[dnsmasq/f17] Handle locally-routed DNS Queries (#904940)
Tomas Hozza
thozza at fedoraproject.org
Thu Jan 31 10:29:17 UTC 2013
commit 505574aaf406ff3cab93e4b2f17c8e34186595b7
Author: Tomas Hozza <thozza at redhat.com>
Date: Thu Jan 31 11:23:34 2013 +0100
Handle locally-routed DNS Queries (#904940)
Signed-off-by: Tomas Hozza <thozza at redhat.com>
...rong-interface-for-locally-routed-packets.patch | 178 ++++++++++++++++++++
dnsmasq.spec | 8 +-
2 files changed, 185 insertions(+), 1 deletions(-)
---
diff --git a/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
new file mode 100644
index 0000000..87872a0
--- /dev/null
+++ b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
@@ -0,0 +1,178 @@
+diff -up dnsmasq-2.65/src/dnsmasq.c.local_queries dnsmasq-2.65/src/dnsmasq.c
+--- dnsmasq-2.65/src/dnsmasq.c.local_queries 2013-01-31 09:07:45.603092125 +0100
++++ dnsmasq-2.65/src/dnsmasq.c 2013-01-31 09:07:45.606092127 +0100
+@@ -1401,20 +1401,29 @@ static void check_dns_listeners(fd_set *
+ else
+ {
+ int if_index;
+-
++ char intr_name[IF_NAMESIZE];
++
+ /* In full wildcard mode, need to refresh interface list.
+ This happens automagically in CLEVERBIND */
+- if (!option_bool(OPT_CLEVERBIND))
+- enumerate_interfaces();
+-
+- /* if we can find the arrival interface, check it's one that's allowed */
+- if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
++ if (!option_bool(OPT_CLEVERBIND))
++ enumerate_interfaces();
++
++ /* if we can find the arrival interface, check it's one that's allowed */
++ if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 &&
++ indextoname(listener->tcpfd, if_index, intr_name))
+ {
++ struct all_addr addr;
++ addr.addr.addr4 = tcp_addr.in.sin_addr;
++#ifdef HAVE_IPV6
++ if (tcp_addr.sa.sa_family == AF_INET6)
++ addr.addr.addr6 = tcp_addr.in6.sin6_addr;
++#endif
++
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (iface->index == if_index)
+ break;
+
+- if (!iface)
++ if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name))
+ client_ok = 0;
+ }
+
+@@ -1422,10 +1431,10 @@ static void check_dns_listeners(fd_set *
+ iface = listener->iface; /* May be NULL */
+ else
+ {
+- /* Check for allowed interfaces when binding the wildcard address:
+- we do this by looking for an interface with the same address as
+- the local address of the TCP connection, then looking to see if that's
+- an allowed interface. As a side effect, we get the netmask of the
++ /* Check for allowed interfaces when binding the wildcard address:
++ we do this by looking for an interface with the same address as
++ the local address of the TCP connection, then looking to see if that's
++ an allowed interface. As a side effect, we get the netmask of the
+ interface too, for localisation. */
+
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+diff -up dnsmasq-2.65/src/dnsmasq.h.local_queries dnsmasq-2.65/src/dnsmasq.h
+--- dnsmasq-2.65/src/dnsmasq.h.local_queries 2013-01-31 09:07:45.000000000 +0100
++++ dnsmasq-2.65/src/dnsmasq.h 2013-01-31 09:10:36.091202196 +0100
+@@ -954,6 +954,7 @@ void create_wildcard_listeners(void);
+ void create_bound_listeners(int die);
+ int is_dad_listeners(void);
+ int iface_check(int family, struct all_addr *addr, char *name);
++int loopback_exception(int fd, int family, struct all_addr *addr, char *name);
+ int fix_fd(int fd);
+ int tcp_interface(int fd, int af);
+ struct in_addr get_ifaddr(char *intr);
+diff -up dnsmasq-2.65/src/forward.c.local_queries dnsmasq-2.65/src/forward.c
+--- dnsmasq-2.65/src/forward.c.local_queries 2012-12-14 12:48:26.000000000 +0100
++++ dnsmasq-2.65/src/forward.c 2013-01-31 09:19:58.087573008 +0100
+@@ -759,10 +759,17 @@ void receive_query(struct listener *list
+
+ /* enforce available interface configuration */
+
+- if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
+- !iface_check(listen->family, &dst_addr, ifr.ifr_name))
++ if (!indextoname(listen->fd, if_index, ifr.ifr_name))
+ return;
+
++ if (!iface_check(listen->family, &dst_addr, ifr.ifr_name))
++ {
++ if (!option_bool(OPT_CLEVERBIND))
++ enumerate_interfaces();
++ if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
++ return;
++ }
++
+ if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
