openwrt/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch
Hauke Mehrtens e87c0d934c dnsmasq: Update to version 2.83
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 is susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-19 13:01:03 +01:00

179 lines
5.1 KiB
Diff

From 7df4c681678612d196b4e1eec24963d181fdb28a Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Date: Sun, 5 Apr 2020 17:18:23 +0100
Subject: [PATCH] drop runtime old kernel support
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/dnsmasq.c | 4 ----
src/dnsmasq.h | 5 +---
src/ipset.c | 64 ++++-----------------------------------------------
src/netlink.c | 3 +--
src/util.c | 19 ---------------
5 files changed, 6 insertions(+), 89 deletions(-)
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -95,10 +95,6 @@ int main (int argc, char **argv)
read_opts(argc, argv, compile_opts);
-#ifdef HAVE_LINUX_NETWORK
- daemon->kernel_version = kernel_version();
-#endif
-
if (daemon->edns_pktsz < PACKETSZ)
daemon->edns_pktsz = PACKETSZ;
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1125,7 +1125,7 @@ extern struct daemon {
int inotifyfd;
#endif
#if defined(HAVE_LINUX_NETWORK)
- int netlinkfd, kernel_version;
+ int netlinkfd;
#elif defined(HAVE_BSD_NETWORK)
int dhcp_raw_fd, dhcp_icmp_fd, routefd;
#endif
@@ -1306,9 +1306,6 @@ int read_write(int fd, unsigned char *pa
void close_fds(long max_fd, int spare1, int spare2, int spare3);
int wildcard_match(const char* wildcard, const char* match);
int wildcard_matchn(const char* wildcard, const char* match, int num);
-#ifdef HAVE_LINUX_NETWORK
-int kernel_version(void);
-#endif
/* log.c */
void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN;
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -70,7 +70,7 @@ struct my_nfgenmsg {
#define NL_ALIGN(len) (((len)+3) & ~(3))
static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
-static int ipset_sock, old_kernel;
+static int ipset_sock;
static char *buffer;
static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
@@ -85,12 +85,7 @@ static inline void add_attr(struct nlmsg
void ipset_init(void)
{
- old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32));
-
- if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
- return;
-
- if (!old_kernel &&
+ if (
(buffer = safe_malloc(BUFF_SZ)) &&
(ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
(bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
@@ -147,65 +142,14 @@ static int new_add_to_ipset(const char *
return errno == 0 ? 0 : -1;
}
-
-static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove)
-{
- socklen_t size;
- struct ip_set_req_adt_get {
- unsigned op;
- unsigned version;
- union {
- char name[IPSET_MAXNAMELEN];
- uint16_t index;
- } set;
- char typename[IPSET_MAXNAMELEN];
- } req_adt_get;
- struct ip_set_req_adt {
- unsigned op;
- uint16_t index;
- uint32_t ip;
- } req_adt;
-
- if (strlen(setname) >= sizeof(req_adt_get.set.name))
- {
- errno = ENAMETOOLONG;
- return -1;
- }
-
- req_adt_get.op = 0x10;
- req_adt_get.version = 3;
- strcpy(req_adt_get.set.name, setname);
- size = sizeof(req_adt_get);
- if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
- return -1;
- req_adt.op = remove ? 0x102 : 0x101;
- req_adt.index = req_adt_get.set.index;
- req_adt.ip = ntohl(ipaddr->addr4.s_addr);
- if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
- return -1;
-
- return 0;
-}
-
-
-
int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
{
int ret = 0, af = AF_INET;
if (flags & F_IPV6)
- {
af = AF_INET6;
- /* old method only supports IPv4 */
- if (old_kernel)
- {
- errno = EAFNOSUPPORT ;
- ret = -1;
- }
- }
-
- if (ret != -1)
- ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
+
+ ret = new_add_to_ipset(setname, ipaddr, af, remove);
if (ret == -1)
my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -92,8 +92,7 @@ char *netlink_init(void)
iov.iov_len = 100;
iov.iov_base = safe_malloc(iov.iov_len);
- if (daemon->kernel_version >= KERNEL_VERSION(2,6,30) &&
- setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1)
+ if (setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1)
return _("warning: failed to set NETLINK_NO_ENOBUFS on netlink socket");
return NULL;
--- a/src/util.c
+++ b/src/util.c
@@ -786,22 +786,3 @@ int wildcard_matchn(const char* wildcard
return (!num) || (*wildcard == *match);
}
-
-#ifdef HAVE_LINUX_NETWORK
-int kernel_version(void)
-{
- struct utsname utsname;
- int version;
- char *split;
-
- if (uname(&utsname) < 0)
- die(_("failed to find kernel version: %s"), NULL, EC_MISC);
-
- split = strtok(utsname.release, ".");
- version = (split ? atoi(split) : 0);
- split = strtok(NULL, ".");
- version = version * 256 + (split ? atoi(split) : 0);
- split = strtok(NULL, ".");
- return version * 256 + (split ? atoi(split) : 0);
-}
-#endif