diff --git a/0141-Fix-memory-leak-in-helper.c.patch b/0141-Fix-memory-leak-in-helper.c.patch
deleted file mode 100644
index 88b72f69f7af42378ec6bbbe200b504668666276..0000000000000000000000000000000000000000
--- a/0141-Fix-memory-leak-in-helper.c.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 69bc94779c2f035a9fffdb5327a54c3aeca73ed5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Wed, 14 Aug 2019 20:44:50 +0100
-Subject: [PATCH 141/156] Fix memory leak in helper.c
-
-Thanks to Xu Mingjie for spotting this.
----
- src/helper.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/helper.c b/src/helper.c
-index 33ba120..c392eec 100644
---- a/src/helper.c
-+++ b/src/helper.c
-@@ -80,7 +80,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
- pid_t pid;
- int i, pipefd[2];
- struct sigaction sigact;
--
-+ unsigned char *alloc_buff = NULL;
-+
- /* create the pipe through which the main program sends us commands,
- then fork our process. */
- if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
-@@ -186,11 +187,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
- struct script_data data;
- char *p, *action_str, *hostname = NULL, *domain = NULL;
- unsigned char *buf = (unsigned char *)daemon->namebuff;
-- unsigned char *end, *extradata, *alloc_buff = NULL;
-+ unsigned char *end, *extradata;
- int is6, err = 0;
- int pipeout[2];
-
-- free(alloc_buff);
-+ /* Free rarely-allocated memory from previous iteration. */
-+ if (alloc_buff)
-+ {
-+ free(alloc_buff);
-+ alloc_buff = NULL;
-+ }
-
- /* we read zero bytes when pipe closed: this is our signal to exit */
- if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
---
-1.8.3.1
-
diff --git a/bugfix-allow-binding-mac-with-ipv6.patch b/bugfix-allow-binding-mac-with-ipv6.patch
index 3a1dad2f1a948526de064dedc26629b948dc23e4..add5225b8a38334b9dbaeddb5d3b048c811a9c0a 100644
--- a/bugfix-allow-binding-mac-with-ipv6.patch +++ b/bugfix-allow-binding-mac-with-ipv6.patch @@ -29,17 +29,17 @@ diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 6773b69..8b31d42 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -250,7 +250,8 @@ struct event_desc { - #define OPT_MAC_B64 54 - #define OPT_MAC_HEX 55 - #define OPT_TFTP_APREF_MAC 56 --#define OPT_LAST 57 -+#define OPT_BIND_MAC_IP6 57 -+#define OPT_LAST 58 - - /* extra flags for my_syslog, we use a couple of facilities since they are known - not to occupy the same bits as priorities, no matter how syslog.h is set up. */ -@@ -1000,6 +1001,7 @@ extern struct daemon { +@@ -269,7 +269,8 @@ struct event_desc { + #define OPT_IGNORE_CLID 59 + #define OPT_SINGLE_PORT 60 + #define OPT_LEASE_RENEW 61 +-#define OPT_LAST 62 ++#define OPT_BIND_MAC_IP6 62 ++#define OPT_LAST 63 + + #define OPTION_BITS (sizeof(unsigned int)*8) + #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) +@@ -1049,6 +1050,7 @@ extern struct daemon { int override; int enable_pxe; int doing_ra, doing_dhcp6; @@ -51,26 +51,28 @@ diff --git a/src/option.c b/src/option.c index d358d99..919e5a3 100644 --- a/src/option.c 
+++ b/src/option.c -@@ -160,6 +160,7 @@ struct myoption { - #define LOPT_DHCPTTL 348 - #define LOPT_TFTP_MTU 349 - #define LOPT_REPLY_DELAY 350 -+#define LOPT_BIND_MAC_IP6 351 - +@@ -167,7 +167,8 @@ struct myoption { + #define LOPT_IGNORE_CLID 358 + #define LOPT_SINGLE_PORT 359 + #define LOPT_SCRIPT_TIME 360 +- ++#define LOPT_BIND_MAC_IP6 361 ++ #ifdef HAVE_GETOPT_LONG static const struct option opts[] = -@@ -325,6 +326,7 @@ static const struct myoption opts[] = - { "script-arp", 0, 0, LOPT_SCRIPT_ARP }, - { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL }, - { "dhcp-reply-delay", 1, 0, LOPT_REPLY_DELAY }, + #else +@@ -339,6 +340,7 @@ static const struct myoption opts[] = + { "dumpfile", 1, 0, LOPT_DUMPFILE }, + { "dumpmask", 1, 0, LOPT_DUMPMASK }, + { "dhcp-ignore-clid", 0, 0, LOPT_IGNORE_CLID }, + { "bind-mac-with-ip6", 0, 0 , LOPT_BIND_MAC_IP6 }, { NULL, 0, 0, 0 } }; -@@ -497,6 +499,7 @@ static struct { - { LOPT_IGNORE_ADDR, ARG_DUP, "", gettext_noop("Ignore DNS responses containing ipaddr."), NULL }, - { LOPT_DHCPTTL, ARG_ONE, "", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL }, - { LOPT_REPLY_DELAY, ARG_ONE, "", gettext_noop("Delay DHCP replies for at least number of seconds."), NULL }, +@@ -518,6 +520,7 @@ static struct { + { LOPT_DUMPFILE, ARG_ONE, "", gettext_noop("Path to debug packet dump file"), NULL }, + { LOPT_DUMPMASK, ARG_ONE, "", gettext_noop("Mask which packets to dump"), NULL }, + { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL }, + { LOPT_BIND_MAC_IP6, OPT_BIND_MAC_IP6, NULL, gettext_noop("Bind mac with ipv6 address. This is an experimental feature and it conflicts with rfc3315."), NULL }, { 0, 0, NULL, NULL, NULL } }; @@ -79,25 +81,26 @@ diff --git a/src/rfc3315.c b/src/rfc3315.c index 21fcd9b..defd966 100644 --- a/src/rfc3315.c 
+++ b/src/rfc3315.c -@@ -55,6 +55,7 @@ static struct prefix_class *prefix_class_from_context(struct dhcp_context *conte +@@ -49,6 +49,7 @@ static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz); static void mark_context_used(struct state *state, struct in6_addr *addr); static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr); static int check_address(struct state *state, struct in6_addr *addr); +static int check_and_try_preempte_address(struct state *state, struct in6_addr *addr, time_t now, struct dhcp_config *config); + static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now); + static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr); static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option, - unsigned int *min_time, struct in6_addr *addr, time_t now); - static void update_leases(struct state *state, struct dhcp_context *context, struct in6_addr *addr, unsigned int lease_time, time_t now); -@@ -746,7 +747,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ +@@ -703,7 +704,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + for (c = state->context; c; c = c->current) if (!(c->flags & CONTEXT_CONF_USED) && match_netid(c->filter, solicit_tags, plain_range) && - config_valid(config, c, &addr) && -- check_address(state, &addr)) +- config_valid(config, c, &addr, state, now)) ++ config_valid(config, c, &addr, state, now) && + check_and_try_preempte_address(state, &addr, now, config)) { mark_config_used(state->context, &addr); if (have_config(config, CONFIG_TIME)) -@@ -1744,6 +1745,37 @@ static int check_address(struct state *state, struct in6_addr *addr) - return 1; +@@ -1259,6 +1261,37 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, 
size_ + } +static int check_and_try_preempte_address(struct state *state, struct in6_addr *addr, time_t now, struct dhcp_config *config) @@ -131,9 +134,9 @@ index 21fcd9b..defd966 100644 + return 1; +} + - - /* Calculate valid and preferred times to send in leases/renewals. - + static struct dhcp_netid *add_options(struct state *state, int do_refresh) + { + void *oro; -- 2.19.1 diff --git a/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch b/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch index 761abbfa8d3592ad8ce6c0953deae16b92240a34..8457af8c9edbd19d161e8c3804c340339dd4ff39 100644 --- a/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch +++ b/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch @@ -12,7 +12,7 @@ diff --git a/src/rfc3315.c b/src/rfc3315.c index defd966..f8ba7e4 100644 --- a/src/rfc3315.c +++ b/src/rfc3315.c -@@ -1087,11 +1087,31 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ +@@ -1031,11 +1031,31 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ case DHCP6CONFIRM: { int good_addr = 0; @@ -44,12 +44,12 @@ index defd966..f8ba7e4 100644 for (opt = state->packet_options; opt; opt = opt6_next(opt, state->end)) { -@@ -1112,6 +1132,16 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ +@@ -1060,6 +1080,16 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ return 1; } + if(daemon->bind_mac_with_ip6) { -+ if (!is_same_net6(req_addr, &find_config->addr6, 128)) { ++ if (!is_same_net6(&req_addr, &find_config->addr6, 128)) { + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6NOTONLINK); + put_opt6_string(_("confirm failed, not binding to this address")); @@ -59,7 +59,7 @@ index defd966..f8ba7e4 100644 + } + good_addr = 1; - log6_quiet(state, "DHCPREPLY", req_addr, state->hostname); + log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname); } -- 2.19.1 
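Review bot: In the refreshed `dhcp6_no_relay` hunk of bugfix-allow-binding-mac-with-ipv6.patch, `check_and_try_preempte_address(state, &addr, now, config)` is now chained after `config_valid(config, c, &addr, state, now)`, whereas the previous revision of the patch put it in place of `check_address(state, &addr)`. The new `state` and `now` arguments and the missing `check_address` call at this site suggest that `config_valid` now performs the in-use check itself; that is an inference, since its body is not visible here. If so, a configured address still leased to another client fails `config_valid` first and the preemption path never runs, so `bind-mac-with-ip6` silently stops doing what its help text describes. Please confirm against the 2.81 `config_valid` body, and add a comment at the call site such as `/* preemption only reached when config_valid() accepts addr; see bind_mac_with_ip6 */` or move the preemption decision ahead of the availability check.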
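Review bot: The DHCP6CONFIRM hunk of bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch was rebased only by changing `req_addr` to `&req_addr`, so `is_same_net6(&req_addr, &find_config->addr6, 128)` still assumes `addr6` is a `struct in6_addr` embedded in the config. The refreshed prototypes in the sibling patch show `config_implies()` returning `struct addrlist *`, which suggests configured IPv6 addresses are kept as a list in this release. If `dhcp_config.addr6` is now a pointer, this call compares the request against the pointer's own bytes, and a client's CONFIRM would always be answered with DHCP6NOTONLINK. `find_config` is also dereferenced with no NULL check in this hunk; it is assigned in the earlier hunk whose body is not shown, so please confirm it cannot be NULL for a client with no matching config, or guard it with `if (!find_config || !is_same_net6(...))`. This path handles unauthenticated client packets, so a bad dereference here is reachable from the network.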
diff --git a/dnsmasq-2.77-underflow.patch b/dnsmasq-2.77-underflow.patch index 2e900bfba04777b4da9b60171990e4317f17156f..e5087aa29f45c49678fa3f2696100b590ddfc656 100644 --- a/dnsmasq-2.77-underflow.patch +++ b/dnsmasq-2.77-underflow.patch @@ -34,7 +34,7 @@ diff --git a/src/forward.c b/src/forward.c index cdd11d3..3078f64 100644 --- a/src/forward.c +++ b/src/forward.c -@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now) +@@ -1547,6 +1547,10 @@ void receive_query(struct listener *listen, time_t now) udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ } @@ -49,15 +49,15 @@ diff --git a/src/rfc1035.c b/src/rfc1035.c index b078b59..777911b 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c -@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; +@@ -1339,6 +1339,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, struct mx_srv_record *rec; size_t len; + int rd_bit = (header->hb3 & HB3_RD); + // Make sure we do not underflow here too. + if (qlen > (limit - ((char *)header))) return 0; + /* never answer queries with RD unset, to avoid cache snooping. */ if (ntohs(header->ancount) != 0 || - ntohs(header->nscount) != 0 || -- 2.14.3 diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch index 011433c76f57c533b1f3627113a5125c96f5ee8d..bbbac685470597425ace09829758d65daa4f80d0 100644 --- a/dnsmasq-2.78-fips.patch +++ b/dnsmasq-2.78-fips.patch @@ -12,7 +12,7 @@ diff --git a/src/dnsmasq.c b/src/dnsmasq.c index ce44809..9f6c020 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -187,6 +187,7 @@ int main (int argc, char **argv) +@@ -193,6 +193,7 @@ int main (int argc, char **argv) if (daemon->cachesize < CACHESIZ) die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); 
@@ -21,13 +21,13 @@ index ce44809..9f6c020 100644 die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); #endif @@ -769,7 +770,10 @@ int main (int argc, char **argv) - } - - my_syslog(LOG_INFO, _("DNSSEC validation enabled")); + my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted")); + else + my_syslog(LOG_INFO, _("DNSSEC validation enabled")); - + -+ if (access("/etc/system-fips", F_OK) == 0) -+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); ++ if (access("/etc/system-fips", F_OK) == 0) ++ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); + daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) diff --git a/dnsmasq-2.79.tar.xz b/dnsmasq-2.79.tar.xz deleted file mode 100644 index d2baa873556eb9853a36cbbe49667a7d73378078..0000000000000000000000000000000000000000 Binary files a/dnsmasq-2.79.tar.xz and /dev/null differ diff --git a/dnsmasq-2.80-dnssec.patch b/dnsmasq-2.80-dnssec.patch deleted file mode 100644 index a34f46eccdefff71b7c6ec9daea237c2beb62701..0000000000000000000000000000000000000000 --- a/dnsmasq-2.80-dnssec.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 29 Jun 2018 14:39:41 +0100 -Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not - enabled. - -Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective -of of having DNSSEC validation compiled in or enabled. - -The thing to understand here is that the cache does not store all the -DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required -to determine the set of DNSSEC RRs required in an answer. Therefore if -the client wants the DNSSEC RRs, the query can not be answered from -the cache. When DNSSEC validation is enabled, any query with the -do-bit set is never answered from the cache, unless the domain is -known not to be signed: the query is always forwarded. This ensures -that the DNSEC RRs are included. - -The same thing should be true when DNSSEC validation is not enabled, -but there's a bug in the logic. - -line 1666 of src/rfc1035.c looks like this - - if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK)) - -{ ...answer from cache ... } - -So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set -then the query is answered, and if the domain is known not to be -signed, the query is answered. - -Unfortunately, if DNSSEC validation is not turned on then the -F_DNSSECOK bit is not valid, and it's always zero, so the question -always gets answered from the cache, even when the do-bit is set. - -This code should look like that at line 1468, dealing with PTR queries - - if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || - !do_bit || - (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))) - -where the F_DNSSECOK bit is only used when validation is enabled. 
---- - src/rfc1035.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index ebb1f36..580f5ef 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - - /* If the client asked for DNSSEC don't use cached data. */ -- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK)) -+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || -+ !do_bit || -+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))) - do - { - /* don't answer wildcard queries with data not from /etc/hosts -@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - { - if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) && - (qtype == T_CNAME || (crecp->flags & F_CONFIG)) && -- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK))) -+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))) - { - if (!(crecp->flags & F_DNSSECOK)) - sec_data = 0; --- -2.14.4 - diff --git a/dnsmasq-2.81.tar.xz b/dnsmasq-2.81.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..8e4453891f44889d3c28fc105b880d92ee6764ef Binary files /dev/null and b/dnsmasq-2.81.tar.xz differ diff --git a/dnsmasq.spec b/dnsmasq.spec index 1dd6481fb8093d216580903577749825b182149d..a66fa4b57f16b696b55b974c4f86c0ba49433a70 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -1,6 +1,6 @@ Name: dnsmasq -Version: 2.79 -Release: 11 +Version: 2.81 +Release: 12 Summary: Dnsmasq provides network infrastructure for small networks License: GPLv2 or GPLv3 URL: http://www.thekelleys.org.uk/dnsmasq/ 
@@ -11,9 +11,7 @@ Source2: dnsmasq-systemd-sysusers.conf #patches from the opensource fedora/redhat repository Patch0001: dnsmasq-2.77-underflow.patch Patch0002: dnsmasq-2.78-fips.patch -Patch0003: dnsmasq-2.80-dnssec.patch -Patch6000: 0141-Fix-memory-leak-in-helper.c.patch Patch9000: bugfix-allow-binding-mac-with-ipv6.patch Patch9001: bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch @@ -109,6 +107,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf %{_mandir}/man8/dnsmasq* %changelog +* Mon Jun 22 2020 cuibaobao - 2.81-12 +- Type:update +- Id:NA +- SUG:NA +- DESC:update to 2.81 + * Sat Dec 21 2019 openEuler Buildteam - 2.79-11 - Type:bugfix - Id:NA