny S. Lee | |
| 51 | + for the bugreport and initial patch. | |
| 52 | ||
| 53 | ||
| 54 | version 2.72 | |
| 55 | @@ -125,10 +138,7 @@ version 2.72 | |
| 56 | Fix problem with --local-service option on big-endian platforms | |
| 57 | Thanks to Richard Genoud for the patch. | |
| 58 | ||
| 59 | - Fix crash on receipt of certain malformed DNS requests. Thanks | |
| 60 | - to Nick Sampanis for spotting the problem. | |
| 61 | ||
| 62 | - | |
| 63 | version 2.71 | |
| 64 | Subtle change to error handling to help DNSSEC validation | |
| 65 | when servers fail to provide NODATA answers for | |
| 66 | diff --git a/src/auth.c b/src/auth.c | |
| 67 | index 15721e52793f..4a5c39fc5c07 100644 | |
| 68 | --- a/src/auth.c | |
| 69 | +++ b/src/auth.c | |
| 70 | @@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n | |
| 71 | for (zone = daemon->auth_zones; zone; zone = zone->next) | |
| 72 | if ((subnet = find_subnet(zone, flag, &addr))) | |
| 73 | break; | |
| 74 | - | |
| 75 | + | |
| 76 | if (!zone) | |
| 77 | { | |
| 78 | auth = 0; | |
| 79 | @@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n | |
| 80 | ||
| 81 | if (intr) | |
| 82 | { | |
| 83 | - if (in_zone(zone, intr->name, NULL)) | |
| 84 | + if (local_query || in_zone(zone, intr->name, NULL)) | |
| 85 | { | |
| 86 | found = 1; | |
| 87 | log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL); | |
| 88 | @@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n | |
| 89 | *p = 0; /* must be bare name */ | |
| 90 | ||
| 91 | /* add external domain */ | |
| 92 | - strcat(name, "."); | |
| 93 | - strcat(name, zone->domain); | |
| 94 | + if (zone) | |
| 95 | + { | |
| 96 | + strcat(name, "."); | |
| 97 | + strcat(name, zone->domain); | |
| 98 | + } | |
| 99 | log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid)); | |
| 100 | found = 1; | |
| 101 | if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, | |
| 102 | @@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n | |
| 103 | T_PTR, C_IN, "d", name)) | |
| 104 | anscount++; | |
| 105 | } | |
| 106 | - else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL)) | |
| 107 | + else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL))) | |
| 108 | { | |
| 109 | log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid)); | |
| 110 | found = 1; | |
| 111 | -- | |
| 112 | 2.1.0 | |
| 113 |