- Fix that dns64 with subnetcache does not write ECS scoped
answers to global cache. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
+ - Fix ipset module for name too long checks, race conditions
+ on local name buffer, and for socket close race condition.
+ Thanks to Qifan Zhang, Palo Alto Networks, for the report.
26 May 2026: Wouter
- Fix for mesh new client and mesh new callback to rollback the
struct nlmsghdr *nlh;
struct nfgenmsg *nfg;
struct nlattr *nested[2];
- static char buffer[BUFF_LEN];
+ char buffer[BUFF_LEN];
if (strlen(setname) >= IPSET_MAXNAMELEN) {
errno = ENAMETOOLONG;
ret = add_to_ipset((filter_dev)ie->dev, setname, rr_data + 2, af);
if (ret < 0) {
log_err("ipset: could not add %s into %s", dname, setname);
-
-#if HAVE_NET_PFVAR_H
- /* don't close as we might not be able to open again due to dropped privs */
-#else
- mnl_socket_close((filter_dev)ie->dev);
- ie->dev = NULL;
-#endif
break;
}
}
struct ub_packed_rrset_key *rrset, const char *qname, int qlen,
const char *setname, int af)
{
- static char dname[BUFF_LEN];
+ char dname[BUFF_LEN];
const char *ds, *qs;
int dlen, plen;
const char *setname;
struct ub_packed_rrset_key *rrset;
int af;
- static char qname[BUFF_LEN];
+ char qname[BUFF_LEN];
int qlen;
#ifdef HAVE_NET_PFVAR_H
ipset_env->name_v4 = env->cfg->ipset_name_v4;
ipset_env->name_v6 = env->cfg->ipset_name_v6;
+#ifndef HAVE_NET_PFVAR_H
+ if (ipset_env->name_v4 && strlen(ipset_env->name_v4) >= IPSET_MAXNAMELEN) {
+ log_err("ipset: name-v4 exceeds IPSET_MAXNAMELEN (%d)", IPSET_MAXNAMELEN);
+ return 0;
+ }
+ if (ipset_env->name_v6 && strlen(ipset_env->name_v6) >= IPSET_MAXNAMELEN) {
+ log_err("ipset: name-v6 exceeds IPSET_MAXNAMELEN (%d)", IPSET_MAXNAMELEN);
+ return 0;
+ }
+#endif
ipset_env->v4_enabled = !ipset_env->name_v4 || (strlen(ipset_env->name_v4) == 0) ? 0 : 1;
ipset_env->v6_enabled = !ipset_env->name_v6 || (strlen(ipset_env->name_v6) == 0) ? 0 : 1;
projects / thirdparty / unbound.git / commitdiff
