diff --git a/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch new file mode 100644 index 0000000..87872a0 --- /dev/null +++ b/dnsmasq-2.65-Handle-wrong-interface-for-locally-routed-packets.patch @@ -0,0 +1,178 @@ +diff -up dnsmasq-2.65/src/dnsmasq.c.local_queries dnsmasq-2.65/src/dnsmasq.c +--- dnsmasq-2.65/src/dnsmasq.c.local_queries 2013-01-31 09:07:45.603092125 +0100 ++++ dnsmasq-2.65/src/dnsmasq.c 2013-01-31 09:07:45.606092127 +0100 +@@ -1401,20 +1401,29 @@ static void check_dns_listeners(fd_set * + else + { + int if_index; +- ++ char intr_name[IF_NAMESIZE]; ++ + /* In full wildcard mode, need to refresh interface list. + This happens automagically in CLEVERBIND */ +- if (!option_bool(OPT_CLEVERBIND)) +- enumerate_interfaces(); +- +- /* if we can find the arrival interface, check it's one that's allowed */ +- if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0) ++ if (!option_bool(OPT_CLEVERBIND)) ++ enumerate_interfaces(); ++ ++ /* if we can find the arrival interface, check it's one that's allowed */ ++ if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 && ++ indextoname(listener->tcpfd, if_index, intr_name)) + { ++ struct all_addr addr; ++ addr.addr.addr4 = tcp_addr.in.sin_addr; ++#ifdef HAVE_IPV6 ++ if (tcp_addr.sa.sa_family == AF_INET6) ++ addr.addr.addr6 = tcp_addr.in6.sin6_addr; ++#endif ++ + for (iface = daemon->interfaces; iface; iface = iface->next) + if (iface->index == if_index) + break; + +- if (!iface) ++ if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name)) + client_ok = 0; + } + +@@ -1422,10 +1431,10 @@ static void check_dns_listeners(fd_set * + iface = listener->iface; /* May be NULL */ + else + { +- /* Check for allowed interfaces when binding the wildcard address: +- we do this by looking for an interface with the same address as +- the local address of the TCP connection, then looking to see if that's +- an allowed interface. As a side effect, we get the netmask of the ++ /* Check for allowed interfaces when binding the wildcard address: ++ we do this by looking for an interface with the same address as ++ the local address of the TCP connection, then looking to see if that's ++ an allowed interface. As a side effect, we get the netmask of the + interface too, for localisation. */ + + for (iface = daemon->interfaces; iface; iface = iface->next) +diff -up dnsmasq-2.65/src/dnsmasq.h.local_queries dnsmasq-2.65/src/dnsmasq.h +--- dnsmasq-2.65/src/dnsmasq.h.local_queries 2013-01-31 09:07:45.000000000 +0100 ++++ dnsmasq-2.65/src/dnsmasq.h 2013-01-31 09:10:36.091202196 +0100 +@@ -954,6 +954,7 @@ void create_wildcard_listeners(void); + void create_bound_listeners(int die); + int is_dad_listeners(void); + int iface_check(int family, struct all_addr *addr, char *name); ++int loopback_exception(int fd, int family, struct all_addr *addr, char *name); + int fix_fd(int fd); + int tcp_interface(int fd, int af); + struct in_addr get_ifaddr(char *intr); +diff -up dnsmasq-2.65/src/forward.c.local_queries dnsmasq-2.65/src/forward.c +--- dnsmasq-2.65/src/forward.c.local_queries 2012-12-14 12:48:26.000000000 +0100 ++++ dnsmasq-2.65/src/forward.c 2013-01-31 09:19:58.087573008 +0100 +@@ -759,10 +759,17 @@ void receive_query(struct listener *list + + /* enforce available interface configuration */ + +- if (!indextoname(listen->fd, if_index, ifr.ifr_name) || +- !iface_check(listen->family, &dst_addr, ifr.ifr_name)) ++ if (!indextoname(listen->fd, if_index, ifr.ifr_name)) + return; + ++ if (!iface_check(listen->family, &dst_addr, ifr.ifr_name)) ++ { ++ if (!option_bool(OPT_CLEVERBIND)) ++ enumerate_interfaces(); ++ if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name)) ++ return; ++ } ++ + if (listen->family == AF_INET && option_bool(OPT_LOCALISE)) + { + struct irec *iface; +@@ -776,7 +783,7 @@ void receive_query(struct listener *list + break; + + /* interface may be new */ +- if (!iface) ++ if (!iface && !option_bool(OPT_CLEVERBIND)) + enumerate_interfaces(); + + for (iface = daemon->interfaces; iface; iface = iface->next) +diff -up dnsmasq-2.65/src/network.c.local_queries dnsmasq-2.65/src/network.c +--- dnsmasq-2.65/src/network.c.local_queries 2013-01-31 09:07:45.000000000 +0100 ++++ dnsmasq-2.65/src/network.c 2013-01-31 09:25:28.669822969 +0100 +@@ -144,7 +144,39 @@ int iface_check(int family, struct all_a + + return ret; + } +- ++ ++/* Fix for problem that the kernel sometimes reports the loopback inerface as the ++ arrival interface when a packet originates locally, even when sent to address of ++ an interface other than the loopback. Accept packet if it arrived via a loopback ++ interface, even when we're not accepting packets that way, as long as the destination ++ address is one we're believing. Interface list must be up-to-date before calling. */ ++int loopback_exception(int fd, int family, struct all_addr *addr, char *name) ++{ ++ struct ifreq ifr; ++ struct irec *iface; ++ ++ strncpy(ifr.ifr_name, name, IF_NAMESIZE); ++ if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 && ++ ifr.ifr_flags & IFF_LOOPBACK) ++ { ++ for (iface = daemon->interfaces; iface; iface = iface->next) ++ if (iface->addr.sa.sa_family == family) ++ { ++ if (family == AF_INET) ++ { ++ if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr) ++ return 1; ++ } ++#ifdef HAVE_IPV6 ++ else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6)) ++ return 1; ++#endif ++ ++ } ++ } ++ return 0; ++} ++ + static int iface_allowed(struct irec **irecp, int if_index, + union mysockaddr *addr, struct in_addr netmask, int dad) + { +diff -up dnsmasq-2.65/src/tftp.c.local_queries dnsmasq-2.65/src/tftp.c +--- dnsmasq-2.65/src/tftp.c.local_queries 2012-12-14 12:48:26.000000000 +0100 ++++ dnsmasq-2.65/src/tftp.c 2013-01-31 09:49:44.478008214 +0100 +@@ -61,6 +61,7 @@ void tftp_request(struct listener *liste + char *name = NULL; + char *prefix = daemon->tftp_prefix; + struct tftp_prefix *pref; ++ struct all_addr addra; + + union { + struct cmsghdr align; /* this ensures alignment */ +@@ -190,16 +191,19 @@ void tftp_request(struct listener *liste + + name = namebuff; + ++ addra.addr.addr4 = addr.in.sin_addr; ++ + #ifdef HAVE_IPV6 + if (listen->family == AF_INET6) ++ addra.addr.addr6 = addr.in6.sin6_addr; ++#endif ++ if (!iface_check(listen->family, &addra, name)) + { +- if (!iface_check(AF_INET6, (struct all_addr *)&addr.in6.sin6_addr, name)) ++ if (!option_bool(OPT_CLEVERBIND)) ++ enumerate_interfaces(); ++ if (!loopback_exception(listen->tftpfd, listen->family, &addra, name)) + return; + } +- else +-#endif +- if (!iface_check(AF_INET, (struct all_addr *)&addr.in.sin_addr, name)) +- return; + + #ifdef HAVE_DHCP + /* allowed interfaces are the same as for DHCP */ diff --git a/dnsmasq.spec b/dnsmasq.spec index ec5f8ab..8573333 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -11,7 +11,7 @@ Name: dnsmasq Version: 2.65 -Release: 3%{?extraversion}%{?dist} +Release: 4%{?extraversion}%{?dist} Summary: A lightweight DHCP/caching DNS server Group: System Environment/Daemons @@ -22,6 +22,8 @@ Source1: %{name}.service # http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=22ce550e5346947a12a781ed0959a7b1165d0dc6 Patch0: %{name}-2.65-Correct-behaviour-for-TCP-queries-to-allowed-address.patch +# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e25db1f273920d58c5d2e7569cd087e5bd73dd73 +Patch1: %{name}-2.65-Handle-wrong-interface-for-locally-routed-packets.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -57,6 +59,7 @@ query/remove a DHCP server's leases. %setup -q -n %{name}-%{version}%{?extraversion} %patch0 -p1 -b .CVE-2013-0198 +%patch1 -p1 -b .local_queries # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do @@ -134,6 +137,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/dhcp_* %changelog +* Thu Jan 31 2013 Tomas Hozza - 2.65-4 +- Handle locally-routed DNS Queries (#904940) + * Thu Jan 24 2013 Tomas Hozza - 2.65-3 - build dnsmasq with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly (#903362)