--- dnsmasq-2.75.orig/Makefile
+++ dnsmasq-2.75/Makefile
@@ -73,7 +73,8 @@
 dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
 helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
 dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o
+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o \
+ hash_questions.o
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
 dns-protocol.h radv-protocol.h ip6addr.h
--- dnsmasq-2.75.orig/bld/Android.mk
+++ dnsmasq-2.75/bld/Android.mk
@@ -10,7 +10,7 @@
 dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
 radv.c slaac.c auth.c ipset.c domain.c \
 dnssec.c dnssec-openssl.c blockdata.c tables.c \
- loop.c inotify.c poll.c
+ loop.c inotify.c poll.c hash_questions.c
 LOCAL_MODULE := dnsmasq
--- dnsmasq-2.75.orig/debian/changelog
+++ dnsmasq-2.75/debian/changelog
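Review bot: The objs list gains hash_questions.o, but the hdrs list two lines below is left unchanged, so if the backported hash_questions.c ships with a header of its own it will not be in the header set these rules track for rebuilds; if its interface is declared in the already-listed dnsmasq.h, nothing further is needed here. The Android.mk hunk in the same patch adds the matching hash_questions.c, so the two source lists stay consistent. The changelog hunk that follows attributes CVE-2020-25685 to a weak hash, which is presumably what this new object replaces; a short comment above the `objs =` assignment (outside this hunk, since a `#` line inside the backslash-continued list would swallow the remaining entries) naming that purpose would help the next person who has to reconcile this list with upstream.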
@@ -0,0 +1,1305 @@ +dnsmasq (2.75-1ubuntu0.16.04.8) xenial-security; urgency=medium + + * SECURITY REGRESSION: issue with multiple queries (LP: #1916462) + - backport multiple upstream commits to fix regressions + + 04490bf622ac84891aad6f2dd2edf83725decdee + + 12af2b171de0d678d98583e2190789e544440e02 + + 3f535da79e7a42104543ef5c7b5fa2bed819a78b + + 141a26f979b4bc959d8e866a295e24f8cf456920 + + 305cb79c5754d5554729b18a2c06fe7ce699687a + + -- Marc Deslauriers Tue, 23 Feb 2021 08:32:59 -0500 + +dnsmasq (2.75-1ubuntu0.16.04.7) xenial-security; urgency=medium + + * SECURITY UPDATE: Multiple security issues + - CVE-2020-25681: heap overflow in RRSets sorting + - CVE-2020-25682: buffer overflow in extracting names from DNS packets + - CVE-2020-25683: heap overflow in DNSSEC validation + - CVE-2020-25684: cache poisoning issue via address/port + - CVE-2020-25685: cache poisoning issue via weak hash + - CVE-2020-25686: birthday attack via incorrect existing requests check + - CVE-2020-25687: heap overflow in DNSSEC validation + - CVE-2019-14834: memory leak via DHCP response creation + + -- Marc Deslauriers Fri, 08 Jan 2021 12:34:33 -0500 + +dnsmasq (2.75-1ubuntu0.16.04.5) xenial-security; urgency=medium + + * trusty-anchors.conf: Update DNSSEC trust anchors + - 05da782f8f45933915af0ef3cc1ba35e31d20c59 + + -- Marc Deslauriers Thu, 12 Jul 2018 09:39:42 -0400 + +dnsmasq (2.75-1ubuntu0.16.04.4) xenial; urgency=medium + + * Fix replying prematurely if one of many servers replies REFUSED + (LP: #1726017) by adding two upstream patches. + - 2.76: 4ace25c5d6: Treat REFUSED (not SERVFAIL) as an unsuccessful + upstream response + - 2.77: 68f6312d4b: Stop treating SERVFAIL as a successful response from + upstream servers. + + -- Christian Ehrhardt Mon, 23 Oct 2017 08:32:22 +0200 + +dnsmasq (2.75-1ubuntu0.16.04.3) xenial-security; urgency=medium + + * SECURITY UPDATE: add fixes to correct multiple security issues + - CVE-2017-14491 DNS heap buffer overflow. 
+ - CVE-2017-14492, DHCPv6 RA heap overflow. + - CVE-2017-14493, DHCPv6 - Stack buffer overflow. + - CVE-2017-14494, Infoleak handling DHCPv6 forwarded requests. + - CVE-2017-14495, OOM in DNS response creation. + - CVE-2017-14496, Integer underflow in DNS response creation. + + -- Marc Deslauriers Tue, 26 Sep 2017 17:42:14 -0400 + +dnsmasq (2.75-1ubuntu0.16.04.2) xenial; urgency=medium + + * Add two upstream patches to fix binding to an interface being + destroyed and recreated. LP: #1639776. + + 2675f2061525bc954be14988d64384b74aa7bf8b + + 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d + + -- Nishanth Aravamudan Mon, 27 Mar 2017 17:22:13 -0700 + +dnsmasq (2.75-1ubuntu0.16.04.1) xenial-security; urgency=medium + + * SECURITY UPDATE: denial of service via crafted CNAME (LP: #1581181) + - src/cache.c: fix crash when empty address from DNS overlays A record + from hosts. + - 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 + - CVE-2015-8899 + + -- Marc Deslauriers Tue, 14 Jun 2016 15:05:23 +0300 + +dnsmasq (2.75-1) unstable; urgency=low + + * New upstream. (closes: #794095) + + -- Simon Kelley Thur, 30 Jul 2015 20:58:31 +0000 + +dnsmasq (2.74-1) unstable; urgency=low + + * New upstream. (LP: #1468611) + + -- Simon Kelley Wed, 15 Jul 2015 21:54:11 +0000 + +dnsmasq (2.73-2) unstable; urgency=low + + * Fix behaviour of empty --conf-file (closes: #790341) + + -- Simon Kelley Thu, 7 Jul 2015 21:46:42 +0000 + +dnsmasq (2.73-1) unstable; urgency=low + + * New upstream. (closes: #786996) + * Tweak field width in cache dump to avoid truncating IPv6 + addresses. (closes: #771557) + * Add newline at the end of example config file. (LP: #1416895) + * Make Debian package build reproducible. (closes: #777323) + * Add Requires=network.target to systemd unit. + + -- Simon Kelley Thu, 4 Jun 2015 22:31:42 +0000 + +dnsmasq (2.72-3) unstable; urgency=medium + + * debian/systemd.service: switch from Type=dbus to Type=forking. 
+ dnsmasq does not depend on dbus, but Type=dbus systemd services cannot + work without it. (Closes: #769486, #776530) + - debian/init: when called with systemd-exec argument, let dnsmasq + go into the background, so Type=forking can detect when it is ready + * Remove line containing only whitespace in debian/contol. + (closes: #777571) + + -- Simon Kelley Wed, 11 Feb 2015 21:56:12 +0000 + +dnsmasq (2.72-2) unstable; urgency=low + + * Fix build in Debian-kFreeBSD. (closes: #763693) + + -- Simon Kelley Thu, 02 Oct 2014 22:34:12 +0000 + +dnsmasq (2.72-1) unstable; urgency=low + + * New upstream. + * If dns-root-data package is installed, use it to set the DNSSEC + trust anchor(s). Recommend dns-root-data. (closes: #760460) + * Handle AD bit correctly in replies from cache. (closes: #761654) + + -- Simon Kelley Tue, 20 May 2014 21:01:11 +0000 + +dnsmasq (2.71-1) unstable; urgency=low + + * New upstream. + * Fix 100% CPU-usage bug when dnsmasq started with cachesize + set to zero. (LP: #1314697) + + -- Simon Kelley Fri, 16 May 2014 20:17:10 +0000 + +dnsmasq (2.70-3) unstable; urgency=medium + + * Write a pid-file, even when being started using systemd, since + other components may wish to signal dnsmasq. + * Enable dnsmasq systemd unit on install. Otherwise dnsmasq does not run on + fresh installations (without administrator handholding) and even worse it + is disabled on systems switching from sysv to systemd. Modify + postinst/postrm exactly as dh_systemd would, add dependency on + init-system-helpers. Closes: #724602 + + -- Simon Kelley Sun, 11 May 2014 17:45:21 +0000 + +dnsmasq (2.70-2) unstable; urgency=low + + * Ensure daemon not stared if dnsmasq package has been removed, + even if dnsmasq-base is still installed. (closes: #746941) + * Tidy cruft in initscript. (closes: #746940) + + -- Simon Kelley Sun, 04 May 2014 21:34:11 +0000 + +dnsmasq (2.70-1) unstable; urgency=low + + * New upstream. 
+ + -- Simon Kelley Wed, 23 Apr 2014 15:14:42 +0000 + +dnsmasq (2.69-1) unstable; urgency=low + + * New upstream. + * Set --local-service. (closes: #732610) + This tells dnsmasq to ignore DNS requests that don't come + from a local network. It's automatically ignored if + --interface --except-interface, --listen-address or + --auth-server exist in the configuration, so for most + installations, it will have no effect, but for + otherwise-unconfigured installations, it stops dnsmasq + from being vulnerable to DNS-reflection attacks. + + -- Simon Kelley Tue, 4 Feb 2014 16:28:12 +0000 + +dnsmasq (2.68-1) unstable; urgency=low + + * New upstream. (closes: #730553) + + -- Simon Kelley Sun, 8 Dec 2013 15:57:32 +0000 + +dnsmasq (2.67-1) unstable; urgency=low + + * New upstream. + * Update resolvconf script. (closes: #720732) + + -- Simon Kelley Wed, 4 Aug 2013 14:53:22 +0000 + +dnsmasq (2.66-4) unstable; urgency=low + + * Update resolvconf script. (closes: #716908) + + -- Simon Kelley Wed, 4 Aug 2013 14:48:21 +0000 + +dnsmasq (2.66-3) unstable; urgency=low + + * Update resolvconf script for dnscrypt-proxy integration. (closes: #709179) + + -- Simon Kelley Tue, 28 May 2013 14:39:51 +0000 + +dnsmasq (2.66-2) unstable; urgency=low + + * Fix error on startup with some configs. (closes: #709010) + + -- Simon Kelley Mon, 20 May 2013 11:46:11 +0000 + +dnsmasq (2.66-1) unstable; urgency=low + + * New upstream. + * Add support for noipset in DEB_BUILD_OPTIONS. + + -- Simon Kelley Fri, 22 Feb 2013 21:52:13 +0000 + +dnsmasq (2.65-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Fri, 14 Dec 2012 11:34:12 +0000 + +dnsmasq (2.64-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Fri, 21 Sep 2012 17:17:22 +0000 + +dnsmasq (2.63-4) unstable; urgency=low + + * Make pid-file creation immune to symlink attacks. 
(closes: #686484) + + -- Simon Kelley Fri, 21 Sep 2012 17:16:34 +0000 + +dnsmasq (2.63-3) unstable; urgency=low + + * Move adduser dependency to dnsmasq-base. (closes: #686694) + + -- Simon Kelley Tue, 4 Sep 2012 21:44:15 +0000 + +dnsmasq (2.63-2) unstable; urgency=low + + * Fix version script to report correct version. + * Unbotch move of dbus config file by using correct versions in + Replaces: and Breaks: lines. (closes: #685204) + * Create dnsmasq user in dnsmasq-base so that Dbus doesn't complain if + only dnsmasq-base is installed. (closes: #685987) + + -- Simon Kelley Tue, 28 Aug 2012 16:18:35 +0000 + +dnsmasq (2.63-1) unstable; urgency=low + + * New upstream. + * Move /etc/dbus-1/system.d/dnsmasq.conf from dnsmasq to dnsmasq-base. + + -- Simon Kelley Mon, 11 Jun 2012 21:55:35 +0000 + +dnsmasq (2.62-3) unstable; urgency=low + + * Do resolvconf and /etc/default startup logic when + starting with systemd. (closes: #675854) + + -- Simon Kelley Mon, 11 Jun 2012 21:50:11 +0000 + +dnsmasq (2.62-2) unstable; urgency=low + + * Pass LDFLAGS to make to get hardening in linker. + + -- Simon Kelley Thu, 7 Jun 2012 09:53:43 +0000 + +dnsmasq (2.62-1) unstable; urgency=low + + * New upstream. + * Use dpkg-buildflags. (Enables hardening). + + -- Simon Kelley Sat, 12 May 2012 15:25:23 +0000 + +dnsmasq (2.61-1) unstable; urgency=low + + * New upstream. + * Provide "dump-stats" initscript method. (closes: #654656) + * Add (empty) build-indep and build-arch rules targets. + * Bump standards-version to 3.9.3 + * Add port option to example dnsmasq.conf (closes: #668386) + + -- Simon Kelley Tue, 6 Mar 2012 19:45:43 +0000 + +dnsmasq (2.60-2) unstable; urgency=high + + * Fix DHCPv4 segfault. (closes: #665008) + + -- Simon Kelley Fri, 23 Mar 2012 09:37:23 +0000 + +dnsmasq (2.60-1) unstable; urgency=low + + * New upstream. + * Bump standards-version to 3.9.2 + * Fix typo in example config file. 
(closes: #654897) + + -- Simon Kelley Thu, 1 Dec 2011 15:49:33 +0000 + +dnsmasq (2.59-4) unstable; urgency=low + + * Supply /etc/insserv.conf.d/dnsmasq (closes: #650540) + + -- Simon Kelley Thu, 1 Dec 2011 11:35:13 +0000 + +dnsmasq (2.59-3) unstable; urgency=low + + * Stop daemon at runlevels 0, 1 and 6. (closes: #647726) + + -- Simon Kelley Sat, 26 Nov 2011 15:28:33 +0000 + +dnsmasq (2.59-2) unstable; urgency=low + + * Fix reported version number. + + -- Simon Kelley Wed, 19 Oct 2011 09:25:53 +0000 + +dnsmasq (2.59-1) unstable; urgency=low + + * New upstream. + * Fix IPv6 bind problem (closes: #644345) + + -- Simon Kelley Sat, 8 Oct 2011 16:34:13 +0000 + +dnsmasq (2.58-3) unstable; urgency=low + + * Fix resolvconf script location. (closes: #641717) + * Update systemd service file. (closes: #640095) + + -- Simon Kelley Thu, 15 Sep 2011 16:33:23 +0000 + +dnsmasq (2.58-2) unstable; urgency=low + + * Fix resolvconf script. (closes: #639963) + + -- Simon Kelley Thu, 1 Sep 2011 10:05:23 +0000 + +dnsmasq (2.58-1) unstable; urgency=low + + * New upstream. + * Add noconntrack DEB_BUILD_OPTIONS flag. + * Improve error message when tag:xxx appears + in --dhcp-host (closes: #627986) + * Add /usr/lib/resolvconf/packaging-event.d/dnsmasq (closes: #628003) + * Update resolvconf hook script to sleep only + when necessary. (closes: #627789) + * Tweak behaviour of --domain-needed to avoid problems with recursive + nameservers _downstream_ of dnsmasq. (closes: #630637) + * Allow processes running as uid dnsmasq to send messages on the DBus, + so that dnsmasq can return errors. (closes: #635017) + * Add /lib/systemd/system/dnsmasq.service (closes: #635753) + * New binary package, dnsmasq-utils, containing dhcp_release and + dhcp_lease_time from contrib/wrt. Note that these are Linux-specific + so this package is Architecture: linux-any (closes: #638136) + + -- Simon Kelley Mon, 22 Aug 2011 14:57:03 +0000 + +dnsmasq (2.57-1) unstable; urgency=low + + * New upstream. 
+ * Fix typos in example config file. (closes: #606615) + * Bump standards-version to 3.9.1 + * Add noidn DEB_BUILD_OPTIONS flag. + * Don't complain about extra command line arguments if + they are empty, as this breaks libvirt. (closes: #613915) + + -- Simon Kelley Fri, 18 Feb 2011 09:54:13 +0000 + +dnsmasq (2.56-1) unstable; urgency=low + + * New upstream. + * Die if non-option args present on the command-line. (closes: #589885) + * Tighten up use of IGNORE_RESOLVCONF in initscript. (closes: #575345) + * Update URL of ISC's explanation of dhcp-authoritative in the example + configuration file. (closes: #604870) + * Cosmetic changes to dnsmasq.conf.example. (closes: #598790) + * More dnsmasq.conf.example fixes. (closes: #606615) + * Add other resolv.conf locations to FILES section of the manual + page. (closes: #603505) + * Clarify configuration for static IP addresses in the absence of + resolvconf in the Debian readme file. (closes: #604035) + * Fix handling of obsolete DNSMASQ_INTERFACE and DNSMASQ_EXCEPT + variables in /etc/default/dnsmasq. (LP: #691329) + * Provide debian/source/format. + + -- Simon Kelley Fri, 17 Dec 2010 13:17:33 +0000 + +dnsmasq (2.55-2) unstable; urgency=high + + * Fix crash on double free. (closes: #597205) + + -- Simon Kelley Sun, 19 Sep 2010 21:45:33 +0000 + +dnsmasq (2.55-1) unstable; urgency=low + + * New upstream. + * Fix crash when /etc/ethers in use. (closes: #584754) + + -- Simon Kelley Sun, 6 Jun 2010 20:33:13 +0000 + +dnsmasq (2.53-1) unstable; urgency=low + + * New upstream. + * Fix FTBFS on kFreeBSD. (closes: #566334) + * Teach initscript to check the config file syntax before + restarting dnsmasq. An error will leave the old dnsmasq still + running, rather than killing the old daemon and then failing to start + a new one. + * Tweak DHCP behaviour when a physical interface has two addresses on + the same subnet. 
(closes: #581064) + + -- Simon Kelley Thu, 20 May 2010 11:41:23 +0000 + +dnsmasq (2.52-1) unstable; urgency=low + + * New upstream. + * Be more conservative with "A for A" processing. (closes: #553337) + * Add README file in /etc/dnsmasq.d to explain what's going on. + + -- Simon Kelley Thu, 14 Jan 2010 09:53:13 +0000 + +dnsmasq (2.51-1) unstable; urgency=low + + * New upstream. + * Bump standards-version to 3.8.2 (no changes needed). + * Ignore files named *.dpkg-old, *.dpkg-new and *.dpkg-dist + in /etc/dnsmasq.d + * Provide a facility in /etc/default/dnsmasq to disable dnsmasq's + interaction with the resolvconf package. This is needed because + setting "resolv-file" in /etc/dnsmasq.conf won't override a + file given on the command line from resolvconf. (closes: #528762) + * Check for duplicate names/addresses in /etc/ethers. (closes: #523787) + * Set the system locale in the environment before invoking dnsmasq, + so that translated messages work, and IDN uses the correct charset. + + -- Simon Kelley Fri, 4 Oct 2009 14:01:14 +0000 + + +dnsmasq (2.50-1) unstable; urgency=high + + * New upstream, fixes remote vulns in TFTP server. + Bugtraq id: 36120,36121 CVE: 2009-2957,2009-2958 + + -- Simon Kelley Fri, 21 Aug 2009 10:25:13 +0000 + + +dnsmasq (2.49-1) unstable; urgency=low + + * New upstream. + * Log TFTP "file not found" errors. (closes: #532201) + + -- Simon Kelley Mon, 8 Jun 2009 22:03:23 +0000 + +dnsmasq (2.48-2) unstable; urgency=low + + * Change dnsmasq -> dnsmasq-base dependency to >= to allow binNMU, + fixes Lintian error. + * Bump standards-version to 3.8.1 + + -- Simon Kelley Fri, 5 Jun 2009 10:58:33 +0000 + +dnsmasq (2.48-1) unstable; urgency=low + + * New upstream. + * Detect and ignore duplicate configuration files. (closes: #516234) + * Add 2 second sleep between stop and start during initscript restart. 
+ * Make dependency on dnsmasq-base in dnsmasq package versioned, so that + installing the latest dnsmasq will install the latest dnsmasq-base + too. (closes: #523955) + * Add nodhcp DEB_BUILD_OPTIONS option. + + -- Simon Kelley Fri, 29 May 2009 10:20:23 +0000 + +dnsmasq (2.47-3) unstable; urgency=low + + * Fix bashism in init script. (closes: #514397) + * Tweak logging in init script. + + -- Simon Kelley Sat, 7 Feb 2009 19:25:23 +0000 + +dnsmasq (2.47-2) unstable; urgency=low + + * Check that /etc/init.d/dnsmasq is executable in postinst in case + the daemon has been disabled that way. (closes: #514314) + * Ensure that /var/run/dnsmasq exists and has the right permissions + before running dnsmasq. On some systems /var/run is cleared over + reboot. (closes: #514317) + + -- Simon Kelley Fri, 6 Feb 2009 09:38:21 +0000 + +dnsmasq (2.47-1) unstable; urgency=low + + * New upstream. + * Handle the "ENABLED" flag in the init script a bit more + intelligently. The "stop" and "status" functions continue + to work even when disabled, but a failed "stop" becomes + silent and returns zero exit code. + * Don't explicitly kill dnsmasq at system shutdown, rely on the + sendsigs script instead which is quicker. (closes: #506734) + * Store the PID-file in /var/run/dnsmasq. This directory is owned by + user "dnsmasq", so that dnsmasq can delete the PID-file on + shutdown. This ensures that the the PID-file goes even when dnsmasq + is stopped by sendsigs. (closes: #508560) + * Bump standards-version to 3.8.0 (no changes required.) + * /usr/sbin/adduser -> adduser in postinst. Lintian fix. + * Handle IPv6 addresses in "tentative" state better. (closes: #507646) + * Add DBus introspection support. (closes: #508774) + * Fix Dbus configuration. (closes: #510649) + + -- Simon Kelley Mon, 2 Feb 2009 13:39:11 +0000 + +dnsmasq (2.46-1) unstable; urgency=low + + * New upstream. (closes: #499162) (closes: #499007) + * Remove from init script start-stop-daemon call to kill + child processes. 
This is not needed since dnsmasq is + carefully written to kill child processes, and it interacts + badly with "private" instances of dnsmasq. (closes: #505523) + * Provide /etc/dnsmasq.d and alter the installed /etc/default/dnsmasq + so that /etc/dnsmasq.d is read. This provides a drop-directory where + libvirt can add options to make the system dnsmasq automatically + play nice with libvirt's private instances. (closes: #505522) + + -- Simon Kelley Thu, 13 Nov 2008 20:15:31 +0000 + +dnsmasq (2.45-1) unstable; urgency=high + + * New upstream - fixes regression when min-port not set. + + -- Simon Kelley Sun, 20 Jul 2008 19:27:11 +0000 + +dnsmasq (2.44-1) unstable; urgency=high + + * New upstream - bugfix release for 2.43. + * Fix crash in netlink code. (closes: #491289) + + -- Simon Kelley Fri, 11 Jul 2008 19:39:10 +0000 + +dnsmasq (2.43-1) unstable; urgency=high + + * New upstream. + * Implement source-port randomisation and better random + number generator as defence against CVE-2008-1447 (closes: #490123) + + -- Simon Kelley Tue, 17 Jun 2008 11:55:38 +0000 + +dnsmasq (2.42-4) unstable; urgency=low + + * Fix botch in postinst introduced in 2.42-2. (closes: #486616) + + -- Simon Kelley Tue, 17 Jun 2008 11:39:10 +0000 + +dnsmasq (2.42-3) unstable; urgency=low + + * Fix thinko in init script, breaks status command. (closes: #486455) + + -- Simon Kelley Mon, 16 Jun 2008 11:26:20 +0000 + +dnsmasq (2.42-2) unstable; urgency=low + + * Error check in postinst file (closes: #485645) + + -- Simon Kelley Tue, 10 Jun 2008 20:25:10 +0000 + +dnsmasq (2.42-1) unstable; urgency=low + + * New upstream. + * Fix manpage typos. (closes: #468762) + * Use LSB log_*_msg rather than echo in init script. (closes: #473117) + * Fix agent-id echo problem. (closes: #473015) + * Fixup changing /usr/share/doc/dnsmasq to symlink. 
(closes: #468763) + + -- Simon Kelley Wed, 27 Feb 2008 21:15:28 +0000 + +dnsmasq (2.41-2) unstable; urgency=low + + * Fix rules to build binary-arch and binary-indep correctly. + + -- Simon Kelley Wed, 27 Feb 2008 19:57:10 +0000 + +dnsmasq (2.41-1) unstable; urgency=low + + * New upstream. + * Fix typo. (closes: #448038) + * Fix DHCP problem interoperating with Sony Ericsson K610i (closes: #451871) + * Split binary packages into dnsmasq and dnsmasq-base (closes: #463407) + * Add warnings about bad effects of --filterwin2k to default config + file. (closes: #464357) + * Don't declare Provides: $named in LSB header. (closes: #464512) + * Remove conflict with pdnsd. (closes: #464691) + * Add ability to disable dnsmasq in /etc/default/dnsmasq. (closes: #465062) + + -- Simon Kelley Thu, 31 Jan 2008 20:25:28 +0000 + +dnsmasq (2.40-1) unstable; urgency=low + + * New upstream. + * Fix manpage typo. (closes: #429412) + * Fix dnsmasq.conf typos (closes: #429929) + * Handle DEB_BUILD_OPTIONS nostrip and noopt (closes: #436784) + * Add DEB_BUILD_OPTIONS for nodocs, notftp, noipv6, + nodbus, noi18n and nortc. + * Create DEBIAN/md5sums file in package. + * Add status function to init script. (closes: #439316) + + -- Simon Kelley Thu, 9 Aug 2007 10:24:18 +0000 + +dnsmasq (2.39-1) unstable; urgency=low + + * New upstream. + * Provide example config file in /usr/share/doc/dnsmasq/examples + as well as /etc/dnsmasq.conf, so it's available for reference. + + -- Simon Kelley Thu, 13 Feb 2007 10:02:38 +0000 + +dnsmasq (2.38-1) unstable; urgency=low + + * New upstream (closes: #410185) + + -- Simon Kelley Tue, 6 Feb 2007 21:14:58 +0000 + +dnsmasq (2.37-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Thu, 25 Jan 2007 10:44:18 +0000 + +dnsmasq (2.36-1) unstable; urgency=low + + * New upstream. (closes: #400037) + * Don't fail to purge if deluser command is not available. + * Add one second sleep to resolvconf script. 
(closes: #398961) + * Fix dnsmasq.conf typo (closes: #405314) + + -- Simon Kelley Tue, 31 Oct 2006 10:24:58 +0000 + +dnsmasq (2.35-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Wed, 18 Oct 2006 09:23:28 +0000 + +dnsmasq (2.34-1) unstable; urgency=low + + * New upstream. + * Includes --clear-on-reload flag. (loses: #391654) + * Don't any longer set the "domain-needed" and "bogus-priv" flags in the + * the default-installed dnsmasq.conf. These can generate puzzling + * behaviour for people who get them without asking. + + -- Simon Kelley Wed, 9 Aug 2006 09:23:28 +0000 + +dnsmasq (2.33-1) unstable; urgency=low + + * New upstream. + * Remove bashism from Makefile (closes: #375409) + * Added Provides: $named to LSB header in init script. + * Add --dns-forward-max flag. (closes: #377506) + + -- Simon Kelley Sun, 25 June 2006 18:03:13 +0000 + +dnsmasq (2.32-2) unstable; urgency=low + + * Added LSB tags to init.d startup script. (closes: #374650) + + -- Simon Kelley Sun, 25 June 2006 17:55:11 +0000 + +dnsmasq (2.32-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Mon, 8 May 2006 09:23:28 +0000 + +dnsmasq (2.31-1) unstable; urgency=high + + * New upstream. (closes: #364800) + * Compile in Dbus support now that suitable Dbus packages exist. + * Don't stop an old dnsmasq process, until a new one is ready, + when upgrading. (closes: #366224) + * Move to standards-version 3.7.2 (no changes needed). + + -- Simon Kelley Sat, 6 May 2006 11:58:22 +0000 + +dnsmasq (2.30-1) unstable; urgency=low + + * New upstream, fixes crash with DHCP broadcast replies. + + -- Simon Kelley Sun, 23 Apr 2006 14:58:22 +0000 + +dnsmasq (2.29-1) unstable; urgency=low + + * New upstream. (closes: #363244) (closes: #363340) + * Made config options clearer in src/config.h and + clarify ISC integration status in Debian readme. (closes: #364250) + + -- Simon Kelley Tue, 18 Apr 2006 10:26:12 +0000 + +dnsmasq (2.28-1) unstable; urgency=low + + * New upstream. 
(closes: #359956) (closes: #362499) + * Added firestarter info to FAQ. (closes: #359139) + + -- Simon Kelley Tue, 14 Mar 2006 19:20:12 +0000 + +dnsmasq (2.27-1) unstable; urgency=low + + * New upstream. + * Workaround buggy Microsoft DHCP clients. (closes: #355008) + + -- Simon Kelley Wed, 1 Feb 2006 17:05:12 +0000 + +dnsmasq (2.26-1) unstable; urgency=high + + * New upstream. (Fixes possible crash in 2.25, hence urgency). + + -- Simon Kelley Sun, 22 Jan 2006 11:05:22 +0000 + +dnsmasq (2.25-1) unstable; urgency=low + + * Remove bashisms in postinst and prerm scripts. + * Remove misconcieved dependency on locales. + * Depend on adduser. + + -- Simon Kelley Thu, 01 Dec 2005 21:02:12 +0000 + +dnsmasq (2.24-1) unstable; urgency=low + + * New upstream. (closes: #330422) + * Fix typo and clean up dnsmasq.conf (closes: #326057) (closes: #304446) + * Add build support for I18N and gettext. + * Fixed manpage typos. (closes: #336413) + * Create a dnsmasq-unique userid for the daemon to run as. (closes: #338353) + + -- Simon Kelley Sat, 03 Sep 2005 20:02:32 +0000 + +dnsmasq (2.23-1) unstable; urgency=low + + * New upstream. (closes: #302501) (closes: #315794) + * Fix manpage typos. (closes: #304984) + * Add support for DNSMASQ_EXCEPT in /etc/defaults/dnsmasq. + putting "lo" in this also disables resolvconf support. + * No longer delete pre-existing /etc/init.d symlinks. The + change in default runlevels which neccesitated this + is now ancient history and anyway the startup script now + behaves when called twice. (closes: #312111) + * Tightened config-file parser. (closes: #317030) + + -- Simon Kelley Tue, 02 Aug 2005 13:17:22 +0000 + +dnsmasq (2.22-2) unstable; urgency=low + + * Make the resolv.conf polling code resistant to + backwards-moving system clocks. (closes: #306117) (closes: #300694) + + -- Simon Kelley Wed, 04 May 2005 13:25:23 +0000 + +dnsmasq (2.22-1) unstable; urgency=low + + * New upstream. + * Fixed broken-ness when read /etc/ethers. 
(closes: #301999) + + -- Simon Kelley Thur, 24 Mar 2005 17:10:13 +0000 + +dnsmasq (2.21-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Sat, 29 Jan 2005 16:05:13 +0000 + +dnsmasq (2.20-1) unstable; urgency=low + + * New upstream. + * Fix shadowed CNAME-target problem. (closes: #286654) + * Add --localise-queries option. (closes: #291367) + + -- Simon Kelley Fri, 17 Dec 2004 17:35:23 +0000 + +dnsmasq (2.19-1) unstable; urgency=high + + * New upstream. + * Fix another IPv6 interface enumeration problem. (closes: #285182) + * Uploading at high priority since 285182 is really RC. + + -- Simon Kelley Sat, 11 Dec 2004 20:39:33 +0000 + +dnsmasq (2.18-2) unstable; urgency=low + + * Revert startup to not start from rcS. Starting in rcS + * causes problems if interfaces are not available at that + * point. Users who need this facility should manually + * make rcS.d symlinks. (closes: #283239) + + -- Simon Kelley Sat, 27 Nov 2004 16:33:12 +0000 + +dnsmasq (2.18-1) unstable; urgency=low + + * New upstream. + * Reset cache statistics when clearing the cache. (closes: #281817) + * Fix problems with bind-interfaces and IPv6. (closes: #282192) + * Fix problems upgrading when restarting dnsmasq fails. + + -- Simon Kelley Tue, 16 Nov 2004 17:33:32 +0000 + +dnsmasq (2.17-1) unstable; urgency=high + + * New upstream - fixes crash, hence high urgency. + * Clarified log message when a record in /etc/hosts + and a DHCP name clash. (closes: #275420) + * Start dnsmasq just before portmap and nfs mounts from rcS.d + DNS is required at this stage to use the net. (closes: #280434) + * Make "bind-interfaces" apply to IPv6 interfaces. (closes: #278492) + * Allow a list if interfaces as arg to the --interface and + --except-interface options. 
(closes: #279063) + + -- Simon Kelley Tue, 26 Oct 2004 20:39:33 +0000 + +dnsmasq (2.16-2) unstable; urgency=high + + * Rename variable in cache.c which clashes with C headers + under gcc-3.4 (closes: #277893) + + -- Simon Kelley Mon, 25 Oct 2004 16:03:24 +0000 + +dnsmasq (2.16-1) unstable; urgency=high + + * New upstream. + * Fixes interaction with Linux 2.4.x and 2.6.x not-quite-POSIX + select behavior, which can cause hangs when receiving UDP + packets with bad checksum. + * Fix bad interaction with polipo. (closes: #275754) + * Cache CNAMEs better. (closes: #276289) + + -- Simon Kelley Mon, 04 Oct 2004 15:25:44 +0000 + +dnsmasq (2.15-1) unstable; urgency=low + + * New upstream. + * Fix NXDOMAIN/NODATA confusion for locally known names. (closes: #271564) + + -- Simon Kelley Wed, 15 Sep 2004 15:01:44 +0000 + +dnsmasq (2.14-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Sat, 28 Aug 2004 20:39:33 +0000 + +dnsmasq (2.13-1) unstable; urgency=high + + * New upstream - fixes crash. (closes #265313) + + -- Simon Kelley Thur, 12 Aug 2004 12:45:23 +0000 + +dnsmasq (2.12-1) unstable; urgency=low + + * New upstream. + * Log types of incoming queries (closes: #230123). + * Don't set "filterwin2k" by default in the included + config file - it breaks SRV lookups and Kerberos. + + -- Simon Kelley Sun, 8 Aug 2004 19:58:13 +0000 + +dnsmasq (2.11-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Wed, 28 July 2004 21:59:33 +0000 + +dnsmasq (2.10-1) unstable; urgency=low + + * New upstream. + * Allow query-port less than 1024 (closes: #236586) + * Change behaviour of --bogus-priv (closes: #254711) + * Match existing leases by MAC address when a client stops + using client-id or they get suppressed by dnsmasq. 
(closes: #258519) + + -- Simon Kelley Thur, 24 June 2004 20:55:42 +0000 + +dnsmasq (2.9-2) unstable; urgency=low + + * Fix typo in debian/control (closes: #255762) + + -- Simon Kelley Wed, 23 Jun 2004 20:40:13 +0000 + +dnsmasq (2.9-1) unstable; urgency=low + + * New upstream. + * New version has improved server selection logic (closes: #251097) + * Improved initscript (closes: #252229) + * Conflict with old resolvconf versions to maintain compatibility. + * Updated README.debian (closes: #253429) + * Changed startup message to mention DHCP as well as DNS. + * New resolvconf update script (closes: #254765) + + -- Simon Kelley Wed, 26 May 2004 12:35:23 +0000 + +dnsmasq (2.8-1) unstable; urgency=low + + * New upstream. + * Fixes problem with zero-length hostnames which can lose + DHCP leases over a restart. (closes: #248829) + + -- Simon Kelley Thur, 13 May 2004 18:40:12 +0000 + +dnsmasq (2.7-2) unstable; urgency=low + + * New version of resolvconf script from Thomas Hood with the + following changes: (closes: #247695) + * Doesn't include nameservers listed in the lo.inet or lo.inet6 interface + records created by "ifup lo" + * Lists addresses in a specified order (by interface name) + * Eliminates duplicate nameserver addresses + * Updates /var/run/dnsmasq/resolv.conf atomically + * Doesn't generate empty lines + + -- Simon Kelley Tue, 11 May 2004 22:35:12 +0000 + +dnsmasq (2.7-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Sun, 18 Apr 2004 20:00:23 +0000 + +dnsmasq (2.6-3) unstable; urgency=low + + * Removed reload command from start script and moved force-reload + to be equivalent to restart. This is needed to be policy compliant + since SIHGUP doesn't cause dnsmasq to reload its configuration file, + only the /etc/hosts, /etc/resolv.conf etc. (closes: #244208) + + -- Simon Kelley Sun, 18 Apr 2004 14:40:51 +0000 + +dnsmasq (2.6-2) unstable; urgency=low + + * Added Conflict with pdnsd (closes: #242731). 
+ Rationale: dnsmasq used to conflict with all the DNS servers + in Debian, but that was removed because some people wished + to run with dnsmasq listening on one interface and another DNS + server listening on another interface. However AFAIK it is not + possible to make pdnsd listen on a subset of a hosts interfaces, + so there is no scenario where running pdnsd and dnsmasq on the same + host would be useful, hence the conflict goes back. + * Added note about the --bind-interfaces option to + readme.Debian (closes: #241700) + + -- Simon Kelley Tues, 13 Apr 2004 18:37:55 +0000 + +dnsmasq (2.6-1) unstable; urgency=low + + * New upstream. + * New version adds back ability to read ISC dhcpd lease files + for backwards compatibility. (closes: #229684) (closes: #236421) + * Fix parsing of # characters in options file. (closes: #241199) + + -- Simon Kelley Sun, 21 Mar 2004 19:59:25 +0000 + +dnsmasq (2.5-1) unstable; urgency=low + + * New upstream, includes fix for IP-alias related + problem. (closes: #238268) + + -- Simon Kelley Sun, 14 Mar 2004 08:32:43 +0000 + +dnsmasq (2.4-3) unstable; urgency=low + + * Fixed "bind-interfaces" option, even when + an "interface" option is given also. + + -- Simon Kelley Fri, 12 Mar 2004 08:14:23 +0000 + +dnsmasq (2.4-2) unstable; urgency=low + + * Fixed "bind-interfaces" option (closes: #237543). + + -- Simon Kelley Fri, 12 Mar 2004 07:30:25 +0000 + +dnsmasq (2.4-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Thurs, 11 Mar 2004 07:59:55 +0000 + +dnsmasq (2.3-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Tues, 03 Feb 2004 20:33:10 +0000 + +dnsmasq (2.2-1) unstable; urgency=low + + * New upstream. (fixes no DHCP with IPv6 problem) + * Restart (old) daemon on abort-upgrade. (closes: #230286) + + -- Simon Kelley Fri, 30 Jan 2004 10:23:00 +0000 + +dnsmasq (2.1-1) unstable; urgency=low + + * New upstream. 
+ * Allow addresses in /etc/hosts to be used for + DHCP leases (closes: #229681) + * Fix lease time processing. (closes: #229682) (closes: #229687) + * Fix example conf file. (closes: #229683) (closes: #229701) + * Allow address 0.0.0.0 to mean "self" in dhcp-option. (closes: #229685) + * Cope with ENODEV return from bind of + IPv6 server socket (closes: #229607) + * Document the strict-order option in dnsmasq.conf (closes: #229272) + * Fix local-only domain setting. (closes: #229846) + * Updates Debian readme to mention resolvconf and point at the + local copy of RFC2132. + + -- Simon Kelley Fri, 23 Jan 2004 14:38:29 +0000 + +dnsmasq (2.0-1) unstable; urgency=low + + * New upstream: This removes the ability to read the + the leases file of ISC DHCP and replaces it with a built-in + DHCP server. Apologies in advance for breaking backwards + compatibilty, but this replaces a bit of a hack (the ISC stuff) + with a nicely engineered and much more apropriate solution. + Wearing my upstream-maintainer hat, I want to lose the hack now, + rather than have to support it into Sarge. + * New upstream closes some bugs since they become + irrelevant. (closes: #197295) + * Ensure that /var/run and /var/lib/misc exist. + * Remove sed dependency, which was a mistake. + * Remove extraneous "build" file. (closes: #226994) + + -- Simon Kelley Sun, 16 Jan 2004 19:35:49 +0000 + +dnsmasq (1.18-2) unstable; urgency=low + + * Fixed manpage typo (closes: #220961) + * Added dependency for sed. (closes: #222401) + * Check for complete resolvconf installation before + calling it. (closes: #223442) + * Added Links section to doc.html + + -- Simon Kelley Sat, 27 Dec 2003 20:21:15 +0000 + +dnsmasq (1.18-1) unstable; urgency=low + + * New upstream which does round-robin. (closes: #215460) + * Removed conflicts with other dns servers since it is now + possible to control exactly where dnsmasq listens on multi-homed + hosts, making co-existance with another nameserver + a viable proposition. 
(closes #176163) + * New upstream allows _ in hostnames and check for illegal + names in /etc/hosts. (closes: #218842) + + -- Simon Kelley Fri, 17 Oct 2003 16:23:14 +0000 + +dnsmasq (1.17-1) unstable; urgency=high + + * New upstream (closes: #212680) + + -- Simon Kelley Wed, 8 Oct 2003 14:38:29 +0000 + +dnsmasq (1.16-1) unstable; urgency=low + + * New upstream. + * Renamed Debian README to the standard README.Debian. (closes: #211577) + * Updated the installed /etc/dnsmasq.conf to reflect new options. + + -- Simon Kelley Tues, 16 Sep 2003 23:18:59 +0000 + +dnsmasq (1.15-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Tues, 16 Sep 2003 21:48:49 +0000 + +dnsmasq (1.14-1) unstable; urgency=low + + * New upstream. + * Use invoke-rc.d in postinst and prerm scripts when available. + * Stop dnsmasq later (at priority 85). (closes: #200625) + * Updated /etc/resolvconf/update.d/dnsmasq. (closes: #202609) + * Suggest resolvconf. (closes: #208093) + + -- Simon Kelley Tues, 2 Sep 2003 16:43:29 +0000 + +dnsmasq (1.13-4) unstable; urgency=high + + * Ignore failures in stopping existing dnsmasq + processes. (closes: #204127) (closes: #204129) + * Added download source to copyright. (closes: #206647) + + -- Simon Kelley Tues, 2 Sep 2003 15:28:28 +0000 + +dnsmasq (1.13-3) unstable; urgency=low + + * Moved /etc/resolvconf/update.d/dnsmasq script into this package. + * Don't call resolvconf from /etc/init.d/dnsmasq if dnsmasq fails + to start. (Patch from Thomas Hood.) + + -- Simon Kelley Mon, 7 Jul 2003 20:55:29 +0000 + +dnsmasq (1.13-2) unstable; urgency=low + + * Added support for the resolvconf nameserver configuration package. + + -- Simon Kelley Sun, 22 Jun 2003 20:30:19 +0000 + +dnsmasq (1.13-1) unstable; urgency=low + + * New upstream. + * Added new options to the default dnsmasq.conf. + * Default config now reads /var/lib/dhcp/dhcp.leases (closes: #195185) + * Added option to disable negative caching. (closes: #194274) + * Added David Coe's query port patch. 
(closes: #196578) + + -- Simon Kelley Sat, 31 May 2003 18:10:29 +0000 + +dnsmasq (1.12-1) unstable; urgency=low + + * New upstream. + * Added examples of "local" and "address" options to dnsmasq.conf. + * Remove /usr/doc symlink code. + * Remove period from end of description field. + + -- Simon Kelley Sat, 8 Mar 2003 12:16:09 +0000 + +dnsmasq (1.11-2) unstable; urgency=low + + * Fixed thinko in example dnsmasq.conf. (closes: #180410) + + -- Simon Kelley Mon, 24 Feb 2003 20:06:19 +0000 + +dnsmasq (1.11-1) unstable; urgency=low + + * New uptream. + + -- Simon Kelley Tues, 12 Jan 2003 22:25:17 -0100 + +dnsmasq (1.10-1) unstable; urgency=low + + * New uptream. + * Force service to stop in postinst before restarting. I don't + understand the circumstances under which it would still be running at + this point, but this is the correct fix anyway. (closes: #169718) + * Add /etc/dnsmasq.conf as a conffile and add a comment to + /etc/default/dnsmasq deprecating its use and recommending + /etc/dnsmasq.conf instead, since upstream now supports this. + + -- Simon Kelley Mon, 9 Oct 2002 19:05:34 -0100 + +dnsmasq (1.9-1) unstable; urgency=low + + * New uptream. + + -- Simon Kelley Mon, 23 Sept 2002 21:35:07 -0100 + +dnsmasq (1.8-1) unstable; urgency=low + + * New upstream. + + -- Simon Kelley Mon, 12 Aug 2002 21:56:17 -0100 + +dnsmasq (1.7-1) unstable; urgency=low + + * New upstream including better group-id manipulation. (closes: #152212) + * Conflict with bind9 (closes: #151812) + * Added more options to startup script. (closes: #148535) + + -- Simon Kelley Sun, 14 July 2002 20:23:14 -0100 + +dnsmasq (1.6-1) unstable; urgency=low + + * New upstream. + * Fixed documentation typos. (closes: #144637) + * Fixed failure to remove package if daemon not running. (closes: #147083) + * Changed upload to tarball-and-diff. (closes: #144638) + + -- Simon Kelley Sun, 19 May 2002 22:30:17 -0100 + +dnsmasq (1.5-1) unstable; urgency=medium + + * New upstream (includes hotmail.com fix). 
+ * Fixed DHCP lease file bug. (closes: #143778) + * Fixed failure of "reload" command in startup script (closes: #141021) + * Allow more than one interface name in the DNSMASQ_INTERFACE variable. + + -- Simon Kelley Sun, 14 Apr 2002 16:39:13 -0100 + +dnsmasq (1.4-2) unstable; urgency=low + + * Fixed snafu in startup script (closes: #139760) + + -- Simon Kelley Sun, 24 Mar 2002 23:06:18 +0000 + +dnsmasq (1.4-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Thurs, 7 Mar 2002 21:02:05 +0000 + +dnsmasq (1.3-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Fri, 15 Feb 2002 20:45:01 +0000 + +dnsmasq (1.2-4) unstable; urgency=low + + * Updated standards-version. + * More aggressive strip of binaries. + * Added depends: netbase. + * distribution->unstable for upload. + * Updated readme.Debian since config in /etc/default/dnsmasq now. + * Updated readme.Debian to reflect fact that this package is official now! + + -- Simon Kelley Fri, 15 Feb 2002 20:45:01 +0000 + +dnsmasq (1.2-3) stable; urgency=low + + * Added Suggests: and Conflicts: fields to control file. + + -- Simon Kelley Thurs, 14 Feb 2002 20:33:47 +0000 + +dnsmasq (1.2-2) stable; urgency=low + + * Many packaging fixes, to please lintian + * Added extended description. + * Fixed copyright file. + * Compressed everything in /usr/share/doc/dnsmasq. + * Added code to remove /usr/doc/dnsmasq to prerm script. 
+ * Moved configuration from /etc/init.d/dnsmasq to /etc/default/dnsmasq + + -- Simon Kelley Sat, 02 Feb 2002 18:54:37 +0000 + +dnsmasq (1.2-1) stable; urgency=low + + * New upstream + * Added more options to startup script + + -- Simon Kelley Sat, 20 Dec 2001 21:15:07 +0000 + +dnsmasq (1.1-2) stable; urgency=low + + * New upstream + * Strip binary + * Moved manpage from section 1 to section 8 + + -- Simon Kelley Sat, 21 Oct 2001 17:32:04 -0100 + +dnsmasq (1.0-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Sat, 10 Oct 2001 15:52:06 -0100 + +dnsmasq (0.996-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Fri, 26 Oct 2001 10:32:06 -0100 + +dnsmasq (0.995-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Tue, 09 Oct 2001 16:39:07 -0100 + +dnsmasq (0.994-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Sat, 07 Oct 2001 15:45:04 -0100 + +dnsmasq (0.992-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Fri, 31 Aug 2001 16:17:00 -0100 + +dnsmasq (0.98-1) unstable; urgency=low + + * New upstream + + -- Simon Kelley Wed, 11 Jul 2001 11:31:00 -0100 + +dnsmasq (0.96-1) unstable; urgency=low + + * Fixed thinko in cache code.. + + -- Simon Kelley Sat, 07 Jul 2001 18:52:00 -0100 + +dnsmasq (0.95-1) unstable; urgency=low + + * Initial Release. + + -- Simon Kelley Sat, 29 Aug 1998 20:27:27 -0400 + + + + + + + + + + --- dnsmasq-2.75.orig/debian/conffiles +++ dnsmasq-2.75/debian/conffiles @@ -0,0 +1,5 @@ +/etc/init.d/dnsmasq +/etc/default/dnsmasq +/etc/dnsmasq.conf +/etc/resolvconf/update.d/dnsmasq +/etc/insserv.conf.d/dnsmasq --- dnsmasq-2.75.orig/debian/control +++ dnsmasq-2.75/debian/control 
@@ -0,0 +1,45 @@ +Source: dnsmasq +Section: net +Priority: optional +Build-depends: gettext, libnetfilter-conntrack-dev [linux-any], + libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, + nettle-dev (>=2.4-3), libbsd-dev [!linux-any] +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Simon Kelley +Standards-Version: 3.9.5 + +Package: dnsmasq +Architecture: all +Depends: netbase, dnsmasq-base(>= ${binary:Version}), + init-system-helpers (>= 1.18~) +Suggests: resolvconf +Conflicts: resolvconf (<<1.15) +Description: Small caching DNS proxy and DHCP/TFTP server + Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP + server. It is designed to provide DNS and optionally, DHCP, to a + small network. It can serve the names of local machines which are + not in the global DNS. The DHCP server integrates with the DNS + server and allows machines with DHCP-allocated addresses + to appear in the DNS with names configured either in each host or + in a central configuration file. Dnsmasq supports static and dynamic + DHCP leases and BOOTP/TFTP for network booting of diskless machines. + +Package: dnsmasq-base +Architecture: any +Depends: adduser, ${shlibs:Depends} +Breaks: dnsmasq (<< 2.63-1~) +Replaces: dnsmasq (<< 2.63-1~) +Recommends: dns-root-data +Description: Small caching DNS proxy and DHCP/TFTP server + This package contains the dnsmasq executable and documentation, but + not the infrastructure required to run it as a system daemon. For + that, install the dnsmasq package. + +Package: dnsmasq-utils +Architecture: linux-any +Depends: ${shlibs:Depends} +Conflicts: dnsmasq (<<2.40) +Description: Utilities for manipulating DHCP leases + Small utilities to query a DHCP server's lease database and + remove leases from it. These programs are distributed with dnsmasq + and may not work correctly with other DHCP servers. --- dnsmasq-2.75.orig/debian/copyright +++ dnsmasq-2.75/debian/copyright 
@@ -0,0 +1,21 @@ +dnsmasq is Copyright (c) 2000-2015 Simon Kelley + +It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/ + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or + (at your option) version 3 dated 29 June, 2007. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +On Debian GNU/Linux systems, the text of the GNU general public license is +available in the file /usr/share/common-licenses/GPL-2 or +/usr/share/common-licenses/GPL-3 + +The Debian package of dnsmasq was created by Simon Kelley with assistance +from Lars Bahner. + --- dnsmasq-2.75.orig/debian/dbus.conf +++ dnsmasq-2.75/debian/dbus.conf @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + --- dnsmasq-2.75.orig/debian/default +++ dnsmasq-2.75/debian/default 
@@ -0,0 +1,33 @@ +# This file has five functions: +# 1) to completely disable starting dnsmasq, +# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` +# 3) to select an alternative config file +# by setting DNSMASQ_OPTS to --conf-file= +# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for +# more configuration variables. +# 5) to stop the resolvconf package from controlling dnsmasq's +# idea of which upstream nameservers to use. +# For upgraders from very old versions, all the shell variables set +# here in previous versions are still honored by the init script +# so if you just keep your old version of this file nothing will break. + +#DOMAIN_SUFFIX=`dnsdomainname` +#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt" + +# Whether or not to run the dnsmasq daemon; set to 0 to disable. +ENABLED=1 + +# By default search this drop directory for configuration options. +# Libvirt leaves a file here to make the system dnsmasq play nice. +# Comment out this line if you don't want this. The dpkg-* are file +# endings which cause dnsmasq to skip that file. This avoids pulling +# in backups made by dpkg. +CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new + +# If the resolvconf package is installed, dnsmasq will use its output +# rather than the contents of /etc/resolv.conf to find upstream +# nameservers. Uncommenting this line inhibits this behaviour. +# Note that including a "resolv-file=" line in +# /etc/dnsmasq.conf is not enough to override resolvconf if it is +# installed: the line below must be uncommented. +#IGNORE_RESOLVCONF=yes --- dnsmasq-2.75.orig/debian/dnsmasq-base.conffiles +++ dnsmasq-2.75/debian/dnsmasq-base.conffiles @@ -0,0 +1 @@ +/etc/dbus-1/system.d/dnsmasq.conf --- dnsmasq-2.75.orig/debian/dnsmasq-base.postinst +++ dnsmasq-2.75/debian/dnsmasq-base.postinst 
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
+
+# create a user to run as (code stolen from dovecot-common)
+if [ "$1" = "configure" ]; then
+ if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
+ adduser --system --home /var/lib/misc --gecos "dnsmasq" \
+ --no-create-home --disabled-password \
+ --quiet dnsmasq || true
+ fi
+
+ # Make the directory where we keep the pid file - this
+ # has to be owned by "dnsmasq" so that the file can be unlinked.
+ # This is only actually used by the dnsmasq binary package, not
+ # dnsmasq-base, but it's much easier to create it here so that
+ # we don't have synchronisation issues with the creation of the
+ # dnsmasq user.
+ if [ ! -d /var/run/dnsmasq ]; then
+ mkdir /var/run/dnsmasq
+ chown dnsmasq:nogroup /var/run/dnsmasq
+ fi
+fi
--- dnsmasq-2.75.orig/debian/dnsmasq-base.postrm
+++ dnsmasq-2.75/debian/dnsmasq-base.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+if [ purge = "$1" ]; then
+ if [ -x "$(command -v deluser)" ]; then
+ deluser --quiet --system dnsmasq > /dev/null || true
+ else
+ echo >&2 "not removing dnsmasq system account because deluser command was not found"
+ fi
+ rm -rf /var/run/dnsmasq
+fi
--- dnsmasq-2.75.orig/debian/init
+++ dnsmasq-2.75/debian/init
@@ -0,0 +1,315 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: dnsmasq +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Description: DHCP and DNS server +### END INIT INFO + +set +e # Don't exit on error status + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/dnsmasq +NAME=dnsmasq +DESC="DNS forwarder and DHCP server" + +# Most configuration options in /etc/default/dnsmasq are deprecated +# but still honoured. +ENABLED=1 +if [ -r /etc/default/$NAME ]; then + . /etc/default/$NAME +fi + +# Get the system locale, so that messages are in the correct language, and the +# charset for IDN is correct +if [ -r /etc/default/locale ]; then + . /etc/default/locale + export LANG +fi + +# /etc/dnsmasq.d/README is a non-conffile installed by the dnsmasq package. +# Should the dnsmasq package be removed, the following test ensures that +# the daemon is no longer started, even if the dnsmasq-base package is +# still in place. +test -e /etc/dnsmasq.d/README || exit 0 + +test -x $DAEMON || exit 0 + +# Provide skeleton LSB log functions for backports which don't have LSB functions. +if [ -f /lib/lsb/init-functions ]; then + . /lib/lsb/init-functions +else + log_warning_msg () { + echo "${@}." + } + + log_success_msg () { + echo "${@}." + } + + log_daemon_msg () { + echo -n "${1}: $2" + } + + log_end_msg () { + if [ $1 -eq 0 ]; then + echo "." + elif [ $1 -eq 255 ]; then + /bin/echo -e " (warning)." + else + /bin/echo -e " failed!" + fi + } +fi + +# RESOLV_CONF: +# If the resolvconf package is installed then use the resolv conf file +# that it provides as the default. Otherwise use /etc/resolv.conf as +# the default. +# +# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit +# filename is set there then this inhibits the use of the resolvconf-provided +# information. 
+# +# Note that if the resolvconf package is installed it is not possible to +# override it just by configuration in /etc/dnsmasq.conf, it is necessary +# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq. + +if [ ! "$RESOLV_CONF" ] && + [ "$IGNORE_RESOLVCONF" != "yes" ] && + [ -x /sbin/resolvconf ] +then + RESOLV_CONF=/var/run/dnsmasq/resolv.conf +fi + +for INTERFACE in $DNSMASQ_INTERFACE; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE" +done + +for INTERFACE in $DNSMASQ_EXCEPT; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE" +done + +if [ ! "$DNSMASQ_USER" ]; then + DNSMASQ_USER="dnsmasq" +fi + +# This tells dnsmasq to ignore DNS requests that don't come from a local network. +# It's automatically ignored if --interface --except-interface, --listen-address +# or --auth-server exist in the configuration, so for most installations, it will +# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq +# from being vulnerable to DNS-reflection attacks. + +DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service" + +# If the dns-root-data package is installed, then the trust anchors will be +# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq +# --trust-anchor options. + +ROOT_DS="/usr/share/dns/root.ds" + +if [ -f $ROOT_DS ]; then + DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`" +fi + +start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + + # /var/run may be volatile, so we need to ensure that + # /var/run/dnsmasq exists here as well as in postinst + if [ ! 
-d /var/run/dnsmasq ]; then + mkdir /var/run/dnsmasq || return 2 + chown dnsmasq:nogroup /var/run/dnsmasq || return 2 + fi + + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1 + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- \ + -x /var/run/dnsmasq/$NAME.pid \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \ + || return 2 +} + +start_resolvconf() +{ +# If interface "lo" is explicitly disabled in /etc/default/dnsmasq +# Then dnsmasq won't be providing local DNS, so don't add it to +# the resolvconf server set. + for interface in $DNSMASQ_EXCEPT + do + [ $interface = lo ] && return + done + + if [ -x /sbin/resolvconf ] ; then + echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME + fi + return 0 +} + +stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid --name $NAME +} + +stop_resolvconf() +{ + if [ -x /sbin/resolvconf ] ; then + /sbin/resolvconf -d lo.$NAME + fi + return 0 +} + +status() +{ + # Return + # 0 if daemon is running + # 1 if daemon is dead and pid file exists + # 3 if daemon is not running + # 4 if daemon status is unknown + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null + case "$?" 
in + 0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;; + 1) return 0 ;; + *) return 4 ;; + esac +} + +case "$1" in + start) + test "$ENABLED" != "0" || exit 0 + log_daemon_msg "Starting $DESC" "$NAME" + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + 1) + log_success_msg "(already running)" + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + stop) + stop_resolvconf + if [ "$ENABLED" != "0" ]; then + log_daemon_msg "Stopping $DESC" "$NAME" + fi + stop + RETVAL="$?" + if [ "$ENABLED" = "0" ]; then + case "$RETVAL" in + 0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;; + esac + exit 0 + fi + case "$RETVAL" in + 0) log_end_msg 0 ; exit 0 ;; + 1) log_warning_msg "(not running)" ; exit 0 ;; + *) log_end_msg 1; exit 1 ;; + esac + ;; + restart|force-reload) + test "$ENABLED" != "0" || exit 1 + $DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1 + if [ $? -ne 0 ]; then + NAME="configuration syntax check" + RETVAL="2" + else + stop_resolvconf + stop + RETVAL="$?" + fi + log_daemon_msg "Restarting $DESC" "$NAME" + case "$RETVAL" in + 0|1) + sleep 2 + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + status) + log_daemon_msg "Checking $DESC" "$NAME" + status + case "$?" in + 0) log_success_msg "(running)" ; exit 0 ;; + 1) log_success_msg "(dead, pid file exists)" ; exit 1 ;; + 3) log_success_msg "(not running)" ; exit 3 ;; + *) log_success_msg "(unknown)" ; exit 4 ;; + esac + ;; + dump-stats) + kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid` + ;; + systemd-start-resolvconf) + start_resolvconf + ;; + systemd-stop-resolvconf) + stop_resolvconf + ;; + systemd-exec) +# /var/run may be volatile, so we need to ensure that + # /var/run/dnsmasq exists here as well as in postinst + if [ ! 
-d /var/run/dnsmasq ]; then + mkdir /var/run/dnsmasq || return 2 + chown dnsmasq:nogroup /var/run/dnsmasq || return 2 + fi + exec $DAEMON -x /var/run/dnsmasq/$NAME.pid \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2 + exit 3 + ;; +esac + +exit 0 + --- dnsmasq-2.75.orig/debian/insserv +++ dnsmasq-2.75/debian/insserv @@ -0,0 +1 @@ +$named dnsmasq --- dnsmasq-2.75.orig/debian/postinst +++ dnsmasq-2.75/debian/postinst 
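Review bot: In the `dump-stats` branch, `kill -s USR1 \`cat /var/run/dnsmasq/$NAME.pid\`` signals, as root, whatever PID the file names, yet the pidfile lives in a directory that dnsmasq-base.postinst deliberately hands over to the unprivileged dnsmasq user so the daemon can unlink it, so its content is not something root should act on unchecked. The `stop` function already uses a guarded mechanism; the same form fits here, `start-stop-daemon --stop --signal USR1 --quiet --pidfile /var/run/dnsmasq/$NAME.pid --name $NAME`, which also checks the process name before signalling. Separately, the `systemd-exec` branch runs `mkdir /var/run/dnsmasq || return 2` and `chown dnsmasq:nogroup /var/run/dnsmasq || return 2` at the top level of the script rather than inside a function, where POSIX leaves `return` unspecified and bash rejects it; with `set +e` in force the script then carries on to `exec`, so these should read `|| exit 2`.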
@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+# Code copied from dh_systemd_enable ----------------------
+# This will only remove masks created by d-s-h on package removal.
+deb-systemd-helper unmask dnsmasq.service >/dev/null || true
+
+# was-enabled defaults to true, so new installations run enable.
+if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
+ # Enables the unit on first installation, creates new
+ # symlinks on upgrades if the unit file has changed.
+ deb-systemd-helper enable dnsmasq.service >/dev/null || true
+else
+ # Update the statefile to add new symlinks (if any), which need to be
+ # cleaned up on purge. Also remove old symlinks.
+ deb-systemd-helper update-state dnsmasq.service >/dev/null || true
+fi
+# End code copied from dh_systemd_enable ------------------
+
+if [ -x /etc/init.d/dnsmasq ]; then
+ update-rc.d dnsmasq defaults 15 85 >/dev/null
+
+ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
+ if [ -e /var/run/dnsmasq/dnsmasq.pid ]; then
+ ACTION=restart
+ else
+ ACTION=start
+ fi
+
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d dnsmasq $ACTION || true
+ else
+ /etc/init.d/dnsmasq $ACTION || true
+ fi
+ fi
+fi
+
+
--- dnsmasq-2.75.orig/debian/postrm
+++ dnsmasq-2.75/debian/postrm
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+if [ purge = "$1" ]; then
+ update-rc.d dnsmasq remove >/dev/null
+fi
+
+# Code copied from dh_systemd_enable ----------------------
+if [ "$1" = "remove" ]; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ deb-systemd-helper mask dnsmasq.service >/dev/null
+ fi
+fi
+
+if [ "$1" = "purge" ]; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ deb-systemd-helper purge dnsmasq.service >/dev/null
+ deb-systemd-helper unmask dnsmasq.service >/dev/null
+ fi
+fi
+# End code copied from dh_systemd_enable ------------------
+
--- dnsmasq-2.75.orig/debian/prerm
+++ dnsmasq-2.75/debian/prerm
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d dnsmasq stop || true
+ else
+ /etc/init.d/dnsmasq stop || true
+ fi
+fi
+
+exit 0
+
+
--- dnsmasq-2.75.orig/debian/readme
+++ dnsmasq-2.75/debian/readme
@@ -0,0 +1,79 @@ +Notes on configuring dnsmasq as packaged for Debian. + +(1) To configure dnsmasq edit /etc/dnsmasq.conf. The file is well + commented; see also the dnsmasq.8 man page for explanation of + the options. The file /etc/default/dnsmasq also exists but it + shouldn't need to be touched in most cases. To set up DHCP + options you might need to refer to a copy of RFC 2132. This is + available on Debian systems in the package doc-rfc-std as the file + /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz . + +(2) Installing the dnsmasq package also creates the directory + /etc/dnsmasq.d which is searched by dnsmasq for configuration file + fragments. This behaviour can be disabled by editing + /etc/default/dnsmasq. + +(3) If the Debian resolvconf package is installed then, regardless + of what interface configuration daemons are employed, the list of + nameservers to which dnsmasq should forward queries can be found + in /var/run/dnsmasq/resolv.conf; also, 127.0.0.1 is listed as the + first nameserver address in /etc/resolv.conf. This works using the + default configurations of resolvconf and dnsmasq. + +(4) In the absence of resolvconf, if you are using dhcpcd then + dnsmasq should read the list of nameservers from the automatically + generated file /etc/dhcpc/resolv.conf. You should list 127.0.0.1 + as the first nameserver address in /etc/resolv.conf. + +(5) In the absence of resolvconf, if you are using pppd then + dnsmasq should read the list of nameservers from the automatically + generated file /etc/ppp/resolv.conf. You should list 127.0.0.1 + as the first nameserver address in /etc/resolv.conf. + +(6) In the absence of resolvconf, dns-nameservers lines in + /etc/network/interfaces are ignored. If you do do not use + resolvconf, list 127.0.0.1 as the first nameserver address + in /etc/resolv.conf and configure your nameservers using + "server=" lines in /etc/dnsmasq.conf. 
+ +(7) If you run multiple DNS servers on a single machine, each + listening on a different interface, then it is necessary to use + the bind-interfaces option by uncommenting "bind-interfaces" in + /etc/dnsmasq.conf. This option stops dnsmasq from binding the + wildcard address and allows servers listening on port 53 on + interfaces not in use by dnsmasq to work. The Debian + libvirt package will add a configuration file in /etc/dnsmasq.d + which does this so that the "system" dnsmasq and "private" dnsmasq + instances started by libvirt do not clash. + +(8) The following options are supported in DEB_BUILD_OPTIONS + noopt : compile without optimisation. + nostrip : don't remove symbols from binary. + nodocs : omit documentation. + notftp : omit TFTP support. + nodhcp : omit DHCP support. + nodhcp6 : omit DHCPv6 support. + noscript : omit lease-change script support. + use_lua : provide support for lease-change scripts written + in Lua. + noipv6 : omit IPv6 support. + nodbus : omit DBus support. + noconntrack : omit connection tracking support. + noipset : omit IPset support. + nortc : compile alternate mode suitable for systems without an RTC. + noi18n : omit translations and internationalisation support. + noidn : omit international domain name support, must be + combined with noi18n to be effective. + gitversion : set the version of the produced packages from the + git-derived versioning information on the source, + rather the the debian changelog. + +(9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and + dnsmasq. Dnsmasq-base provides the dnsmasq executable and + documentation (including this file). Dnsmasq, which depends on + dnsmasq-base, provides the init script and configuration + infrastructure. This file assumes that both are installed. It is + possible to install only dnsmasq-base and use dnsmasq as a + non-"system" daemon. Libvirt, for instance, does this. + Dnsmasq-utils provides the utilities dhcp_release and + dhcp_lease_time. 
--- dnsmasq-2.75.orig/debian/readme.dnsmasq.d
+++ dnsmasq-2.75/debian/readme.dnsmasq.d
@@ -0,0 +1,7 @@
+# All files in this directory will be read by dnsmasq as
+# configuration files, except if their names end in
+# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
+#
+# This can be changed by editing /etc/default/dnsmasq
+
+
--- dnsmasq-2.75.orig/debian/resolvconf
+++ dnsmasq-2.75/debian/resolvconf
@@ -0,0 +1,84 @@ +#!/bin/sh +# +# Script to update the resolver list for dnsmasq +# +# N.B. Resolvconf may run us even if dnsmasq is not (yet) running. +# If dnsmasq is installed then we go ahead and update the resolver list +# in case dnsmasq is started later. +# +# Assumption: On entry, PWD contains the resolv.conf-type files. +# +# This file is part of the dnsmasq package. +# + +set -e + +RUN_DIR="/var/run/dnsmasq" +RSLVRLIST_FILE="${RUN_DIR}/resolv.conf" +TMP_FILE="${RSLVRLIST_FILE}_new.$$" +MY_NAME_FOR_RESOLVCONF="dnsmasq" + +[ -x /usr/sbin/dnsmasq ] || exit 0 +[ -x /lib/resolvconf/list-records ] || exit 1 + +PATH=/bin:/sbin + +report_err() { echo "$0: Error: $*" >&2 ; } + +# Stores arguments (minus duplicates) in RSLT, separated by spaces +# Doesn't work properly if an argument itself contains whitespace +uniquify() +{ + RSLT="" + while [ "$1" ] ; do + for E in $RSLT ; do + [ "$1" = "$E" ] && { shift ; continue 2 ; } + done + RSLT="${RSLT:+$RSLT }$1" + shift + done +} + +if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then + report_err "Failed trying to create directory $RUN_DIR" + exit 1 +fi + +RSLVCNFFILES="" +for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do + case "$F" in + "lo.$MY_NAME_FOR_RESOLVCONF") + # Omit own record + ;; + lo.*) + # Include no more records after one for a local nameserver + RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F" + break + ;; + *) + RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F" + ;; + esac +done + +NMSRVRS="" +if [ "$RSLVCNFFILES" ] ; then + uniquify $(sed -n -e 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES) + NMSRVRS="$RSLT" +fi + +# Dnsmasq uses the mtime of $RSLVRLIST_FILE, with a resolution of one second, +# to detect changes in the file. This means that if a resolvconf update occurs +# within one second of the previous one then dnsmasq may fail to notice the +# more recent change. 
To work around this problem we sleep one second here +# if necessary in order to ensure that the new mtime is different. +if [ -f "$RSLVRLIST_FILE" ] && [ "$(ls -go --time-style='+%s' "$RSLVRLIST_FILE" | { read p h s t n ; echo "$t" ; })" = "$(date +%s)" ] ; then + sleep 1 +fi + +clean_up() { rm -f "$TMP_FILE" ; } +trap clean_up EXIT +: >| "$TMP_FILE" +for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMP_FILE" ; done +mv -f "$TMP_FILE" "$RSLVRLIST_FILE" + --- dnsmasq-2.75.orig/debian/resolvconf-package +++ dnsmasq-2.75/debian/resolvconf-package @@ -0,0 +1,13 @@ +#!/bin/sh +# Resolvconf packaging event hook script for the dnsmasq package +restart_dnsmasq() { + if which invoke-rc.d >/dev/null 2>&1 ; then + invoke-rc.d dnsmasq restart + elif [ -x /etc/init.d/dnsmasq ] ; then + /etc/init.d/dnsmasq restart + fi +} + +case "$1" in + install) restart_dnsmasq ;; +esac --- dnsmasq-2.75.orig/debian/rules +++ dnsmasq-2.75/debian/rules 
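Review bot: `: >| "$TMP_FILE"` near the end of the script creates a file under a predictable name (`${RSLVRLIST_FILE}_new.$$`) in `/var/run/dnsmasq`, a directory that dnsmasq-base.postinst hands over to the unprivileged dnsmasq user; this hook runs as root and `>|` follows an existing symlink of that name, so root's write is not guaranteed to stay inside the directory. Let mktemp create the file exclusively and then open its mode so the daemon can still read the result: replace the `: >|` line with `TMP_FILE=$(mktemp "${RSLVRLIST_FILE}_new.XXXXXX") || exit 1` followed by `chmod 0644 "$TMP_FILE"`, keeping `trap clean_up EXIT` ahead of it so a failed run still removes the file. The `TMP_FILE=` assignment at the top of the script then becomes unnecessary, and `PATH=/bin:/sbin` already reaches mktemp on Debian. The `mv -f` rename that follows is fine as it stands.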
@@ -0,0 +1,228 @@ +#!/usr/bin/make -f +# debian/rules file - for dnsmasq. +# Copyright 2001-2011 by Simon Kelley +# Based on the sample in the debian hello package which carries the following: +# Copyright 1994,1995 by Ian Jackson. +# I hereby give you perpetual unlimited permission to copy, +# modify and relicense this file, provided that you do not remove +# my name from the file itself. (I assert my moral right of +# paternity under the Copyright, Designs and Patents Act 1988.) +# This file may have to be extensively modified + +package=dnsmasq-base + +dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all" dpkg-buildflags + +CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS) +CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS) +CFLAGS += -Wall -W + +LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS) + +DEB_COPTS = $(COPTS) + +TARGET = install-i18n + +DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) +BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date) + +# Force package version based on git tags. 
+ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS))) + PACKAGE_VERSION = $(shell bld/get-version `pwd` | sed 's/test/~&/; s/[a-z]/~&/; s/-/./g; s/$$/-1/; s/^/-v/';) +endif + +ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DHAVE_DBUS +endif + +ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS))) +ifeq ($(DEB_HOST_ARCH_OS),linux) + DEB_COPTS += -DHAVE_CONNTRACK +endif +endif + +ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_IPSET +endif + +ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_DHCP6 +endif + +ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_IPV6 +endif + +ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_TFTP +endif + +ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_DHCP +endif + +ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DNO_SCRIPT +endif + +ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DHAVE_BROKEN_RTC +endif + +ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS))) + TARGET = install + ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DHAVE_IDN + endif +endif + +ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DHAVE_LUASCRIPT +endif + +ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS))) + DEB_COPTS += -DHAVE_DNSSEC +endif + +ifneq ($(DEB_HOST_ARCH_OS),linux) + # For strlcpy in FreeBSD + LDFLAGS += -lbsd +endif + +clean: + $(checkdir) + rm -rf debian/daemon debian/base debian/utils debian/*~ debian/files debian/substvars debian/utils-substvars + make clean + make -C contrib/wrt clean + +binary-indep: checkroot + $(checkdir) + rm -rf debian/daemon + install -m 755 \ + -d debian/daemon/DEBIAN \ + -d debian/daemon/usr/share/doc \ + -d debian/daemon/etc/init.d \ + -d debian/daemon/etc/dnsmasq.d \ + -d debian/daemon/etc/resolvconf/update.d \ + -d debian/daemon/usr/lib/resolvconf/dpkg-event.d \ + -d debian/daemon/etc/default \ + -d debian/daemon/lib/systemd/system \ + -d debian/daemon/etc/insserv.conf.d 
+ install -m 644 debian/conffiles debian/daemon/DEBIAN + install -m 755 debian/postinst debian/postrm debian/prerm debian/daemon/DEBIAN + install -m 755 debian/init debian/daemon/etc/init.d/dnsmasq + install -m 755 debian/resolvconf debian/daemon/etc/resolvconf/update.d/dnsmasq + install -m 755 debian/resolvconf-package debian/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq + install -m 644 debian/default debian/daemon/etc/default/dnsmasq + install -m 644 dnsmasq.conf.example debian/daemon/etc/dnsmasq.conf + install -m 644 debian/readme.dnsmasq.d debian/daemon/etc/dnsmasq.d/README + install -m 644 debian/systemd.service debian/daemon/lib/systemd/system/dnsmasq.service + install -m 644 debian/insserv debian/daemon/etc/insserv.conf.d/dnsmasq + ln -s $(package) debian/daemon/usr/share/doc/dnsmasq + cd debian/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums + dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/daemon + find debian/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)' + chown -R root.root debian/daemon + chmod -R g-ws debian/daemon + dpkg --build debian/daemon .. + +binary-arch: checkroot + $(checkdir) + rm -rf debian/base + install -m 755 \ + -d debian/base/DEBIAN \ + -d debian/base/etc/dbus-1/system.d \ + -d debian/base/usr/share/doc/$(package) \ + -d debian/base/usr/share/doc/$(package)/examples \ + -d debian/base/var/run \ + -d debian/base/usr/share/$(package) \ + -d debian/base/var/lib/misc + make $(TARGET) PREFIX=/usr DESTDIR=`pwd`/debian/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc +ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS))) +# Need to remove paypal links in Debian Package for policy reasons. 
+ sed -e /\Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >debian/base/usr/share/doc/$(package)/doc.html + echo "" >>debian/base/usr/share/doc/$(package)/doc.html + install -m 644 setup.html debian/base/usr/share/doc/$(package)/. + install -m 644 dnsmasq.conf.example debian/base/usr/share/doc/$(package)/examples/. + install -m 644 trust-anchors.conf debian/base/usr/share/$(package)/. + install -m 644 FAQ debian/base/usr/share/doc/$(package)/. + gzip -9n debian/base/usr/share/doc/$(package)/FAQ + install -m 644 CHANGELOG debian/base/usr/share/doc/$(package)/changelog + gzip -9n debian/base/usr/share/doc/$(package)/changelog + install -m 644 CHANGELOG.archive debian/base/usr/share/doc/$(package)/changelog.archive + gzip -9n debian/base/usr/share/doc/$(package)/changelog.archive + install -m 644 dbus/DBus-interface debian/base/usr/share/doc/$(package)/. + gzip -9n debian/base/usr/share/doc/$(package)/DBus-interface +endif + install -m 644 debian/dnsmasq-base.conffiles debian/base/DEBIAN/conffiles + install -m 755 debian/dnsmasq-base.postinst debian/base/DEBIAN/postinst + install -m 755 debian/dnsmasq-base.postrm debian/base/DEBIAN/postrm + install -m 644 debian/changelog debian/base/usr/share/doc/$(package)/changelog.Debian + gzip -9n debian/base/usr/share/doc/$(package)/changelog.Debian + install -m 644 debian/readme debian/base/usr/share/doc/$(package)/README.Debian + install -m 644 debian/copyright debian/base/usr/share/doc/$(package)/copyright + install -m 644 debian/dbus.conf debian/base/etc/dbus-1/system.d/dnsmasq.conf + gzip -9n debian/base/usr/share/man/man8/dnsmasq.8 + for f in debian/base/usr/share/man/*; do \ + if [ -f $$f/man8/dnsmasq.8 ]; then \ + gzip -9n $$f/man8/dnsmasq.8 ; \ + fi \ + done +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + strip -R .note -R .comment debian/base/usr/sbin/dnsmasq +endif + cd debian/base && find . -type f ! 
-regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums + dpkg-shlibdeps --warnings=1 debian/base/usr/sbin/dnsmasq + dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/base + find debian/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)' + chown -R root.root debian/base + chmod -R g-ws debian/base + dpkg --build debian/base .. + +ifeq ($(DEB_HOST_ARCH_OS),linux) + rm -rf debian/utils + install -m 755 -d debian/utils/DEBIAN \ + -d debian/utils/usr/share/man/man1 \ + -d debian/utils/usr/bin \ + -d debian/utils/usr/share/doc/dnsmasq-utils + make -C contrib/wrt PREFIX=/usr DESTDIR=`pwd`/debian/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc + install -m 755 contrib/wrt/dhcp_release debian/utils/usr/bin/dhcp_release + install -m 644 contrib/wrt/dhcp_release.1 debian/utils/usr/share/man/man1/dhcp_release.1 + gzip -9n debian/utils/usr/share/man/man1/dhcp_release.1 + install -m 755 contrib/wrt/dhcp_lease_time debian/utils/usr/bin/dhcp_lease_time + install -m 644 contrib/wrt/dhcp_lease_time.1 debian/utils/usr/share/man/man1/dhcp_lease_time.1 + install -m 644 debian/copyright debian/utils/usr/share/doc/dnsmasq-utils/copyright + install -m 644 debian/changelog debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian + gzip -9n debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian + gzip -9n debian/utils/usr/share/man/man1/dhcp_lease_time.1 +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + strip -R .note -R .comment debian/utils/usr/bin/dhcp_release + strip -R .note -R .comment debian/utils/usr/bin/dhcp_lease_time +endif + cd debian/utils && find . -type f ! 
-regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums + dpkg-shlibdeps -Tdebian/utils-substvars debian/utils/usr/bin/dhcp_release debian/utils/usr/bin/dhcp_lease_time + dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/utils + find debian/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)' + chown -R root.root debian/utils + chmod -R g-ws debian/utils + dpkg --build debian/utils .. +endif + +define checkdir + test -f Makefile -a -f debian/rules +endef + +# Below here is fairly generic really + +binary: binary-arch binary-indep + +build: +build-arch: +build-indep: + +checkroot: + test root = "`whoami`" + +.PHONY: binary binary-arch binary-indep clean checkroot + + --- dnsmasq-2.75.orig/debian/source/format +++ dnsmasq-2.75/debian/source/format @@ -0,0 +1 @@ +1.0 --- dnsmasq-2.75.orig/debian/systemd.service +++ dnsmasq-2.75/debian/systemd.service 
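Review bot: `chown -R root.root debian/daemon` (and the matching lines for debian/base and debian/utils in the same target) uses the deprecated `user.group` separator; `chown -R root:root …` is the documented form and is unambiguous when a user name contains a dot. The hardening wiring looks right: `DEB_BUILD_MAINT_OPTIONS="hardening=+all"` plus folding `--get CPPFLAGS` into `CFLAGS`, which matters because the visible `make $(TARGET) … CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)"` invocation passes no separate CPPFLAGS to the upstream Makefile; a one-line comment above the `CFLAGS +=` line saying that is why CPPFLAGS are merged would keep a future cleanup from splitting them again.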
@@ -0,0 +1,28 @@ +[Unit] +Description=dnsmasq - A lightweight DHCP and caching DNS server +Requires=network.target + +[Service] +Type=forking +PIDFile=/var/run/dnsmasq/dnsmasq.pid + +# Test the config file and refuse starting if it is not valid. +ExecStartPre=/usr/sbin/dnsmasq --test + +# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a +# wrapper picking up extra configuration files and then execs dnsmasq +# itself, when called with the "systemd-exec" function. +ExecStart=/etc/init.d/dnsmasq systemd-exec + +# The systemd-*-resolvconf functions configure (and deconfigure) +# resolvconf to work with the dnsmasq DNS server. They're called liek +# this to get correct error handling (ie don't start-resolvconf if the +# dnsmasq daemon fails to start. +ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf +ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf + + +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target --- dnsmasq-2.75.orig/src/cache.c +++ dnsmasq-2.75/src/cache.c @@ -481,7 +481,7 @@ existing record is for an A or AAAA and the record we're trying to insert is the same, just drop the insert, but don't error the whole process. */ - if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD)) + if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr) { if ((flags & F_IPV4) && (new->flags & F_IPV4) && new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr) --- dnsmasq-2.75.orig/src/dnsmasq.h +++ dnsmasq-2.75/src/dnsmasq.h @@ -137,6 +137,10 @@ #include #endif +#ifdef HAVE_DNSSEC +# include +#endif + /* daemon is function in the C library.... */ #define daemon dnsmasq_daemon @@ -492,6 +496,7 @@ int fd; union mysockaddr source_addr; char interface[IF_NAMESIZE+1]; + unsigned int ifindex, used; struct serverfd *next; }; 
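Review bot: `Requires=network.target` without a matching `After=network.target` declares a dependency but no ordering, so systemd may start this unit before the network is configured; add `After=network.target` under `[Unit]`. The comment above `ExecStartPost` has a typo and an unclosed parenthesis; `They're called like this to get correct error handling (i.e. don't start resolvconf if the dnsmasq daemon fails to start).` reads cleanly. `PIDFile=/var/run/dnsmasq/dnsmasq.pid` works via the symlink, but `/run/dnsmasq/dnsmasq.pid` is the path systemd itself documents.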
@@ -596,24 +601,26 @@ #define FREC_ADDED_PHEADER 128 #define FREC_CHECK_NOSIGN 256 #define FREC_TEST_PKTSZ 512 +#define FREC_HAS_PHEADER 1024 -#ifdef HAVE_DNSSEC -#define HASH_SIZE 20 /* SHA-1 digest size */ -#else -#define HASH_SIZE sizeof(int) -#endif +#define HASH_SIZE 32 /* SHA-256 digest size */ struct frec { - union mysockaddr source; - struct all_addr dest; + struct frec_src { + union mysockaddr source; + struct all_addr dest; + unsigned int iface, log_id; + int fd; + unsigned short orig_id; + struct frec_src *next; + } frec_src; struct server *sentto; /* NULL means free */ struct randfd *rfd4; #ifdef HAVE_IPV6 struct randfd *rfd6; #endif - unsigned int iface; - unsigned short orig_id, new_id; - int log_id, fd, forwardall, flags; + unsigned short new_id; + int forwardall, flags; time_t time; unsigned char *hash[HASH_SIZE]; #ifdef HAVE_DNSSEC @@ -1007,6 +1014,8 @@ #endif unsigned int local_answer, queries_forwarded, auth_answer; struct frec *frec_list; + struct frec_src *free_frec_src; + int frec_src_count; struct serverfd *sfds; struct irec *interfaces; struct listener *listeners; @@ -1126,7 +1135,6 @@ unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t *len, unsigned char **p, int *is_sign); int check_for_local_domain(char *name, time_t now); -unsigned int questions_crc(struct dns_header *header, size_t plen, char *buff); size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen); size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3); 
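Review bot: `HASH_SIZE` is now the byte length of a SHA-256 digest, but the context line `unsigned char *hash[HASH_SIZE];` in `struct frec` still declares an array of 32 pointers rather than 32 bytes; the `memcpy(forward->hash, hash, HASH_SIZE)` and `memcmp(hash, f->hash, HASH_SIZE)` callers in forward.c therefore use only the first 32 bytes of a 256-byte field on 64-bit targets. It works, but `unsigned char hash[HASH_SIZE];` states the intent and shrinks every frec. A one-line comment on the field, e.g. `/* hash_questions() digest of the outgoing question section; compared against every reply */`, would also document why the digest is stored per query.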
@@ -1159,8 +1167,12 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); size_t filter_rrsigs(struct dns_header *header, size_t plen); -unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); int setup_timestamp(void); +const struct nettle_hash *hash_find(char *name); +int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); + +/* hash_questions.c */ +unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name); /* util.c */ void rand_init(void); @@ -1169,7 +1181,7 @@ u64 rand64(void); int legal_hostname(char *c); char *canonicalise(char *s, int *nomem); -unsigned char *do_rfc1035_name(unsigned char *p, char *sval); +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); void *safe_malloc(size_t size); void safe_pipe(int *fd, int read_noblock); void *whine_malloc(size_t size); --- dnsmasq-2.75.orig/src/dnssec.c +++ dnsmasq-2.75/src/dnssec.c @@ -72,7 +72,7 @@ } /* Find pointer to correct hash function in nettle library */ -static const struct nettle_hash *hash_find(char *name) +const struct nettle_hash *hash_find(char *name) { int i; @@ -89,7 +89,7 @@ } /* expand ctx and digest memory allocations if necessary and init hash function */ -static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp) +int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp) { static void *ctx = NULL; static unsigned char *digest = NULL; 
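Review bot: `hash_init()` is now exported, but as the hunk at line 89 shows it hands out pointers to its function-static `ctx` and `digest` buffers, so a digest obtained from one call is overwritten by the next `hash_init()` from any translation unit, including the new hash_questions.c. The new declarations in dnsmasq.h should say so, e.g. `/* *ctxp and *digestp point at static buffers reused by every call; copy the digest before hashing again. */`, and the `hash_questions()` prototype should state whether it can return NULL, since its forward.c callers in this series pass the result straight to memcpy/memcmp. Minor: `hash_find(char *name)` presumably only looks the name up and could take `const char *name`.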
@@ -549,46 +549,81 @@ return p+1; } -/* Return bytes of canonicalised rdata, when the return value is zero, the remaining - data, pointed to by *p, should be used raw. */ -static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, - unsigned char **p, u16 **desc) -{ - int d = **desc; - - /* No more data needs mangling */ - if (d == (u16)-1) - { - /* If there's more data than we have space for, just return what fits, - we'll get called again for more chunks */ - if (end - *p > bufflen) - { - memcpy(buff, *p, bufflen); - *p += bufflen; - return bufflen; - } - - return 0; +/* Return bytes of canonicalised rrdata one by one. + Init state->ip with the RR, and state->end with the end of same. + Init state->op to NULL. + Init state->desc to RR descriptor. + Init state->buff with a MAXDNAME * 2 buffer. + + After each call which returns 1, state->op points to the next byte of data. + On returning 0, the end has been reached. +*/ +struct rdata_state { + u16 *desc; + size_t c; + unsigned char *end, *ip, *op; + char *buff; +}; + +static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state) +{ + int d; + + if (state->op && state->c != 1) + { + state->op++; + state->c--; + return 1; } - (*desc)++; - - if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) - /* domain-name, canonicalise */ - return to_wire(buff); - else - { - /* plain data preceding a domain-name, don't run off the end of the data */ - if ((end - *p) < d) - d = end - *p; + + while (1) + { + d = *(state->desc); - if (d != 0) + if (d == (u16)-1) + { + /* all the bytes to the end. 
*/ + if ((state->c = state->end - state->ip) != 0) + { + state->op = state->ip; + state->ip = state->end;; + } + else + return 0; + } + else { - memcpy(buff, *p, d); - *p += d; + state->desc++; + + if (d == (u16)0) + { + /* domain-name, canonicalise */ + int len; + + if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) || + (len = to_wire(state->buff)) == 0) + continue; + + state->c = len; + state->op = (unsigned char *)state->buff; + } + else + { + /* plain data preceding a domain-name, don't run off the end of the data */ + if ((state->end - state->ip) < d) + d = state->end - state->ip; + + if (d == 0) + continue; + + state->op = state->ip; + state->c = d; + state->ip += d; + } } - return d; + return 1; } } 
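Review bot: After a successful `extract_name()` in the domain-name branch nothing checks that `state->ip` is still at or before `state->end`; `extract_name()` is bounded by `plen` rather than by the RR's own rdlen as far as is visible here, so a name that runs past the RR leaves `state->end - state->ip` negative, and that value is either stored into the `size_t` field `state->c` (the `(u16)-1` branch) or used as the plain-data length `d`, after which the callers' byte-by-byte loops would walk far beyond the RR. A guard such as `if (state->ip > state->end) return 0;` immediately after the `extract_name()` check keeps the iterator inside the RR in that case. Minor: `state->ip = state->end;;` has a stray semicolon.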
@@ -620,90 +655,75 @@ return 1; } -/* Bubble sort the RRset into the canonical order. - Note that the byte-streams from two RRs may get unsynced: consider - RRs which have two domain-names at the start and then other data. - The domain-names may have different lengths in each RR, but sort equal - - ------------ - |abcde|fghi| - ------------ - |abcd|efghi| - ------------ - - leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables. -*/ +/* Bubble sort the RRset into the canonical order. */ -static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, - unsigned char **rrset, char *buff1, char *buff2) +static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, + unsigned char **rrset, char *buff1, char *buff2) { - int swap, quit, i; + int swap, i, j; do { for (swap = 0, i = 0; i < rrsetidx-1; i++) { - int rdlen1, rdlen2, left1, left2, len1, len2, len, rc; - u16 *dp1, *dp2; - unsigned char *end1, *end2; + int rdlen1, rdlen2; + struct rdata_state state1, state2; + /* Note that these have been determined to be OK previously, so we don't need to check for NULL return here. 
*/ - unsigned char *p1 = skip_name(rrset[i], header, plen, 10); - unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10); - - p1 += 8; /* skip class, type, ttl */ - GETSHORT(rdlen1, p1); - end1 = p1 + rdlen1; - - p2 += 8; /* skip class, type, ttl */ - GETSHORT(rdlen2, p2); - end2 = p2 + rdlen2; - - dp1 = dp2 = rr_desc; - - for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;) + state1.ip = skip_name(rrset[i], header, plen, 10); + state2.ip = skip_name(rrset[i+1], header, plen, 10); + state1.op = state2.op = NULL; + state1.buff = buff1; + state2.buff = buff2; + state1.desc = state2.desc = rr_desc; + + state1.ip += 8; /* skip class, type, ttl */ + GETSHORT(rdlen1, state1.ip); + if (!CHECK_LEN(header, state1.ip, plen, rdlen1)) + return rrsetidx; /* short packet */ + state1.end = state1.ip + rdlen1; + + state2.ip += 8; /* skip class, type, ttl */ + GETSHORT(rdlen2, state2.ip); + if (!CHECK_LEN(header, state2.ip, plen, rdlen2)) + return rrsetidx; /* short packet */ + state2.end = state2.ip + rdlen2; + + while (1) { - if (left1 != 0) - memmove(buff1, buff1 + len1 - left1, left1); - - if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0) - { - quit = 1; - len1 = end1 - p1; - memcpy(buff1 + left1, p1, len1); - } - len1 += left1; - - if (left2 != 0) - memmove(buff2, buff2 + len2 - left2, left2); + int ok1, ok2; - if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0) + ok1 = get_rdata(header, plen, &state1); + ok2 = get_rdata(header, plen, &state2); + + if (!ok1 && !ok2) { - quit = 1; - len2 = end2 - p2; - memcpy(buff2 + left2, p2, len2); + /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ + for (j = i+1; j < rrsetidx-1; j++) + rrset[j] = rrset[j+1]; + rrsetidx--; + i--; + break; } - len2 += left2; - - if (len1 > len2) - left1 = len1 - len2, left2 = 0, len = len2; - else - left2 = len2 - len1, left1 = 0, len = len1; - - rc = (len == 0) ? 
0 : memcmp(buff1, buff2, len); - - if (rc > 0 || (rc == 0 && quit && len1 > len2)) + else if (ok1 && (!ok2 || *state1.op > *state2.op)) { unsigned char *tmp = rrset[i+1]; rrset[i+1] = rrset[i]; rrset[i] = tmp; - swap = quit = 1; + swap = 1; + break; } - else if (rc < 0) - quit = 1; + else if (ok2 && (!ok1 || *state2.op > *state1.op)) + break; + + /* arrive here when bytes are equal, go round the loop again + and compare the next ones. */ } } } while (swap); + + return rrsetidx; } /* Validate a single RRset (class, type, name) in the supplied DNS reply @@ -808,7 +828,7 @@ /* Sort RRset records into canonical order. Note that at this point keyname and daemon->workspacename buffs are unused, and used as workspace by the sort. */ - sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname); + rrsetidx = sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname); /* Now try all the sigs to try and find one which validates */ for (j = 0; j update(ctx, (unsigned int)wire_len, (unsigned char*)keyname); from_wire(keyname); + +#define RRBUFLEN 300 /* Most RRs are smaller than this. */ for (i = 0; i < rrsetidx; ++i) { - int seg; - unsigned char *end, *cp; - u16 len, *dp; + int j; + struct rdata_state state; + u16 len; + unsigned char rrbuf[RRBUFLEN]; p = rrset[i]; + if (!extract_name(header, plen, &p, name, 1, 10)) return STAT_BOGUS; @@ -895,12 +919,11 @@ /* if more labels than in RRsig name, hash *. 4035 5.3.2 */ if (labels < name_labels) { - int k; - for (k = name_labels - labels; k != 0; k--) + for (j = name_labels - labels; j != 0; j--) { while (*name_start != '.' && *name_start != 0) name_start++; - if (k != 1 && *name_start == '.') + if (j != 1 && *name_start == '.') name_start++; } 
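Review bot: On a `CHECK_LEN` failure `sort_rrset()` returns `rrsetidx` unchanged, so the caller (which just assigns the result at line ~828) proceeds to validate a partly sorted RRset with nothing distinguishing "sorted" from "short packet"; this is only safe because the per-RR `CHECK_LEN(header, p, plen, rdlen)` in the digest loop later returns STAT_BOGUS for the same RR. A comment at both early returns, e.g. `/* short packet: the caller's per-RR CHECK_LEN rejects this RRset */`, makes that dependency explicit. In the duplicate-removal branch, `i--` followed by `break` relies on the enclosing `for`'s `i++` to re-examine the slot that now holds the shifted-down entry; a one-line comment there would spare the next reader the trace.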
@@ -921,24 +944,44 @@ if (!CHECK_LEN(header, p, plen, rdlen)) return STAT_BOGUS; - end = p + rdlen; - - /* canonicalise rdata and calculate length of same, use name buffer as workspace. - Note that name buffer is twice MAXDNAME long in DNSSEC mode. */ - cp = p; - dp = rr_desc; - for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg); - len += end - cp; - len = htons(len); + /* canonicalise rdata and calculate length of same, use + name buffer as workspace for get_rdata. */ + state.ip = p; + state.op = NULL; + state.desc = rr_desc; + state.buff = name; + state.end = p + rdlen; + + for (j = 0; get_rdata(header, plen, &state); j++) + if (j < RRBUFLEN) + rrbuf[j] = *state.op; + + len = htons((u16)j); hash->update(ctx, 2, (unsigned char *)&len); + + /* If the RR is shorter than RRBUFLEN (most of them, in practice) + then we can just digest it now. If it exceeds RRBUFLEN we have to + go back to the start and do it in chunks. */ + if (j >= RRBUFLEN) + { + state.ip = p; + state.op = NULL; + state.desc = rr_desc; + + for (j = 0; get_rdata(header, plen, &state); j++) + { + rrbuf[j] = *state.op; + + if (j == RRBUFLEN - 1) + { + hash->update(ctx, RRBUFLEN, rrbuf); + j = -1; + } + } + } - /* Now canonicalise again and digest. */ - cp = p; - dp = rr_desc; - while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp))) - hash->update(ctx, seg, (unsigned char *)name); - if (cp != end) - hash->update(ctx, end - cp, cp); + if (j != 0) + hash->update(ctx, j, rrbuf); } hash->digest(ctx, hash->digest_size, digest); @@ -2264,7 +2307,7 @@ p = (unsigned char *)(header+1); - p = do_rfc1035_name(p, name); + p = do_rfc1035_name(p, name, NULL); *p++ = 0; PUTSHORT(type, p); PUTSHORT(class, p); 
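Review bot: `#define RRBUFLEN 300` sits in the middle of a function body and is never `#undef`'d; an `enum { RRBUFLEN = 300 };` or a file-scope define beside the other constants would be the usual form. The two-pass scheme (count into `j`, then re-walk in `RRBUFLEN` chunks when `j >= RRBUFLEN`) depends on `get_rdata()` yielding exactly the same byte sequence both times, which holds because it is a pure function of the packet, but the comment should say the first pass exists only because the canonical RDLENGTH must be digested before the RDATA (RFC 4034). The stores into `rrbuf[j]` are correctly bounded by `j < RRBUFLEN` in the first pass and by the reset at `RRBUFLEN - 1` in the second.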
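Review bot: `do_rfc1035_name(p, name, NULL)` opts out of the new `limit` parameter for the very write the parameter was added to bound. The enclosing function lies outside the hunk, but its forward.c caller in this series passes `((char *) header) + daemon->packet_buff_sz` as the second argument, so if that end pointer is in scope here it should be passed instead of `NULL`; if `NULL` is a deliberate "no limit" value, a comment at the call saying why the bound is unnecessary would stop the next reader from flagging it.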
@@ -2510,35 +2553,4 @@ return plen; } -unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) -{ - int q; - unsigned int len; - unsigned char *p = (unsigned char *)(header+1); - const struct nettle_hash *hash; - void *ctx; - unsigned char *digest; - - if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest)) - return NULL; - - for (q = ntohs(header->qdcount); q != 0; q--) - { - if (!extract_name(header, plen, &p, name, 1, 4)) - break; /* bad packet */ - - len = to_wire(name); - hash->update(ctx, len, (unsigned char *)name); - /* CRC the class and type as well */ - hash->update(ctx, 4, p); - - p += 4; - if (!CHECK_LEN(header, p, plen, 0)) - break; /* bad packet */ - } - - hash->digest(ctx, hash->digest_size, digest); - return digest; -} - #endif /* HAVE_DNSSEC */ --- dnsmasq-2.75.orig/src/forward.c +++ dnsmasq-2.75/src/forward.c @@ -16,10 +16,9 @@ #include "dnsmasq.h" -static struct frec *lookup_frec(unsigned short id, void *hash); -static struct frec *lookup_frec_by_sender(unsigned short id, - union mysockaddr *addr, - void *hash); +static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); +static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); + static unsigned short get_id(void); static void free_frec(struct frec *f); 
@@ -245,22 +244,74 @@ int type = 0, norebind = 0; struct all_addr *addrp = NULL; unsigned int flags = 0; + unsigned int fwd_flags = 0; struct server *start = NULL; -#ifdef HAVE_DNSSEC void *hash = hash_questions(header, plen, daemon->namebuff); -#else - unsigned int crc = questions_crc(header, plen, daemon->namebuff); - void *hash = &crc; -#endif unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL); unsigned char *pheader; (void)do_bit; - /* may be no servers available. */ - if (!daemon->servers) - forward = NULL; - else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) + + if (header->hb4 & HB4_CD) + fwd_flags |= FREC_CHECKING_DISABLED; + if (ad_reqd) + fwd_flags |= FREC_AD_QUESTION; + if (oph) + fwd_flags |= FREC_HAS_PHEADER; +#ifdef HAVE_DNSSEC + if (do_bit) + fwd_flags |= FREC_DO_QUESTION; +#endif + + /* Check for retry on existing query */ + if (!forward && (forward = lookup_frec_by_query(hash, fwd_flags))) + { + struct frec_src *src; + + for (src = &forward->frec_src; src; src = src->next) + if (src->orig_id == ntohs(header->id) && + sockaddr_isequal(&src->source, udpaddr)) + break; + + /* Existing query, but from new source, just add this + client to the list that will get the reply. + + Note that is the EDNS client subnet option is in use, we can't do this, + as the clients (and therefore query EDNS options) will be different + for each query. The EDNS subnet code has checks to avoid + attacks in this case. */ + if (!option_bool(OPT_CLIENT_SUBNET) && (!src)) + { + /* Note whine_malloc() zeros memory. */ + if (!daemon->free_frec_src && + daemon->frec_src_count < daemon->ftabsize && + (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) + { + daemon->frec_src_count++; + daemon->free_frec_src->next = NULL; + } + + /* If we've been spammed with many duplicates, just drop the query. 
*/ + if (!daemon->free_frec_src) + return 0; + + src = daemon->free_frec_src; + daemon->free_frec_src = src->next; + src->next = forward->frec_src.next; + forward->frec_src.next = src; + src->orig_id = ntohs(header->id); + src->source = *udpaddr; + src->dest = *dst_addr; + src->log_id = daemon->log_id; + src->iface = dst_iface; + src->fd = udpfd; + } + } + + /* retry existing query */ + if (forward) { /* If we didn't get an answer advertising a maximal packet in EDNS, fall back to 1280, which should work everywhere on IPv6. @@ -330,24 +381,28 @@ } else { + /* new query */ + if (gotname) flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); - if (!flags && !(forward = get_new_frec(now, NULL, 0))) - /* table full - server failure. */ - flags = F_NEG; + /* may be no servers available. */ + if (daemon->servers && !flags) + forward = get_new_frec(now, NULL, 0); + /* table full - flags == 0, return REFUSED */ if (forward) { - forward->source = *udpaddr; - forward->dest = *dst_addr; - forward->iface = dst_iface; - forward->orig_id = ntohs(header->id); + forward->frec_src.source = *udpaddr; + forward->frec_src.orig_id = ntohs(header->id); + forward->frec_src.dest = *dst_addr; + forward->frec_src.iface = dst_iface; + forward->frec_src.next = NULL; + forward->frec_src.fd = udpfd; forward->new_id = get_id(); - forward->fd = udpfd; memcpy(forward->hash, hash, HASH_SIZE); forward->forwardall = 0; - forward->flags = 0; + forward->flags = fwd_flags; if (norebind) forward->flags |= FREC_NOREBIND; if (header->hb4 & HB4_CD) 
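Review bot: The coalescing branch excludes only `OPT_CLIENT_SUBNET`, but `OPT_ADD_MAC` (applied further down via `add_mac(…, &forward->frec_src.source)`) also makes the forwarded query specific to the first client, so a second client whose identical question is attached through `frec_src` receives whatever the upstream produced for someone else's MAC option; if that is acceptable the comment should say so, otherwise extend the condition to `if (!option_bool(OPT_CLIENT_SUBNET) && !option_bool(OPT_ADD_MAC) && !src)`. Bounding the pool by `daemon->ftabsize` and dropping with `return 0` when it is exhausted is the right failure mode against duplicate floods, but a debug-level log line at the drop would make it diagnosable. In the "new query" hunk, `forward->flags = fwd_flags;` already carries `FREC_CHECKING_DISABLED`, so the following `if (header->hb4 & HB4_CD)` block (which presumably sets that same flag) is now redundant.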
@@ -400,14 +455,14 @@ int forwarded = 0; /* If a query is retried, use the log_id for the retry when logging the answer. */ - forward->log_id = daemon->log_id; + forward->frec_src.log_id = daemon->log_id; if (option_bool(OPT_ADD_MAC)) - plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); + plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->frec_src.source); if (option_bool(OPT_CLIENT_SUBNET)) { - size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); + size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->frec_src.source); if (new != plen) { plen = new; @@ -473,7 +528,7 @@ if (option_bool(OPT_CONNTRACK)) { unsigned int mark; - if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) + if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); } #endif @@ -523,7 +578,7 @@ return 1; /* could not send on, prepare to return */ - header->id = htons(forward->orig_id); + header->id = htons(forward->frec_src.orig_id); free_frec(forward); /* cancel */ } @@ -704,9 +759,6 @@ size_t nn; struct server *server; void *hash; -#ifndef HAVE_DNSSEC - unsigned int crc; -#endif /* packet buffer overwritten */ daemon->srv_save = NULL; 
@@ -732,20 +784,15 @@ if (!server) return; -#ifdef HAVE_DNSSEC hash = hash_questions(header, n, daemon->namebuff); -#else - hash = &crc; - crc = questions_crc(header, n, daemon->namebuff); -#endif - if (!(forward = lookup_frec(ntohs(header->id), hash))) + if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) return; /* log_query gets called indirectly all over the place, so pass these in global variables - sorry. */ - daemon->log_display_id = forward->log_id; - daemon->log_source_addr = &forward->source; + daemon->log_display_id = forward->frec_src.log_id; + daemon->log_source_addr = &forward->frec_src.source; if (daemon->ignore_addr && RCODE(header) == NOERROR && check_for_ignored_address(header, n, daemon->ignore_addr)) @@ -810,7 +857,8 @@ we get a good reply from another server. Kill it when we've had replies from all to avoid filling the forwarding table when everything is broken */ - if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL) + if (forward->forwardall == 0 || --forward->forwardall == 1 || + (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL)) { int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; @@ -916,6 +964,7 @@ #ifdef HAVE_IPV6 new->rfd6 = NULL; #endif + new->frec_src.next = NULL; new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN); new->dependent = forward; /* to find query awaiting new one. */ @@ -936,8 +985,7 @@ nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); } - if ((hash = hash_questions(header, nn, daemon->namebuff))) - memcpy(new->hash, hash, HASH_SIZE); + memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); new->new_id = get_id(); header->id = htons(new->new_id); /* Save query for retransmission */ 
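Review bot: `memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE)` drops the NULL check the old code had; the removed dnssec.c `hash_questions()` returned NULL when `hash_find()`/`hash_init()` failed, and its replacement in hash_questions.c is outside this chunk, so this line (and the same pattern in the TCP hunks: `memcpy(hash, hash_questions(…), HASH_SIZE)` and `memcmp(hash, hash_questions(…), HASH_SIZE)`) is only safe if the new implementation never returns NULL. Either document that guarantee at the prototype in dnsmasq.h or keep a NULL check at these call sites.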
@@ -1094,13 +1142,30 @@ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, - forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) + forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) { - header->id = htons(forward->orig_id); + struct frec_src *src; + + header->id = htons(forward->frec_src.orig_id); header->hb4 |= HB4_RA; /* recursion if available */ - send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, - &forward->source, &forward->dest, forward->iface); + + for (src = &forward->frec_src; src; src = src->next) + { + header->id = htons(src->orig_id); + + + send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, + &src->source, &src->dest, src->iface); + + if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) + { + daemon->log_display_id = src->log_id; + daemon->log_source_addr = &src->source; + log_query(F_UPSTREAM, "query", NULL, "duplicate"); + } + } } + free_frec(forward); /* cancel */ } } @@ -1964,15 +2029,9 @@ if (!flags && last_server) { struct server *firstsendto = NULL; -#ifdef HAVE_DNSSEC - unsigned char *newhash, hash[HASH_SIZE]; - if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) - memcpy(hash, newhash, HASH_SIZE); - else - memset(hash, 0, HASH_SIZE); -#else - unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); -#endif + unsigned char hash[HASH_SIZE]; + memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE); + /* Loop round available servers until we succeed in connecting to one. Note that this code subtley ensures that consecutive queries on this connection which can go to the same server, do so. */ 
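Review bot: `header->id = htons(forward->frec_src.orig_id);` before the loop is overwritten on the loop's first iteration by `header->id = htons(src->orig_id);`, so that line (and the two blank lines inside the loop body) can go. For duplicates the loop also leaves `daemon->log_display_id` and `daemon->log_source_addr` pointing at the last `frec_src`, which `free_frec(forward)` then hands back to the freelist, so anything that logs after this block may attribute to a recycled source; restoring the two globals after the loop, or logging before `send_from`, avoids that. The function enclosing this hunk starts and ends outside it.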
@@ -2123,20 +2182,11 @@ /* If the crc of the question section doesn't match the crc we sent, then someone might be attempting to insert bogus values into the cache by sending replies containing questions and bogus answers. */ -#ifdef HAVE_DNSSEC - newhash = hash_questions(header, (unsigned int)m, daemon->namebuff); - if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0) + if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) { m = 0; break; } -#else - if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff)) - { - m = 0; - break; - } -#endif m = process_reply(header, now, last_server, (unsigned int)m, option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, @@ -2231,6 +2281,17 @@ static void free_frec(struct frec *f) { + struct frec_src *last; + + /* add back to freelist if not the record builtin to every frec. */ + for (last = f->frec_src.next; last && last->next; last = last->next) ; + if (last) + { + last->next = daemon->free_frec_src; + daemon->free_frec_src = f->frec_src.next; + } + + f->frec_src.next = NULL; free_rfd(f->rfd4); f->rfd4 = NULL; f->sentto = NULL; 
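Review bot: The comment above the new check still talks about "the crc of the question section" and "the crc we sent", but the code now compares SHA-256 digests from `hash_questions()`; the stale wording matters because the point of the change is that the 32-bit CRC was too weak for this anti-poisoning test. Reword the opening to `/* If the hash of the question section doesn't match the hash we sent, ...`. The enclosing loop in tcp_request starts before and ends after this hunk.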
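Review bot: The empty-bodied `for (last = f->frec_src.next; last && last->next; last = last->next) ;` walks to the tail of the extra-source chain so the whole chain can be spliced onto `daemon->free_frec_src` in one step; with the `;` on the same line it is easy to misread the following `if (last)` as the loop body. Put the empty statement on its own line with a comment, `; /* find the tail of the chain */`, and fix "builtin" to "built in" in the comment above it. The rest of free_frec is outside the hunk.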
@@ -2341,34 +2402,48 @@
 }
 /* crc is all-ones if not known. */
-static struct frec *lookup_frec(unsigned short id, void *hash)
+static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
 {
 struct frec *f;
 for(f = daemon->frec_list; f; f = f->next)
 if (f->sentto && f->new_id == id &&
- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
- return f;
+ (memcmp(hash, f->hash, HASH_SIZE) == 0))
+ {
+ /* sent from random port */
+ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
+ return f;
+
+ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
+ return f;
+
+ /* sent to upstream from bound socket. */
+ if (f->sentto->sfd && f->sentto->sfd->fd == fd)
+ return f;
+ }
 return NULL;
 }
-static struct frec *lookup_frec_by_sender(unsigned short id,
- union mysockaddr *addr,
- void *hash)
+static struct frec *lookup_frec_by_query(void *hash, unsigned int flags)
 {
 struct frec *f;
+
+ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below
+ ensures that no frec created for internal DNSSEC query can be returned here. */
+
+#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \
+ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY)
 for(f = daemon->frec_list; f; f = f->next)
 if (f->sentto &&
- f->orig_id == id &&
- memcmp(hash, f->hash, HASH_SIZE) == 0 &&
- sockaddr_isequal(&f->source, addr))
+ (f->flags & FLAGMASK) == flags &&
+ memcmp(hash, f->hash, HASH_SIZE) == 0)
 return f;
-
+
 return NULL;
 }
-
+
 /* Send query packet again, if we can. */
 void resend_query()
 {
@@ -2409,12 +2484,20 @@
 static unsigned short get_id(void)
 {
 unsigned short ret = 0;
+ struct frec *f;
- do
- ret = rand16();
- while (lookup_frec(ret, NULL));
-
- return ret;
+ while (1)
+ {
+ ret = rand16();
+
+ /* ensure id is unique. */
+ for (f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == ret)
+ break;
+
+ if (!f)
+ return ret;
+ }
 }
--- dnsmasq-2.75.orig/src/hash_questions.c
+++ dnsmasq-2.75/src/hash_questions.c
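Review bot: The comment `/* crc is all-ones if not known. */` above `lookup_frec` is now wrong on both counts: the CRC is gone, and the `!hash ||` short-circuit that let callers omit the hash was removed, so a hash is always required. Replace it with a comment stating the new matching rule, which is the security-relevant part of this hunk: a reply is matched to an outstanding query only if the id, the question hash and the socket it arrives on (the per-query `rfd4`/`rfd6` random-port socket, or the server's bound `sfd`) all agree, so a reply on any other fd is ignored. The `FLAGMASK` macro defined inside `lookup_frec_by_query` is never `#undef`'d and so leaks into the rest of the file; add `#undef FLAGMASK` after the loop or hoist the define to file scope.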
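Review bot: `get_id` now loops until `rand16()` yields an id held by no in-flight frec with no bound on attempts, which is only guaranteed to terminate while the number of outstanding frecs stays well below 65536; nothing in the hunk establishes that bound (the frec allocation limit lives elsewhere). Make the assumption explicit next to `while (1)`: `/* terminates only because outstanding frecs are bounded far below 2^16 */`.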
@@ -0,0 +1,281 @@ +/* Copyright (c) 2012-2020 Simon Kelley + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or + (at your option) version 3 dated 29 June, 2007. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +/* Hash the question section. This is used to safely detect query + retransmission and to detect answers to questions we didn't ask, which + might be poisoning attacks. Note that we decode the name rather + than CRC the raw bytes, since replies might be compressed differently. + We ignore case in the names for the same reason. + + The hash used is SHA-256. If we're building with DNSSEC support, + we use the Nettle cypto library. If not, we prefer not to + add a dependency on Nettle, and use a stand-alone implementaion. +*/ + +#include "dnsmasq.h" + +#ifdef HAVE_DNSSEC +unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) +{ + int q; + unsigned char *p = (unsigned char *)(header+1); + const struct nettle_hash *hash; + void *ctx; + unsigned char *digest; + + if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest)) + { + /* don't think this can ever happen. 
*/ + static unsigned char dummy[HASH_SIZE]; + static int warned = 0; + + if (warned) + my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object")); + warned = 1; + + return dummy; + } + + for (q = ntohs(header->qdcount); q != 0; q--) + { + char *cp, c; + + if (!extract_name(header, plen, &p, name, 1, 4)) + break; /* bad packet */ + + for (cp = name; (c = *cp); cp++) + if (c >= 'A' && c <= 'Z') + *cp += 'a' - 'A'; + + hash->update(ctx, cp - name, (unsigned char *)name); + /* CRC the class and type as well */ + hash->update(ctx, 4, p); + + p += 4; + if (!CHECK_LEN(header, p, plen, 0)) + break; /* bad packet */ + } + + hash->digest(ctx, hash->digest_size, digest); + return digest; +} + +#else /* HAVE_DNSSEC */ + +#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest +typedef unsigned char BYTE; // 8-bit byte +typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines + +typedef struct { + BYTE data[64]; + WORD datalen; + unsigned long long bitlen; + WORD state[8]; +} SHA256_CTX; + +static void sha256_init(SHA256_CTX *ctx); +static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); +static void sha256_final(SHA256_CTX *ctx, BYTE hash[]); + + +unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) +{ + int q; + unsigned char *p = (unsigned char *)(header+1); + SHA256_CTX ctx; + static BYTE digest[SHA256_BLOCK_SIZE]; + + sha256_init(&ctx); + + for (q = ntohs(header->qdcount); q != 0; q--) + { + char *cp, c; + + if (!extract_name(header, plen, &p, name, 1, 4)) + break; /* bad packet */ + + for (cp = name; (c = *cp); cp++) + if (c >= 'A' && c <= 'Z') + *cp += 'a' - 'A'; + + sha256_update(&ctx, (BYTE *)name, cp - name); + /* CRC the class and type as well */ + sha256_update(&ctx, (BYTE *)p, 4); + + p += 4; + if (!CHECK_LEN(header, p, plen, 0)) + break; /* bad packet */ + } + + sha256_final(&ctx, digest); + return (unsigned char *)digest; +} + +/* Code from here onwards comes from 
https://github.com/B-Con/crypto-algorithms + and was written by Brad Conte (brad@bradconte.com), to whom all credit is given. + + This code is in the public domain, and the copyright notice at the head of this + file does not apply to it. +*/ + + +/****************************** MACROS ******************************/ +#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) +#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) + +#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) +#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) +#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) +#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) +#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) + +/**************************** VARIABLES *****************************/ +static const WORD k[64] = { + 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, + 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, + 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, + 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, + 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, + 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, + 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, + 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +}; + +/*********************** FUNCTION DEFINITIONS ***********************/ +static void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) +{ + WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; + + for (i = 0, j = 0; i < 16; ++i, j += 4) + m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]); + for ( ; i < 64; ++i) + m[i] = 
SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; + + a = ctx->state[0]; + b = ctx->state[1]; + c = ctx->state[2]; + d = ctx->state[3]; + e = ctx->state[4]; + f = ctx->state[5]; + g = ctx->state[6]; + h = ctx->state[7]; + + for (i = 0; i < 64; ++i) + { + t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; + t2 = EP0(a) + MAJ(a,b,c); + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + + ctx->state[0] += a; + ctx->state[1] += b; + ctx->state[2] += c; + ctx->state[3] += d; + ctx->state[4] += e; + ctx->state[5] += f; + ctx->state[6] += g; + ctx->state[7] += h; +} + +static void sha256_init(SHA256_CTX *ctx) +{ + ctx->datalen = 0; + ctx->bitlen = 0; + ctx->state[0] = 0x6a09e667; + ctx->state[1] = 0xbb67ae85; + ctx->state[2] = 0x3c6ef372; + ctx->state[3] = 0xa54ff53a; + ctx->state[4] = 0x510e527f; + ctx->state[5] = 0x9b05688c; + ctx->state[6] = 0x1f83d9ab; + ctx->state[7] = 0x5be0cd19; +} + +static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) +{ + WORD i; + + for (i = 0; i < len; ++i) + { + ctx->data[ctx->datalen] = data[i]; + ctx->datalen++; + if (ctx->datalen == 64) { + sha256_transform(ctx, ctx->data); + ctx->bitlen += 512; + ctx->datalen = 0; + } + } +} + +static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) +{ + WORD i; + + i = ctx->datalen; + + // Pad whatever data is left in the buffer. + if (ctx->datalen < 56) + { + ctx->data[i++] = 0x80; + while (i < 56) + ctx->data[i++] = 0x00; + } + else + { + ctx->data[i++] = 0x80; + while (i < 64) + ctx->data[i++] = 0x00; + sha256_transform(ctx, ctx->data); + memset(ctx->data, 0, 56); + } + + // Append to the padding the total message's length in bits and transform. 
+ ctx->bitlen += ctx->datalen * 8; + ctx->data[63] = ctx->bitlen; + ctx->data[62] = ctx->bitlen >> 8; + ctx->data[61] = ctx->bitlen >> 16; + ctx->data[60] = ctx->bitlen >> 24; + ctx->data[59] = ctx->bitlen >> 32; + ctx->data[58] = ctx->bitlen >> 40; + ctx->data[57] = ctx->bitlen >> 48; + ctx->data[56] = ctx->bitlen >> 56; + sha256_transform(ctx, ctx->data); + + // Since this implementation uses little endian byte ordering and SHA uses big endian, + // reverse all the bytes when copying the final state to the output hash. + for (i = 0; i < 4; ++i) + { + hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; + hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; + hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; + hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; + hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; + hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; + hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; + hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; + } +} + +#endif --- dnsmasq-2.75.orig/src/helper.c +++ dnsmasq-2.75/src/helper.c @@ -82,7 +82,8 @@ pid_t pid; int i, pipefd[2]; struct sigaction sigact; - + unsigned char *alloc_buff = NULL; + /* create the pipe through which the main program sends us commands, then fork our process. */ if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1) 
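Review bot: In the Nettle path the `warned` logic is inverted — `if (warned) my_syslog(...); warned = 1;` stays silent on the first failure and then logs on every later call, the opposite of the once-only intent; it should read `if (!warned)`. When that branch is taken the function returns the all-zero `dummy` digest, so every question hashes identically and `lookup_frec`'s question check silently degrades to id-plus-socket matching; the comment says this cannot happen, but callers have no way to notice if it does, so at least the log line should fire. Both variants return a pointer to static storage (`static BYTE digest[...]` in the stand-alone build), which the header comment should state: `/* Returns a pointer to a static buffer, overwritten by the next call - copy it if it must survive. */`.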
@@ -187,10 +188,15 @@ struct script_data data; char *p, *action_str, *hostname = NULL, *domain = NULL; unsigned char *buf = (unsigned char *)daemon->namebuff; - unsigned char *end, *extradata, *alloc_buff = NULL; + unsigned char *end, *extradata; int is6, err = 0; - free(alloc_buff); + /* Free rarely-allocated memory from previous iteration. */ + if (alloc_buff) + { + free(alloc_buff); + alloc_buff = NULL; + } /* we read zero bytes when pipe closed: this is our signal to exit */ if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1)) --- dnsmasq-2.75.orig/src/network.c +++ dnsmasq-2.75/src/network.c @@ -1191,6 +1191,7 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname) { struct serverfd *sfd; + unsigned int ifindex = 0; int errsave; /* when using random ports, servers which would otherwise use @@ -1211,11 +1212,15 @@ return NULL; #endif } + + if (intname && strlen(intname) != 0) + ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */ /* may have a suitable one already */ for (sfd = daemon->sfds; sfd; sfd = sfd->next ) if (sockaddr_isequal(&sfd->source_addr, addr) && - strcmp(intname, sfd->interface) == 0) + strcmp(intname, sfd->interface) == 0 && + ifindex == sfd->ifindex) return sfd; /* need to make a new one. */ @@ -1237,11 +1242,13 @@ errno = errsave; return NULL; } - + strcpy(sfd->interface, intname); sfd->source_addr = *addr; sfd->next = daemon->sfds; + sfd->ifindex = ifindex; daemon->sfds = sfd; + return sfd; } @@ -1417,12 +1424,16 @@ { struct irec *iface; struct server *serv; + struct serverfd *sfd, *tmp, **up; int port = 0; /* interface may be new since startup */ if (!option_bool(OPT_NOWILD)) enumerate_interfaces(0); + for (sfd = daemon->sfds; sfd; sfd = sfd->next) + sfd->used = 0; + for (serv = daemon->servers; serv; serv = serv->next) { if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND))) 
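Review bot: The `if (alloc_buff) { free(alloc_buff); alloc_buff = NULL; }` guard is redundant, since `free(NULL)` is a no-op, and the unconditional form is the usual idiom: `free(alloc_buff); alloc_buff = NULL;`. The change that matters — a buffer allocated in one iteration is freed at the top of the next instead of being leaked — depends on `alloc_buff` now being the variable declared before the fork rather than a fresh local per iteration, which the earlier hunk appears to do. The loop body continues outside the hunk.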
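Review bot: `if_nametoindex()` returns 0 on failure (for example when the named interface does not exist yet) and the hunk then treats that exactly like "not binding to an interface", so a misspelt or not-yet-present interface name is indistinguishable here from an unbound socket. Because the fd is cached under `(addr, intname, ifindex)` the lookup will not wrongly reuse it, but the condition deserves a log line: `if (intname && *intname && !(ifindex = if_nametoindex(intname))) my_syslog(LOG_WARNING, _("interface %s not found"), intname);`. The bind logic of allocate_sfd is outside the hunk.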
@@ -1458,6 +1469,9 @@ serv->flags |= SERV_MARK; continue; } + + if (serv->sfd) + serv->sfd->used = 1; } if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS)) @@ -1490,6 +1504,20 @@ } } + /* Remove unused sfds */ + for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp) + { + tmp = sfd->next; + if (!sfd->used) + { + *up = sfd->next; + close(sfd->fd); + free(sfd); + } + else + up = &sfd->next; + } + cleanup_servers(); } --- dnsmasq-2.75.orig/src/option.c +++ dnsmasq-2.75/src/option.c @@ -1348,7 +1348,7 @@ } p = newp; - end = do_rfc1035_name(p + len, dom); + end = do_rfc1035_name(p + len, dom, NULL); *end++ = 0; len = end - p; free(dom); --- dnsmasq-2.75.orig/src/radv.c +++ dnsmasq-2.75/src/radv.c @@ -197,6 +197,9 @@ /* look for link-layer address option for logging */ if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz) { + if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) { + return; + } print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2); mac = daemon->namebuff; } --- dnsmasq-2.75.orig/src/rfc1035.c +++ dnsmasq-2.75/src/rfc1035.c @@ -37,7 +37,7 @@ /* end marker */ { /* check that there are the correct no of bytes after the name */ - if (!CHECK_LEN(header, p, plen, extrabytes)) + if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes)) return 0; if (isExtract) 
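Review bot: The unused-sfd sweep closes and frees sockets before `cleanup_servers()` runs, and a server marked `SERV_MARK` takes the `continue` before `serv->sfd->used = 1`, so between `free(sfd)` and `cleanup_servers()` that server's `sfd` pointer dangles; nothing in the hunk dereferences it in that window, but the ordering is fragile, and moving the sweep after `cleanup_servers()` (which presumably drops the marked servers) removes the window. Note also that `lookup_frec` now matches replies by the fd they arrive on, so closing an sfd silently abandons any query still in flight on it; acceptable on a server-list change, but say so at the sweep: `/* closing an sfd abandons replies to queries still in flight on it */`.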
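Review bot: The new guard derives the MAC length as `packet[9] * 8 - 2`, but `packet[9] == 0` still passes the surrounding `(packet[9] * 8) + 8 <= sz` test and yields a length of -2: `(-2 * 3) - 1 >= MAXDNAME` is false, so `print_mac` is called with a negative length, which is a no-op if its parameter is `int` but a huge count if it is unsigned (the prototype is not in the hunk). A zero-length ND option is malformed anyway, so reject it up front: `if (packet[9] == 0 || (packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) return;`. The brace-on-the-same-line layout also differs from the GNU style used elsewhere in this diff.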
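Review bot: The one-line change is correct but not self-explanatory: once a compression pointer has been followed, `p` points into the jump target, while the `extrabytes` that must follow the name sit after the pointer in the original stream, i.e. after `p1`; checking against `p` let a compressed name near the end of the packet pass the length check and read past `plen`. Add above the check: `/* p1 != NULL means a compression pointer was followed; the bytes after the name follow the pointer, not its target, so bound-check against p1. */`. extract_name starts and ends outside the hunk, and the assignment of `p1` is not visible here.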
@@ -335,55 +335,6 @@ return ansp; } -/* CRC the question section. This is used to safely detect query - retransmision and to detect answers to questions we didn't ask, which - might be poisoning attacks. Note that we decode the name rather - than CRC the raw bytes, since replies might be compressed differently. - We ignore case in the names for the same reason. Return all-ones - if there is not question section. */ -#ifndef HAVE_DNSSEC -unsigned int questions_crc(struct dns_header *header, size_t plen, char *name) -{ - int q; - unsigned int crc = 0xffffffff; - unsigned char *p1, *p = (unsigned char *)(header+1); - - for (q = ntohs(header->qdcount); q != 0; q--) - { - if (!extract_name(header, plen, &p, name, 1, 4)) - return crc; /* bad packet */ - - for (p1 = (unsigned char *)name; *p1; p1++) - { - int i = 8; - char c = *p1; - - if (c >= 'A' && c <= 'Z') - c += 'a' - 'A'; - - crc ^= c << 24; - while (i--) - crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; - } - - /* CRC the class and type as well */ - for (p1 = p; p1 < p+4; p1++) - { - int i = 8; - crc ^= *p1 << 24; - while (i--) - crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; - } - - p += 4; - if (!CHECK_LEN(header, p, plen, 0)) - return crc; /* bad packet */ - } - - return crc; -} -#endif - size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen) { unsigned char *ansp = skip_questions(header, plen); @@ -794,6 +745,8 @@ { unsigned int i, len = *p1; unsigned char *p2 = p1; + if ((p1 + len - p) >= rdlen) + return 0; /* bad packet */ /* make counted string zero-term and sanitise */ for (i = 0; i < len; i++) { 
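Review bot: `if ((p1 + len - p) >= rdlen) return 0;` bounds a counted string inside the RDATA but reads as a puzzle: `p1` is the length byte and the string occupies the `len` bytes after it, so the test rejects a string whose last byte would land at or beyond `p + rdlen`. Say that in a comment: `/* length byte at p1 plus len bytes of string must fit inside rdlen */`. The comparison is between a pointer difference and `rdlen`, whose type is outside the hunk; if `rdlen` is unsigned the left side is promoted, which is harmless only because it cannot be negative here. The enclosing loop begins outside the hunk.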
@@ -1205,9 +1158,7 @@ header->nscount = htons(0); header->arcount = htons(0); header->ancount = htons(0); /* no answers unless changed below */ - if (flags == F_NEG) - SET_RCODE(header, SERVFAIL); /* couldn't get memory */ - else if (flags == F_NOERR) + if (flags == F_NOERR) SET_RCODE(header, NOERROR); /* empty domain */ else if (flags == F_NXDOMAIN) SET_RCODE(header, NXDOMAIN); @@ -1362,6 +1313,7 @@ return 0; } + int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) { @@ -1371,29 +1323,47 @@ unsigned short usval; long lval; char *sval; +#define CHECK_LIMIT(size) \ + if (limit && p + (size) > (unsigned char*)limit) \ + { \ + va_end(ap); \ + goto truncated; \ + } if (truncp && *truncp) return 0; - + va_start(ap, format); /* make ap point to 1st unamed argument */ - + if (nameoffset > 0) { + CHECK_LIMIT(2); PUTSHORT(nameoffset | 0xc000, p); } else { char *name = va_arg(ap, char *); - if (name) - p = do_rfc1035_name(p, name); + if (name && !(p = do_rfc1035_name(p, name, limit))) + { + va_end(ap); + goto truncated; + } + if (nameoffset < 0) { + CHECK_LIMIT(2); PUTSHORT(-nameoffset | 0xc000, p); } else - *p++ = 0; + { + CHECK_LIMIT(1); + *p++ = 0; + } } + /* type (2) + class (2) + ttl (4) + rdlen (2) */ + CHECK_LIMIT(10); + PUTSHORT(type, p); PUTSHORT(class, p); PUTLONG(ttl, p); /* TTL */ @@ -1406,6 +1376,7 @@ { #ifdef HAVE_IPV6 case '6': + CHECK_LIMIT(IN6ADDRSZ); sval = va_arg(ap, char *); memcpy(p, sval, IN6ADDRSZ); p += IN6ADDRSZ; 
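Review bot: `CHECK_LIMIT` tests `p + (size) > (unsigned char*)limit`, and in the truncation case that forms a pointer past the end of the buffer before comparing; that is undefined behaviour in C which an optimiser may fold, and the well-defined form compares distances: `if (limit && (size_t)((unsigned char *)limit - p) < (size_t)(size))`. The macro is also a bare `if` statement, so a `CHECK_LIMIT(x); else` or a dangling-else next to it would bind unexpectedly; wrap the body in `do { ... } while (0)`. The rest of add_resource_record continues past the hunk.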
@@ -1413,36 +1384,47 @@ #endif case '4': + CHECK_LIMIT(INADDRSZ); sval = va_arg(ap, char *); memcpy(p, sval, INADDRSZ); p += INADDRSZ; break; case 'b': + CHECK_LIMIT(1); usval = va_arg(ap, int); *p++ = usval; break; case 's': + CHECK_LIMIT(2); usval = va_arg(ap, int); PUTSHORT(usval, p); break; case 'l': + CHECK_LIMIT(4); lval = va_arg(ap, long); PUTLONG(lval, p); break; case 'd': - /* get domain-name answer arg and store it in RDATA field */ - if (offset) - *offset = p - (unsigned char *)header; - p = do_rfc1035_name(p, va_arg(ap, char *)); - *p++ = 0; + /* get domain-name answer arg and store it in RDATA field */ + if (offset) + *offset = p - (unsigned char *)header; + p = do_rfc1035_name(p, va_arg(ap, char *), limit); + if (!p) + { + va_end(ap); + goto truncated; + } + CHECK_LIMIT(1); + *p++ = 0; break; case 't': usval = va_arg(ap, int); + CHECK_LIMIT(usval); sval = va_arg(ap, char *); if (usval != 0) memcpy(p, sval, usval); @@ -1454,20 +1436,24 @@ usval = sval ? strlen(sval) : 0; if (usval > 255) usval = 255; + CHECK_LIMIT(usval + 1); *p++ = (unsigned char)usval; memcpy(p, sval, usval); p += usval; break; } +#undef CHECK_LIMIT va_end(ap); /* clean up variable argument pointer */ j = p - sav - 2; - PUTSHORT(j, sav); /* Now, store real RDLength */ + /* this has already been checked against limit before */ + PUTSHORT(j, sav); /* Now, store real RDLength */ /* check for overflow of buffer */ if (limit && ((unsigned char *)limit - p) < 0) { +truncated: if (truncp) *truncp = 1; return 0; --- dnsmasq-2.75.orig/src/rfc2131.c +++ dnsmasq-2.75/src/rfc2131.c @@ -155,7 +155,7 @@ for (offset = 0; offset < (len - 5); offset += elen + 5) { elen = option_uint(opt, offset + 4 , 1); - if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA) + if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len) { unsigned char *x = option_ptr(opt, offset + 5); unsigned char *y = option_ptr(opt, offset + elen + 5); 
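Review bot: The `truncated:` label lands inside the body of the final `if (limit && ...)` block, so every `goto truncated` jumps into a compound statement; that is legal C here (no VLAs) but easy to misread as reachable only when that condition holds. Move the label to function scope after the normal return and make the pre-existing overflow test a plain `if (limit && ((unsigned char *)limit - p) < 0) goto truncated;`, so the truncation exit is in one obvious place. The tail of add_resource_record is outside the hunk.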
@@ -2352,10 +2352,10 @@ if (fqdn_flags & 0x04) { - p = do_rfc1035_name(p, hostname); + p = do_rfc1035_name(p, hostname, NULL); if (domain) { - p = do_rfc1035_name(p, domain); + p = do_rfc1035_name(p, domain, NULL); *p++ = 0; } } --- dnsmasq-2.75.orig/src/rfc3315.c +++ dnsmasq-2.75/src/rfc3315.c @@ -206,6 +206,9 @@ /* RFC-6939 */ if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) { + if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { + return 0; + } state->mac_type = opt6_uint(opt, 0, 2); state->mac_len = opt6_len(opt) - 2; memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); @@ -213,6 +216,9 @@ for (opt = opts; opt; opt = opt6_next(opt, end)) { + if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) { + return 0; + } int o = new_opt6(opt6_type(opt)); if (opt6_type(opt) == OPTION6_RELAY_MSG) { @@ -1472,10 +1478,10 @@ if ((p = expand(len + 2))) { *(p++) = state->fqdn_flags; - p = do_rfc1035_name(p, state->hostname); + p = do_rfc1035_name(p, state->hostname, NULL); if (state->send_domain) { - p = do_rfc1035_name(p, state->send_domain); + p = do_rfc1035_name(p, state->send_domain, NULL); *p = 0; } } --- dnsmasq-2.75.orig/src/util.c +++ dnsmasq-2.75/src/util.c @@ -218,15 +218,20 @@ return ret; } -unsigned char *do_rfc1035_name(unsigned char *p, char *sval) +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) { int j; while (sval && *sval) { + if (limit && p + 1 > (unsigned char*)limit) + return p; + unsigned char *cp = p++; for (j = 0; *sval && (*sval != '.'); sval++, j++) { + if (limit && p + 1 > (unsigned char*)limit) + return p; #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) *p++ = (*(++sval))-1; --- dnsmasq-2.75.orig/trust-anchors.conf +++ dnsmasq-2.75/trust-anchors.conf 
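Review bot: `if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) return 0;` rejects an option whose data ends exactly at `end`; if `end` is one past the last byte of the enclosing message (the usual convention, and where a relay-forward's last option normally ends), this drops well-formed packets, and only `>` expresses "data runs past the end": `if (opt6_ptr(opt, 0) + opt6_len(opt) > end) return 0;`. The definitions of `end` and `opt6_len` are outside the hunk, so confirm against them before changing the bound. The brace layout also differs from the surrounding GNU style.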
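Review bot: `do_rfc1035_name` signals that it hit `limit` by returning the current `p`, but its new callers in add_resource_record test `!(p = do_rfc1035_name(p, name, limit))` — that NULL check can never fire, and truncation is only caught because a `CHECK_LIMIT` follows each call with `p` already at `limit`. Either return `NULL` from both early-return sites so the callers' checks mean something, or document the actual contract above the function: `/* Returns p, never NULL; with a non-NULL limit it stops early and returns a p at or beyond limit - callers must re-check. */`. Note too that an early return from inside the label loop leaves the length byte at `cp` unwritten. The tail of the function is outside the hunk.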
@@ -1,9 +1,10 @@ -# The root DNSSEC trust anchor, valid as at 30/01/2014 +# The root DNSSEC trust anchor, valid as at 10/02/2017 # Note that this is a DS record (ie a hash of the root Zone Signing Key) # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
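Review bot: The file now trusts two root anchors — the 2010 KSK (tag 19036) alongside the 2017 KSK (tag 20326) — while the header still reads "valid as at 10/02/2017" and does not say which is current. Trusting both is exactly what a rollover needs while both keys are published, but once the old KSK has been revoked and withdrawn from the root zone, keeping 19036 configured means a compromise of that retired key would still validate, so its removal should be scheduled. Update the comment to make the intent explicit: `# Root DNSSEC trust anchors: KSK-2017 (tag 20326) is current; KSK-2010 (tag 19036) is kept only for the rollover period.`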