[dnsmasq/f18] Handle locally-routed DNS Queries (#904940)

Tomas Hozza thozza at fedoraproject.org
Thu Jan 31 10:29:23 UTC 2013


commit 261955a53f5fb62564ec3bbc81e8f09b5d4a5bcf
Author: Tomas Hozza <thozza at redhat.com>
Date:   Thu Jan 31 11:23:34 2013 +0100

    Handle locally-routed DNS Queries (#904940)
    
    Signed-off-by: Tomas Hozza <thozza at redhat.com>

 ...rong-interface-for-locally-routed-packets.patch |  178 ++++++++++++++++++++
 dnsmasq.spec                                       |    8 +-
 2 files changed, 185 insertions(+), 1 deletions(-)
---
diff --git a/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
new file mode 100644
index 0000000..87872a0
--- /dev/null
+++ b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
@@ -0,0 +1,178 @@
+diff -up dnsmasq-2.65/src/dnsmasq.c.local_queries dnsmasq-2.65/src/dnsmasq.c
+--- dnsmasq-2.65/src/dnsmasq.c.local_queries	2013-01-31 09:07:45.603092125 +0100
++++ dnsmasq-2.65/src/dnsmasq.c	2013-01-31 09:07:45.606092127 +0100
+@@ -1401,20 +1401,29 @@ static void check_dns_listeners(fd_set *
+ 	   else 
+ 	     {
+ 	       int if_index;
+-
++	       char intr_name[IF_NAMESIZE];
++ 
+ 	       /* In full wildcard mode, need to refresh interface list.
+ 		  This happens automagically in CLEVERBIND */
+-	        if (!option_bool(OPT_CLEVERBIND))
+-		  enumerate_interfaces();
+-
+-		/* if we can find the arrival interface, check it's one that's allowed */
+-		if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
++	       if (!option_bool(OPT_CLEVERBIND))
++		 enumerate_interfaces();
++	       
++	       /* if we can find the arrival interface, check it's one that's allowed */
++	       if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 &&
++		   indextoname(listener->tcpfd, if_index, intr_name))
+ 		 {
++		   struct all_addr addr;
++		   addr.addr.addr4 = tcp_addr.in.sin_addr;
++#ifdef HAVE_IPV6
++		   if (tcp_addr.sa.sa_family == AF_INET6)
++		     addr.addr.addr6 = tcp_addr.in6.sin6_addr;
++#endif
++		   
+ 		   for (iface = daemon->interfaces; iface; iface = iface->next)
+ 		     if (iface->index == if_index)
+ 		       break;
+ 		   
+-		   if (!iface)
++		   if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name))
+ 		     client_ok = 0;
+ 		 }
+ 	       
+@@ -1422,10 +1431,10 @@ static void check_dns_listeners(fd_set *
+ 		 iface = listener->iface; /* May be NULL */
+ 	       else
+ 		 {
+-		   /* Check for allowed interfaces when binding the wildcard address:
+-		      we do this by looking for an interface with the same address as 
+-		      the local address of the TCP connection, then looking to see if that's
+-		      an allowed interface. As a side effect, we get the netmask of the
++		    /* Check for allowed interfaces when binding the wildcard address:
++		       we do this by looking for an interface with the same address as 
++		       the local address of the TCP connection, then looking to see if that's
++		       an allowed interface. As a side effect, we get the netmask of the
+ 		      interface too, for localisation. */
+ 		   
+ 		   for (iface = daemon->interfaces; iface; iface = iface->next)
+diff -up dnsmasq-2.65/src/dnsmasq.h.local_queries dnsmasq-2.65/src/dnsmasq.h
+--- dnsmasq-2.65/src/dnsmasq.h.local_queries	2013-01-31 09:07:45.000000000 +0100
++++ dnsmasq-2.65/src/dnsmasq.h	2013-01-31 09:10:36.091202196 +0100
+@@ -954,6 +954,7 @@ void create_wildcard_listeners(void);
+ void create_bound_listeners(int die);
+ int is_dad_listeners(void);
+ int iface_check(int family, struct all_addr *addr, char *name);
++int loopback_exception(int fd, int family, struct all_addr *addr, char *name);
+ int fix_fd(int fd);
+ int tcp_interface(int fd, int af);
+ struct in_addr get_ifaddr(char *intr);
+diff -up dnsmasq-2.65/src/forward.c.local_queries dnsmasq-2.65/src/forward.c
+--- dnsmasq-2.65/src/forward.c.local_queries	2012-12-14 12:48:26.000000000 +0100
++++ dnsmasq-2.65/src/forward.c	2013-01-31 09:19:58.087573008 +0100
+@@ -759,10 +759,17 @@ void receive_query(struct listener *list
+       
+       /* enforce available interface configuration */
+       
+-      if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
+-	  !iface_check(listen->family, &dst_addr, ifr.ifr_name))
++      if (!indextoname(listen->fd, if_index, ifr.ifr_name))
+ 	return;
+       
++	   if (!iface_check(listen->family, &dst_addr, ifr.ifr_name))
++	{
++	   if (!option_bool(OPT_CLEVERBIND))
++	     enumerate_interfaces(); 
++	   if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
++	     return;
++	}
++
+       if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
+ 	{
+ 	  struct irec *iface;
+@@ -776,7 +783,7 @@ void receive_query(struct listener *list
+ 	      break;
+ 	  
+ 	  /* interface may be new */
+-	  if (!iface)
++	  if (!iface && !option_bool(OPT_CLEVERBIND))
+ 	    enumerate_interfaces(); 
+ 	  
+ 	  for (iface = daemon->interfaces; iface; iface = iface->next)
+diff -up dnsmasq-2.65/src/network.c.local_queries dnsmasq-2.65/src/network.c
+--- dnsmasq-2.65/src/network.c.local_queries	2013-01-31 09:07:45.000000000 +0100
++++ dnsmasq-2.65/src/network.c	2013-01-31 09:25:28.669822969 +0100
+@@ -144,7 +144,39 @@ int iface_check(int family, struct all_a
+     
+   return ret; 
+ }
+-      
++
++/* Fix for problem that the kernel sometimes reports the loopback inerface as the
++   arrival interface when a packet originates locally, even when sent to address of 
++   an interface other than the loopback. Accept packet if it arrived via a loopback 
++   interface, even when we're not accepting packets that way, as long as the destination
++   address is one we're believing. Interface list must be up-to-date before calling. */
++int loopback_exception(int fd, int family, struct all_addr *addr, char *name)    
++{
++  struct ifreq ifr;
++  struct irec *iface;
++
++  strncpy(ifr.ifr_name, name, IF_NAMESIZE);
++  if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
++      ifr.ifr_flags & IFF_LOOPBACK)
++    {
++      for (iface = daemon->interfaces; iface; iface = iface->next)
++	if (iface->addr.sa.sa_family == family)
++	  {
++	    if (family == AF_INET)
++	      {
++		if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
++		  return 1;
++	      }
++#ifdef HAVE_IPV6
++	    else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6))
++	      return 1;
++#endif
++	    
++	  }
++    }
++  return 0;
++}
++
+ static int iface_allowed(struct irec **irecp, int if_index, 
+ 			 union mysockaddr *addr, struct in_addr netmask, int dad) 
+ {
+diff -up dnsmasq-2.65/src/tftp.c.local_queries dnsmasq-2.65/src/tftp.c
+--- dnsmasq-2.65/src/tftp.c.local_queries	2012-12-14 12:48:26.000000000 +0100
++++ dnsmasq-2.65/src/tftp.c	2013-01-31 09:49:44.478008214 +0100
+@@ -61,6 +61,7 @@ void tftp_request(struct listener *liste
+   char *name = NULL;
+   char *prefix = daemon->tftp_prefix;
+   struct tftp_prefix *pref;
++  struct all_addr addra;
+ 
+   union {
+     struct cmsghdr align; /* this ensures alignment */
+@@ -190,16 +191,19 @@ void tftp_request(struct listener *liste
+ 
+       name = namebuff;
+ 
++      addra.addr.addr4 = addr.in.sin_addr;
++
+ #ifdef HAVE_IPV6
+       if (listen->family == AF_INET6)
++        addra.addr.addr6 = addr.in6.sin6_addr;
++#endif
++    if (!iface_check(listen->family, &addra, name))
+ 	{
+-	  if (!iface_check(AF_INET6, (struct all_addr *)&addr.in6.sin6_addr, name))
++	  if (!option_bool(OPT_CLEVERBIND))
++	    enumerate_interfaces(); 
++	  if (!loopback_exception(listen->tftpfd, listen->family, &addra, name))
+ 	    return;
+ 	}
+-      else
+-#endif
+-        if (!iface_check(AF_INET, (struct all_addr *)&addr.in.sin_addr, name))
+-	  return;
+ 
+ #ifdef HAVE_DHCP      
+       /* allowed interfaces are the same as for DHCP */
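Review bot: The rewritten guard at the top of the first nested hunk, `if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 && indextoname(listener->tcpfd, if_index, intr_name))`, fails open: when tcp_interface() returns a non-zero index but indextoname() fails, the whole interface check is skipped and client_ok keeps whatever value it had, whereas the removed code rejected any non-zero index not found in daemon->interfaces. Safer is to keep `if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)` as the outer test, record `int have_name = indextoname(listener->tcpfd, if_index, intr_name);` inside the block, and reject with `if (!iface && (!have_name || !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name)))`. In loopback_exception() the `strncpy(ifr.ifr_name, name, IF_NAMESIZE);` leaves ifr_name unterminated when name fills all IF_NAMESIZE bytes; the visible callers appear to pass a name produced by indextoname(), so this is presumably fine today, but an explicit `ifr.ifr_name[IF_NAMESIZE - 1] = 0;` after the copy would make the helper safe for any caller. The enclosing functions check_dns_listeners, receive_query and tftp_request all start and end outside the hunks shown.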
diff --git a/dnsmasq.spec b/dnsmasq.spec
index ec5f8ab..8573333 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -11,7 +11,7 @@
 
 Name:           dnsmasq
 Version:        2.65
-Release:        3%{?extraversion}%{?dist}
+Release:        4%{?extraversion}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server
 
 Group:          System Environment/Daemons
@@ -22,6 +22,8 @@ Source1:        %{name}.service
 
 # http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=22ce550e5346947a12a781ed0959a7b1165d0dc6
 Patch0:         %{name}-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch
+# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e25db1f273920d58c5d2e7569cd087e5bd73dd73
+Patch1:         %{name}-2.65-Handle-wrong-interface-for-locally-routed-packets.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -57,6 +59,7 @@ query/remove a DHCP server's leases.
 %setup -q -n %{name}-%{version}%{?extraversion}
 
 %patch0 -p1 -b .CVE-2013-0198
+%patch1 -p1 -b .local_queries
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -134,6 +137,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/dhcp_*
 
 %changelog
+* Thu Jan 31 2013 Tomas Hozza <thozza at redhat.com> - 2.65-4
+- Handle locally-routed DNS Queries (#904940)
+
 * Thu Jan 24 2013 Tomas Hozza <thozza at redhat.com> - 2.65-3
 - build dnsmasq with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly (#903362) 
 

