cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
--- /dev/null
+From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 26 Sep 2015 21:40:45 +0100
+Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca
+
+---
+ src/rfc3315.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f1f9ee..3ed8623 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+ if (opt_cfg->opt == OPTION6_DNS_SERVER)
+ done_dns = 1;
+
+- /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
+- if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
++ if (opt_cfg->flags & DHOPT_ADDR6)
+ {
+ int len, j;
+ struct in6_addr *a;
+--
+1.7.10.4
+
--- /dev/null
+From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 13 Oct 2015 20:30:32 +0100
+Subject: [PATCH] Catch errors from sendmsg in DHCP code. Logs, eg, iptables
+ DROPS of dest 255.255.255.255
+
+---
+ src/dhcp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index e6fceb1..1c85e42 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
+ #endif
+
+ while(retry_send(sendmsg(fd, &msg, 0)));
++
++ /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
++ if (errno != 0)
++ my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
++ inet_ntoa(dest.sin_addr), strerror(errno));
+ }
+-
++
+ /* check against secondary interface addresses */
+ static int check_listen_addrs(struct in_addr local, int if_index, char *label,
+ struct in_addr netmask, struct in_addr broadcast, void *vparam)
+--
+1.7.10.4
+
--- /dev/null
+From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 20 Oct 2015 21:21:32 +0100
+Subject: [PATCH] Update list of subnet for --bogus-priv
+
+RFC6303 specifies & recommends following zones not be forwarded
+to globally facing servers.
++------------------------------+-----------------------+
+| Zone | Description |
++------------------------------+-----------------------+
+| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK |
+| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK |
+| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL |
+| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 |
+| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 |
+| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 |
+| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST |
++------------------------------+-----------------------+
+
+Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+---
+ src/rfc1035.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 6a51b30..4eb1772 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost)
+ return
+ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
+ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ ||
+- ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
+ ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
+ ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
+- ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
++ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
++ ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ ||
++ ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ ||
++ ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ;
+ }
+
+ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
+--
+1.7.10.4
+
--- /dev/null
+From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= <edwin+ml-cerowrt@etorok.net>
+Date: Sat, 14 Nov 2015 17:45:48 +0000
+Subject: [PATCH] Fix crash when empty address from DNS overlays A record from
+ hosts.
+
+---
+ CHANGELOG | 5 +++++
+ src/cache.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d6e309f..93c73d0 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -13,6 +13,11 @@ version 2.76
+ was a dangling symbolic link, even of --no-resolv set.
+ Thanks to Alexander Kurtz for spotting the problem.
+
++ Fix crash when an A or AAAA record is defined locally,
++ in a hosts file, and an upstream server sends a reply
++ that the same name is empty. Thanks to Edwin Török for
++ the patch.
++
+
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+diff --git a/src/cache.c b/src/cache.c
+index 178d654..1b76b67 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
+ existing record is for an A or AAAA and
+ the record we're trying to insert is the same,
+ just drop the insert, but don't error the whole process. */
+- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
++ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
+ {
+ if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
+ new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr)
+--
+1.7.10.4
+
--- /dev/null
+From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 20 Nov 2015 23:20:47 +0000
+Subject: [PATCH] Handle unknown DS hash algos correctly.
+
+When we can validate a DS RRset, but don't speak the hash algo it
+contains, treat that the same as an NSEC/3 proving that the DS
+doesn't exist. 4025 5.2
+---
+ src/dnssec.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 67ce486..b4dc14e 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
+ if (crecp->flags & F_NEG)
+ return STAT_INSECURE_DS;
+
++ /* 4035 5.2
++ If the validator does not support any of the algorithms listed in an
++ authenticated DS RRset, then the resolver has no supported
++ authentication path leading from the parent to the child. The
++ resolver should treat this case as it would the case of an
++ authenticated NSEC RRset proving that no DS RRset exists, */
++ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
++ if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
++ break;
++
++ if (!recp1)
++ return STAT_INSECURE_DS;
++
+ /* NOTE, we need to find ONE DNSKEY which matches the DS */
+ for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
+ {
+--
+1.7.10.4
+
--- /dev/null
+From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 21 Nov 2015 21:47:41 +0000
+Subject: [PATCH] Fix crash at start up with conf-dir=/path,*
+
+Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug.
+---
+ src/option.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 746cd11..71beb98 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ li = opt_malloc(sizeof(struct list));
+ if (*arg == '*')
+ {
+- li->next = match_suffix;
+- match_suffix = li;
+- /* Have to copy: buffer is overwritten */
+- li->suffix = opt_string_alloc(arg+1);
++ /* "*" with no suffix is a no-op */
++ if (arg[1] == 0)
++ free(li);
++ else
++ {
++ li->next = match_suffix;
++ match_suffix = li;
++ /* Have to copy: buffer is overwritten */
++ li->suffix = opt_string_alloc(arg+1);
++ }
+ }
+ else
+ {
+--
+1.7.10.4
+
projects / people / meitelwein / ipfire-2.x.git / commitdiff
