dnsmasq: fix dnssec timestamp logic, backport crashfix

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45410

package/network/services/dnsmasq/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.73rc4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates

package/network/services/dnsmasq/files/dnsmasq.init

@@ -15,6 +15,7 @@ ADD_LOCAL_HOSTNAME=1
 CONFIGFILE="/var/etc/dnsmasq.conf"
 HOSTFILE="/tmp/hosts/dhcp"
 TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
+TIMESTAMPFILE="/etc/dnsmasq.time"
 
 xappend() {
 	local value="$1"
@@ -205,7 +206,7 @@ dnsmasq() {
 	[ "$dnssec" -gt 0 ] && {
 		xappend "--conf-file=$TRUSTANCHORSFILE"
 		xappend "--dnssec"
-		xappend "--dnssec-timestamp=/etc/dnsmasq.time"
+		xappend "--dnssec-timestamp=$TIMESTAMPFILE"
 		append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned"
 	}
 
@@ -556,7 +557,7 @@ start_service() {
 
 	procd_add_jail dnsmasq ubus log
 	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts /etc/ethers
-	procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases /etc/dnsmasq.time
+	procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases $TIMESTAMPFILE
 	
 	procd_close_instance
 
@@ -566,9 +567,9 @@ start_service() {
 	mkdir -p /var/lib/misc
 	touch /tmp/dhcp.leases
 
-	if [ ! -f /etc/dnsmasq.time ]; then
-		touch -t 197001010000 /etc/dnsmasq.time
-		chmod 0777 /etc/dnsmasq.time
+	if [ ! -f "$TIMESTAMPFILE" ]; then
+		touch "$TIMESTAMPFILE"
+		chown nobody.nogroup "$TIMESTAMPFILE"
 	fi
 
 	echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE

package/network/services/dnsmasq/patches/001-fix-crash-in-auth-code.patch

@@ -0,0 +1,113 @@
+From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sun, 12 Apr 2015 21:52:47 +0100
+Subject: [PATCH] Fix crash in auth code with odd configuration.
+
+---
+ CHANGELOG  | 32 +++++++++++++++++++++-----------
+ src/auth.c | 13 ++++++++-----
+ 2 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9af6170..f2142c7 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -68,18 +68,31 @@ version 2.73
+ 	    Fix broken DNSSEC validation of ECDSA signatures.
+ 
+ 	    Add --dnssec-timestamp option, which provides an automatic
+-	    way to detect when the system time becomes valid after boot
+-	    on systems without an RTC, whilst allowing DNS queries before the
+-	    clock is valid so that NTP can run. Thanks to
+-	    Kevin Darbyshire-Bryant for developing this idea.
++	    way to detect when the system time becomes valid after 
++	    boot on systems without an RTC, whilst allowing DNS 
++	    queries before the clock is valid so that NTP can run. 
++	    Thanks to Kevin Darbyshire-Bryant for developing this idea.
+ 
+ 	    Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ 	    the patch.
+ 
+-	    Fix crash caused by looking up servers.bind, CHAOS text record,
+-	    when more than about five --servers= lines are in the dnsmasq
+-	    config. This causes memory corruption which causes a crash later.
+-	    Thanks to Matt Coddington for sterling work chasing this down.
++	    Fix crash caused by looking up servers.bind, CHAOS text 
++	    record, when more than about five --servers= lines are 
++	    in the dnsmasq config. This causes memory corruption 
++	    which causes a crash later. Thanks to Matt Coddington for 
++	    sterling work chasing this down.
++
++	    Fix crash on receipt of certain malformed DNS requests.
++	    Thanks to Nick Sampanis for spotting the problem.
++
++            Fix crash in authoritative DNS code, if a .arpa zone 
++	    is declared as authoritative, and then a PTR query which
++	    is not to be treated as authoritative arrived. Normally, 
++	    directly declaring .arpa zone as authoritative is not 
++	    done, so this crash wouldn't be seen. Instead the 
++	    relevant .arpa zone should be specified as a subnet
++	    in the auth-zone declaration. Thanks to Johnny S. Lee
++	    for the bugreport and initial patch.
+ 
+ 	
+ version 2.72
+@@ -125,10 +138,7 @@ version 2.72
+             Fix problem with --local-service option on big-endian platforms
+ 	    Thanks to Richard Genoud for the patch.
+ 
+-	    Fix crash on receipt of certain malformed DNS requests. Thanks
+-	    to Nick Sampanis for spotting the problem.
+ 	
+-
+ version 2.71
+             Subtle change to error handling to help DNSSEC validation 
+ 	    when servers fail to provide NODATA answers for 
+diff --git a/src/auth.c b/src/auth.c
+index 15721e5..4a5c39f 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ 	      for (zone = daemon->auth_zones; zone; zone = zone->next)
+ 		if ((subnet = find_subnet(zone, flag, &addr)))
+ 		  break;
+-	      
++			
+ 	      if (!zone)
+ 		{
+ 		  auth = 0;
+@@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ 	  
+ 	  if (intr)
+ 	    {
+-	      if (in_zone(zone, intr->name, NULL))
++	      if (local_query || in_zone(zone, intr->name, NULL))
+ 		{	
+ 		  found = 1;
+ 		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+@@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ 		    *p = 0; /* must be bare name */
+ 		  
+ 		  /* add  external domain */
+-		  strcat(name, ".");
+-		  strcat(name, zone->domain);
++		  if (zone)
++		    {
++		      strcat(name, ".");
++		      strcat(name, zone->domain);
++		    }
+ 		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+ 		  found = 1;
+ 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+@@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ 					  T_PTR, C_IN, "d", name))
+ 		    anscount++;
+ 		}
+-	      else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL))
++	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
+ 		{
+ 		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+ 		  found = 1;
+-- 
+2.1.4
+

package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch

@@ -0,0 +1,54 @@
+From 79e60e145f8a595bca5a784c00b437216d51de68 Mon Sep 17 00:00:00 2001
+From: Steven Barth <steven@midlink.org>
+Date: Mon, 13 Apr 2015 09:45:20 +0200
+Subject: [PATCH] dnssec: improve timestamp heuristic
+
+Signed-off-by: Steven Barth <steven@midlink.org>
+---
+ src/dnssec.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 05e0983..9c02548 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -408,17 +408,24 @@ static int back_to_the_future;
+ int setup_timestamp(void)
+ {
+   struct stat statbuf;
+-  
++  time_t now;
++  time_t base = 1420070400; /* 1-1-2015 */
++
+   back_to_the_future = 0;
+   
+   if (!daemon->timestamp_file)
+     return 0;
+-  
++
++  now = time(NULL);
++
++  if (!stat("/proc/self/exe", &statbuf) && difftime(statbuf.st_mtime, base) > 0)
++    base = statbuf.st_mtime;
++
+   if (stat(daemon->timestamp_file, &statbuf) != -1)
+     {
+       timestamp_time = statbuf.st_mtime;
+     check_and_exit:
+-      if (difftime(timestamp_time, time(0)) <=  0)
++      if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <=  0)
+ 	{
+ 	  /* time already OK, update timestamp, and do key checking from the start. */
+ 	  if (utime(daemon->timestamp_file, NULL) == -1)
+@@ -439,7 +446,7 @@ int setup_timestamp(void)
+ 
+ 	  close(fd);
+ 	  
+-	  timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
++	  timestamp_time = timbuf.actime = timbuf.modtime = base;
+ 	  if (utime(daemon->timestamp_file, &timbuf) == 0)
+ 	    goto check_and_exit;
+ 	}
+-- 
+2.1.4
+