+ {
+ struct irec *iface;
+@@ -776,7 +783,7 @@ void receive_query(struct listener *list
+ break;
+
+ /* interface may be new */
+- if (!iface)
++ if (!iface && !option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces();
+
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+diff -up dnsmasq-2.65/src/network.c.local_queries dnsmasq-2.65/src/network.c
+--- dnsmasq-2.65/src/network.c.local_queries 2013-01-31 09:07:45.000000000 +0100
++++ dnsmasq-2.65/src/network.c 2013-01-31 09:25:28.669822969 +0100
+@@ -144,7 +144,39 @@ int iface_check(int family, struct all_a
+
+ return ret;
+ }
+-
++
++/* Fix for problem that the kernel sometimes reports the loopback inerface as the
++ arrival interface when a packet originates locally, even when sent to address of
++ an interface other than the loopback. Accept packet if it arrived via a loopback
++ interface, even when we're not accepting packets that way, as long as the destination
++ address is one we're believing. Interface list must be up-to-date before calling. */
++int loopback_exception(int fd, int family, struct all_addr *addr, char *name)
++{
++ struct ifreq ifr;
++ struct irec *iface;
++
++ strncpy(ifr.ifr_name, name, IF_NAMESIZE);
++ if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
++ ifr.ifr_flags & IFF_LOOPBACK)
++ {
++ for (iface = daemon->interfaces; iface; iface = iface->next)
++ if (iface->addr.sa.sa_family == family)
++ {
++ if (family == AF_INET)
++ {
++ if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
++ return 1;
++ }
++#ifdef HAVE_IPV6
++ else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6))
++ return 1;
++#endif
++
++ }
++ }
++ return 0;
++}
++
+ static int iface_allowed(struct irec **irecp, int if_index,
+ union mysockaddr *addr, struct in_addr netmask, int dad)
+ {
+diff -up dnsmasq-2.65/src/tftp.c.local_queries dnsmasq-2.65/src/tftp.c
+--- dnsmasq-2.65/src/tftp.c.local_queries 2012-12-14 12:48:26.000000000 +0100
++++ dnsmasq-2.65/src/tftp.c 2013-01-31 09:49:44.478008214 +0100
+@@ -61,6 +61,7 @@ void tftp_request(struct listener *liste
+ char *name = NULL;
+ char *prefix = daemon->tftp_prefix;
+ struct tftp_prefix *pref;
++ struct all_addr addra;
+
+ union {
+ struct cmsghdr align; /* this ensures alignment */
+@@ -190,16 +191,19 @@ void tftp_request(struct listener *liste
+
+ name = namebuff;
+
++ addra.addr.addr4 = addr.in.sin_addr;
++
+ #ifdef HAVE_IPV6
+ if (listen->family == AF_INET6)
++ addra.addr.addr6 = addr.in6.sin6_addr;
++#endif
++ if (!iface_check(listen->family, &addra, name))
+ {
+- if (!iface_check(AF_INET6, (struct all_addr *)&addr.in6.sin6_addr, name))
++ if (!option_bool(OPT_CLEVERBIND))
++ enumerate_interfaces();
++ if (!loopback_exception(listen->tftpfd, listen->family, &addra, name))
+ return;
+ }
+- else
+-#endif
+- if (!iface_check(AF_INET, (struct all_addr *)&addr.in.sin_addr, name))
+- return;
+
+ #ifdef HAVE_DHCP
+ /* allowed interfaces are the same as for DHCP */
diff --git a/dnsmasq.spec b/dnsmasq.spec
index e3b45d9..f5083c4 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -11,7 +11,7 @@
Name: dnsmasq
Version: 2.65
-Release: 3%{?extraversion}%{?dist}
+Release: 4%{?extraversion}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@@ -22,6 +22,8 @@ Source1: %{name}.service
# http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=22ce550e5346947a12a781ed0959a7b1165d0dc6
Patch0: %{name}-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch
+# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e25db1f273920d58c5d2e7569cd087e5bd73dd73
+Patch1: %{name}-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -57,6 +59,7 @@ query/remove a DHCP server's leases.
%setup -q -n %{name}-%{version}%{?extraversion}
%patch0 -p1 -b .CVE-2013-0198
+%patch1 -p1 -b .local_queries
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -143,6 +146,9 @@ fi
%{_mandir}/man1/dhcp_*
%changelog
+* Thu Jan 31 2013 Tomas Hozza <thozza at redhat.com> - 2.65-4
+- Handle locally-routed DNS Queries (#904940)
+
* Thu Jan 24 2013 Tomas Hozza <thozza at redhat.com> - 2.65-3
- build dnsmasq with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly (#903362)
More information about the scm-commits
mailing list