From b6b626201479d9889c4b28a10b24c9fd9d944bba Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Thu, 17 Nov 2022 08:09:07 -0500 Subject: net-dns/djbdns: new revision with updated ipv6 patch. The new ipv6 patch corrects a logic error, but now also includes a bunch of other Makefile dependency fixes, obsoleting one of our own patches. One of the CVE patches has once again been manually rebased, and I dropped the "headtail" patch in favor of sed to avoid a new conditional patch. Signed-off-by: Michael Orlitzky --- net-dns/djbdns/Manifest | 2 +- net-dns/djbdns/djbdns-1.05-r36.ebuild | 127 -------- net-dns/djbdns/djbdns-1.05-r37.ebuild | 133 ++++++++ ...erge-similar-outgoing-queries-ipv6-test29.patch | 351 --------------------- ...erge-similar-outgoing-queries-ipv6-test32.patch | 351 +++++++++++++++++++++ 5 files changed, 485 insertions(+), 479 deletions(-) delete mode 100644 net-dns/djbdns/djbdns-1.05-r36.ebuild create mode 100644 net-dns/djbdns/djbdns-1.05-r37.ebuild delete mode 100644 net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch create mode 100644 net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch (limited to 'net-dns') diff --git a/net-dns/djbdns/Manifest b/net-dns/djbdns/Manifest index 7892a331568a..8ba71a5953bf 100644 --- a/net-dns/djbdns/Manifest +++ b/net-dns/djbdns/Manifest 
@@ -1,4 +1,4 @@
 DIST djbdns-1.05-man.tar.gz 17170 BLAKE2B 2fef7e1be8a427b2c426c2af58bf4c22795e64d03e0f605ca333e38f187ff65b333e88a7cea0e8a9ec867b446b5ca34a5c97dd24ae18b28ee4c747f2fd1f1608 SHA512 98af7bd9033a2205fbbc0f23b7eab45b9756f6ceff5199a62952e19c89c9fe3c03495cb6f8621d388f883c40650309a1509095417df3f54af21a71350c4aa183
 DIST djbdns-1.05-test28.diff.xz 22072 BLAKE2B fff6c13220adfa056a0ac5942ff9385d83b75f8622adaebab65f557a2ca8d014fe3c255fe55ba9afca56b24880b7cd28597b26b5bcc3bbbd3ef9f581b67004fd SHA512 7fbfeda10221a0a09897c2e744df5606c83113c394ce055d822b0d8733873d72567a88c37905d21c7d2395170fc12b9e9eb133a941aa809f1b9856872ab48230
-DIST djbdns-1.05-test29.diff.xz 28884 BLAKE2B cff7dd55d68eb33a7f8725898469f39b7a1109c7a081e00b0465d599e0ea462e888f510b98a37a31190dfadb2006c6ba2f42311e235e1d9456f745dd756035a9 SHA512 f3fda79813f0067aadc399b1b8af9b33b179ee212fee188119ad2e3d8fced3b31dbd4d2a83922a138da523bb6d6784c3d98105053f9267e7e4f41cf77b76ce88
+DIST djbdns-1.05-test32.diff.xz 31096 BLAKE2B 0bd6948ba3930f7d6e657f91ff76b1101fa7bb8f3da6849344c2230622fce6c15354e632a9140fefafee5986b522fb85c77c70ac64821d280043d1cd3564be2a SHA512 ed5ea46e3346841a8e8b6a77756c1dba53dab5636f73cf495bf1a182c393bef83d6035f6af26fb903baa75ee689db4abae222b6f85a7e245eb59f9c805163774
 DIST djbdns-1.05.tar.gz 85648 BLAKE2B 51918fcc8944e64e72709636ee7d56975a138a2806e22c019fa836770de3a338bb8f682216b89c09d6b2861c2423e60e28dc60639f5a86aca2040e1788e4cf5c SHA512 20f066402801d7bec183cb710a5bc51e41f1410024741e5803e26f68f2c13567e48eba793f233dfab903459c3335bc169e24b99d66a4c64e617e1f0779732fa9
diff --git a/net-dns/djbdns/djbdns-1.05-r36.ebuild b/net-dns/djbdns/djbdns-1.05-r36.ebuild
deleted file mode 100644
index 115ca72ded0b..000000000000
--- a/net-dns/djbdns/djbdns-1.05-r36.ebuild
+++ /dev/null
@@ -1,127 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 -inherit readme.gentoo-r1 toolchain-funcs - -DESCRIPTION="Collection of DNS client/server software" -HOMEPAGE="https://cr.yp.to/djbdns.html" -IPV6_PATCH="test29" - -SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz - http://smarden.org/pape/djb/manpages/${P}-man.tar.gz - ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )" - -SLOT="0" -LICENSE="public-domain" -KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86" -IUSE="ipv6 selinux" - -DEPEND="" -RDEPEND=" - acct-user/dnscache - acct-user/dnslog - acct-user/tinydns - sys-apps/ucspi-tcp - virtual/daemontools - selinux? ( sec-policy/selinux-djbdns )" - -src_unpack() { - # Unpack both djbdns and its man pages to separate directories. - default - - # Now move the man pages under ${S} so that user patches can be - # applied to them as well in src_prepare(). - mv "${PN}-man" "${P}/man" || die "failed to transplant man pages" -} - -PATCHES=( - "${FILESDIR}/headtail-r1.patch" - "${FILESDIR}/dnsroots.patch" - "${FILESDIR}/dnstracesort.patch" - "${FILESDIR}/string_length_255.patch" - "${FILESDIR}/srv_record_support.patch" - "${FILESDIR}/increase-cname-recustion-depth.patch" - "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch" - "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch" - "${FILESDIR}/AR-and-RANLIB-support.patch" -) - -src_prepare() { - if use ipv6; then - PATCHES=(${PATCHES[@]} - # The big ipv6 patch. 
- "${WORKDIR}/${P}-${IPV6_PATCH}.diff" - # Fix CVE2008-4392 (ipv6) - "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch" - "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch" - "${FILESDIR}/makefile-parallel-test25.patch" - ) - else - PATCHES=(${PATCHES[@]} - # Fix CVE2008-4392 (no ipv6) - "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" - "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch" - # Later versions of the ipv6 patch include this - "${FILESDIR}/${PV}-errno-r1.patch" - ) - fi - - default -} - -src_compile() { - echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die - echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die - echo "/usr" > conf-home || die - emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) -} - -src_install() { - insinto /etc - doins dnsroots.global - - into /usr - dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \ - *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \ - dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort - - if use ipv6; then - dobin dnsip6 dnsip6q - fi - - dodoc CHANGES README - - doman man/*.[158] - - readme.gentoo_create_doc -} - -DISABLE_AUTOFORMATTING=1 -DOC_CONTENTS=' -To configure djbdns, please follow the instructions at, - - http://cr.yp.to/djbdns.html - -Of particular interest are, - - axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html - dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html - tinydns : http://cr.yp.to/djbdns/run-server.html - -Portage has created users for axfrdns, dnscache, and tinydns; the -commands to configure these programs are, - - 1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip - 2. dnscache-conf dnscache dnslog /var/dnscache $ip - 3. tinydns-conf tinydns dnslog /var/tinydns $ip - -(replace $ip with the ip address on which the server will run). 
- -If you wish to configure rbldns or walldns, you will need to create -those users yourself (although you should still use the "dnslog" -user for the logs): - - 4. rbldns-conf $username dnslog /var/rbldns $ip $base - 5. walldns-conf $username dnslog /var/walldns $ip -' diff --git a/net-dns/djbdns/djbdns-1.05-r37.ebuild b/net-dns/djbdns/djbdns-1.05-r37.ebuild new file mode 100644 index 000000000000..95606086af30 --- /dev/null +++ b/net-dns/djbdns/djbdns-1.05-r37.ebuild 
@@ -0,0 +1,133 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +inherit readme.gentoo-r1 toolchain-funcs + +DESCRIPTION="Collection of DNS client/server software" +HOMEPAGE="https://cr.yp.to/djbdns.html" +IPV6_PATCH="test32" + +SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz + http://smarden.org/pape/djb/manpages/${P}-man.tar.gz + ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )" + +SLOT="0" +LICENSE="public-domain" +KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86" +IUSE="ipv6 selinux" + +DEPEND="" +RDEPEND=" + acct-user/dnscache + acct-user/dnslog + acct-user/tinydns + sys-apps/ucspi-tcp + virtual/daemontools + selinux? ( sec-policy/selinux-djbdns )" + +src_unpack() { + # Unpack both djbdns and its man pages to separate directories. + default + + # Now move the man pages under ${S} so that user patches can be + # applied to them as well in src_prepare(). + mv "${PN}-man" "${P}/man" || die "failed to transplant man pages" +} + +PATCHES=( + "${FILESDIR}/dnsroots.patch" + "${FILESDIR}/dnstracesort.patch" + "${FILESDIR}/string_length_255.patch" + "${FILESDIR}/srv_record_support.patch" + "${FILESDIR}/increase-cname-recustion-depth.patch" + "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch" + "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch" + "${FILESDIR}/AR-and-RANLIB-support.patch" +) + +src_prepare() { + if use ipv6; then + PATCHES=(${PATCHES[@]} + # The big ipv6 patch. 
+ "${WORKDIR}/${P}-${IPV6_PATCH}.diff" + # Fix CVE2008-4392 (ipv6) + "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch" + "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch" + ) + else + PATCHES=(${PATCHES[@]} + # Fix CVE2008-4392 (no ipv6) + "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" + "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch" + # Later versions of the ipv6 patch include this + "${FILESDIR}/${PV}-errno-r1.patch" + ) + fi + + default + + # Change "head -X" to the posix-compatible "head -nX" within the + # Makefile. We do this with sed instead of a patch because the ipv6 + # patch uses some of the surrounding lines; we'd need two versions + # of the patch. + sed -i Makefile \ + -e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \ + || die 'failed to sed head in the Makefile' +} + +src_compile() { + echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die + echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die + echo "/usr" > conf-home || die + emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) +} + +src_install() { + insinto /etc + doins dnsroots.global + + into /usr + dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \ + *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \ + dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort + + if use ipv6; then + dobin dnsip6 dnsip6q + fi + + dodoc CHANGES README + + doman man/*.[158] + + readme.gentoo_create_doc +} + +DISABLE_AUTOFORMATTING=1 +DOC_CONTENTS=' +To configure djbdns, please follow the instructions at, + + http://cr.yp.to/djbdns.html + +Of particular interest are, + + axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html + dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html + tinydns : http://cr.yp.to/djbdns/run-server.html + +Portage has created users for axfrdns, dnscache, and tinydns; the +commands to configure these programs are, + + 1. 
axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip + 2. dnscache-conf dnscache dnslog /var/dnscache $ip + 3. tinydns-conf tinydns dnslog /var/tinydns $ip + +(replace $ip with the ip address on which the server will run). + +If you wish to configure rbldns or walldns, you will need to create +those users yourself (although you should still use the "dnslog" +user for the logs): + + 4. rbldns-conf $username dnslog /var/rbldns $ip $base + 5. walldns-conf $username dnslog /var/walldns $ip +' diff --git a/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch b/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch deleted file mode 100644 index 866b3cc51317..000000000000 --- a/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch +++ /dev/null 
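Review bot: The `sed -i` at the end of src_prepare only dies when sed itself fails, so if the test32 ipv6 patch or a future tarball changes the `head -N` invocations such that the regex no longer matches, the non-POSIX form silently survives into the Makefile; a post-check such as `grep -q 'head[[:space:]]\{1,\}-[0-9]' Makefile && die 'unconverted head -N left in Makefile'` would turn that into a build failure instead of a runtime surprise. The array append `PATCHES=(${PATCHES[@]} …)` in both branches expands the existing entries unquoted, which word-splits on any path containing whitespace; the idiomatic and safe form is `PATCHES+=( … )`. The SRC_URI entries fetch over plain http:// although HOMEPAGE already reaches cr.yp.to over https; the Manifest BLAKE2B/SHA512 hashes still guard integrity, so switching the hosts that support it to https is a hardening nicety rather than a hole.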
@@ -1,351 +0,0 @@ -diff --git a/Makefile b/Makefile -index b89243a..626a829 100644 ---- a/Makefile -+++ b/Makefile -@@ -348,11 +348,11 @@ stralloc.h iopause.h taia.h tai.h uint64.h taia.h - ./compile dns_txt.c - - dnscache: \ --load dnscache.o droproot.o okclient.o log.o cache.o query.o \ -+load dnscache.o droproot.o okclient.o log.o cache.o query.o qmerge.o \ - response.o dd.o roots.o iopause.o prot.o dns.a env.a alloc.a buffer.a \ - libtai.a unix.a byte.a socket.lib - ./load dnscache droproot.o okclient.o log.o cache.o \ -- query.o response.o dd.o roots.o iopause.o prot.o dns.a \ -+ query.o qmerge.o response.o dd.o roots.o iopause.o prot.o dns.a \ - env.a alloc.a buffer.a libtai.a unix.a byte.a `cat \ - socket.lib` - -@@ -373,7 +373,7 @@ compile dnscache.c env.h exit.h scan.h strerr.h error.h ip4.h \ - uint16.h uint64.h socket.h uint16.h dns.h stralloc.h gen_alloc.h \ - iopause.h taia.h tai.h uint64.h taia.h taia.h byte.h roots.h fmt.h \ - iopause.h query.h dns.h uint32.h alloc.h response.h uint32.h cache.h \ --uint32.h uint64.h ndelay.h log.h uint64.h okclient.h droproot.h -+uint32.h uint64.h ndelay.h log.h uint64.h okclient.h droproot.h maxclient.h - ./compile dnscache.c - - dnsfilter: \ -@@ -751,11 +751,16 @@ qlog.o: \ - compile qlog.c buffer.h qlog.h uint16.h - ./compile qlog.c - -+qmerge.o: \ -+compile qmerge.c qmerge.h dns.h stralloc.h gen_alloc.h iopause.h \ -+taia.h tai.h uint64.h log.h maxclient.h -+ ./compile qmerge.c -+ - query.o: \ - compile query.c error.h roots.h log.h uint64.h case.h cache.h \ - uint32.h uint64.h byte.h dns.h stralloc.h gen_alloc.h iopause.h \ - taia.h tai.h uint64.h taia.h uint64.h uint32.h uint16.h dd.h alloc.h \ --response.h uint32.h query.h dns.h uint32.h -+response.h uint32.h query.h dns.h uint32.h qmerge.h - ./compile query.c - - random-ip: \ -diff --git a/dnscache.c b/dnscache.c -index d45f932..0c48ec1 100644 ---- a/dnscache.c -+++ b/dnscache.c -@@ -24,6 +24,7 @@ - #include "okclient.h" - #include "droproot.h" - #include 
"openreadclose.h" -+#include "maxclient.h" - - unsigned long interface; - -@@ -60,7 +61,6 @@ uint64 numqueries = 0; - - static int udp53; - --#define MAXUDP 200 - static struct udpclient { - struct query q; - struct taia start; -@@ -137,7 +137,6 @@ void u_new(void) - - static int tcp53; - --#define MAXTCP 20 - struct tcpclient { - struct query q; - struct taia start; -diff --git a/log.c b/log.c -index e697f91..2ccc345 100644 ---- a/log.c -+++ b/log.c -@@ -149,6 +149,13 @@ void log_tx(const char *q,const char qtype[2],const char *control,const unsigned - line(); - } - -+void log_tx_piggyback(const char *q, const char qtype[2], const char *control) -+{ -+ string("txpb "); -+ logtype(qtype); space(); name(q); space(); name(control); -+ line(); -+} -+ - void log_cachedanswer(const char *q,const char type[2]) - { - string("cached "); logtype(type); space(); -diff --git a/log.h b/log.h -index 68d698f..c112785 100644 ---- a/log.h -+++ b/log.h -@@ -18,6 +18,7 @@ extern void log_cachednxdomain(const char *); - extern void log_cachedns(const char *,const char *); - - extern void log_tx(const char *q,const char qtype[2],const char *control,const unsigned char servers[256],unsigned int gluelessness); -+extern void log_tx_piggyback(const char *,const char *,const char *); - - extern void log_nxdomain(const unsigned char server[16],const char *q,unsigned int ttl); - extern void log_nodata(const unsigned char server[16],const char *q,const char qtype[2],unsigned int ttl); -diff --git a/maxclient.h b/maxclient.h -new file mode 100644 -index 0000000..e52fcd1 ---- /dev/null -+++ b/maxclient.h -@@ -0,0 +1,7 @@ -+#ifndef MAXCLIENT_H -+#define MAXCLIENT_H -+ -+#define MAXUDP 200 -+#define MAXTCP 20 -+ -+#endif /* MAXCLIENT_H */ -diff --git a/qmerge.c b/qmerge.c -new file mode 100644 -index 0000000..7c92299 ---- /dev/null -+++ b/qmerge.c -@@ -0,0 +1,115 @@ -+#include "qmerge.h" -+#include "byte.h" -+#include "log.h" -+#include "maxclient.h" -+ -+#define QMERGE_MAX (MAXUDP+MAXTCP) 
-+struct qmerge inprogress[QMERGE_MAX]; -+ -+static -+int qmerge_key_init(struct qmerge_key *qmk, const char *q, const char qtype[2], -+ const char *control) -+{ -+ if (!dns_domain_copy(&qmk->q, q)) return 0; -+ byte_copy(qmk->qtype, 2, qtype); -+ if (!dns_domain_copy(&qmk->control, control)) return 0; -+ return 1; -+} -+ -+static -+int qmerge_key_equal(struct qmerge_key *a, struct qmerge_key *b) -+{ -+ return -+ byte_equal(a->qtype, 2, b->qtype) && -+ dns_domain_equal(a->q, b->q) && -+ dns_domain_equal(a->control, b->control); -+} -+ -+static -+void qmerge_key_free(struct qmerge_key *qmk) -+{ -+ dns_domain_free(&qmk->q); -+ dns_domain_free(&qmk->control); -+} -+ -+void qmerge_free(struct qmerge **x) -+{ -+ struct qmerge *qm; -+ -+ qm = *x; -+ *x = 0; -+ if (!qm || !qm->active) return; -+ -+ qm->active--; -+ if (!qm->active) { -+ qmerge_key_free(&qm->key); -+ dns_transmit_free(&qm->dt); -+ } -+} -+ -+int qmerge_start(struct qmerge **qm, const char servers[64], int flagrecursive, -+ const char *q, const char qtype[2], const char localip[4], -+ const char *control) -+{ -+ struct qmerge_key k; -+ int i; -+ int r; -+ -+ qmerge_free(qm); -+ -+ byte_zero(&k, sizeof k); -+ if (!qmerge_key_init(&k, q, qtype, control)) return -1; -+ for (i = 0; i < QMERGE_MAX; i++) { -+ if (!inprogress[i].active) continue; -+ if (!qmerge_key_equal(&k, &inprogress[i].key)) continue; -+ log_tx_piggyback(q, qtype, control); -+ inprogress[i].active++; -+ *qm = &inprogress[i]; -+ qmerge_key_free(&k); -+ return 0; -+ } -+ -+ for (i = 0; i < QMERGE_MAX; i++) -+ if (!inprogress[i].active) -+ break; -+ if (i == QMERGE_MAX) return -1; -+ -+ log_tx(q, qtype, control, servers, 0); -+ r = dns_transmit_start(&inprogress[i].dt, servers, flagrecursive, q, qtype, localip); -+ if (r == -1) { qmerge_key_free(&k); return -1; } -+ inprogress[i].active++; -+ inprogress[i].state = 0; -+ qmerge_key_free(&inprogress[i].key); -+ byte_copy(&inprogress[i].key, sizeof k, &k); -+ *qm = &inprogress[i]; -+ return 0; -+} 
-+ -+void qmerge_io(struct qmerge *qm, iopause_fd *io, struct taia *deadline) -+{ -+ if (qm->state == 0) { -+ dns_transmit_io(&qm->dt, io, deadline); -+ qm->state = 1; -+ } -+ else { -+ io->fd = -1; -+ io->events = 0; -+ } -+} -+ -+int qmerge_get(struct qmerge **x, const iopause_fd *io, const struct taia *when) -+{ -+ int r; -+ struct qmerge *qm; -+ -+ qm = *x; -+ if (qm->state == -1) return -1; /* previous error */ -+ if (qm->state == 0) return 0; /* no packet */ -+ if (qm->state == 2) return 1; /* already got packet */ -+ -+ r = dns_transmit_get(&qm->dt, io, when); -+ if (r == -1) { qm->state = -1; return -1; } /* error */ -+ if (r == 0) { qm->state = 0; return 0; } /* must wait for i/o */ -+ if (r == 1) { qm->state = 2; return 1; } /* got packet */ -+ return -1; /* bug */ -+} -diff --git a/qmerge.h b/qmerge.h -new file mode 100644 -index 0000000..9a58157 ---- /dev/null -+++ b/qmerge.h -@@ -0,0 +1,24 @@ -+#ifndef QMERGE_H -+#define QMERGE_H -+ -+#include "dns.h" -+ -+struct qmerge_key { -+ char *q; -+ char qtype[2]; -+ char *control; -+}; -+ -+struct qmerge { -+ int active; -+ struct qmerge_key key; -+ struct dns_transmit dt; -+ int state; /* -1 = error, 0 = need io, 1 = need get, 2 = got packet */ -+}; -+ -+extern int qmerge_start(struct qmerge **,const char *,int,const char *,const char *,const char *,const char *); -+extern void qmerge_io(struct qmerge *,iopause_fd *,struct taia *); -+extern int qmerge_get(struct qmerge **,const iopause_fd *,const struct taia *); -+extern void qmerge_free(struct qmerge **); -+ -+#endif /* QMERGE_H */ -diff --git a/query.c b/query.c -index a340ffd..b85039c 100644 ---- a/query.c -+++ b/query.c -@@ -84,7 +84,7 @@ static void cleanup(struct query *z) - int j; - int k; - -- dns_transmit_free(&z->dt); -+ qmerge_free(&z->qm); - for (j = 0;j < QUERY_MAXALIAS;++j) - dns_domain_free(&z->alias[j]); - for (j = 0;j < QUERY_MAXLEVEL;++j) { -@@ -623,15 +623,9 @@ static int doit(struct query *z,int state) - if (j == 256) goto SERVFAIL; - - 
dns_sortip6(z->servers[z->level],256); -- if (z->level) { -- dtype = z->ipv6[z->level] ? DNS_T_AAAA : DNS_T_A; -- log_tx(z->name[z->level],dtype,z->control[z->level],z->servers[z->level],z->level); -- if (dns_transmit_start(&z->dt,z->servers[z->level],flagforwardonly,z->name[z->level],dtype,z->localip) == -1) goto DIE; -- } -- else { -- log_tx(z->name[0],z->type,z->control[0],z->servers[0],0); -- if (dns_transmit_start(&z->dt,z->servers[0],flagforwardonly,z->name[0],z->type,z->localip) == -1) goto DIE; -- } -+ dtype = z->level ? (z->ipv6[z->level] ? DNS_T_AAAA : DNS_T_A) : z->type; -+ if (qmerge_start(&z->qm,z->servers[z->level],flagforwardonly,z->name[z->level],dtype,z->localip,z->control[z->level]) == -1) goto DIE; -+ - return 0; - - -@@ -645,10 +639,10 @@ static int doit(struct query *z,int state) - - HAVEPACKET: - if (++z->loop == 200) goto DIE; -- buf = z->dt.packet; -- len = z->dt.packetlen; -+ buf = z->qm->dt.packet; -+ len = z->qm->dt.packetlen; - -- whichserver = z->dt.servers + 16 * z->dt.curserver; -+ whichserver = z->qm->dt.servers + 16 * z->qm->dt.curserver; - control = z->control[z->level]; - d = z->name[z->level]; - /* dtype = z->level ? 
DNS_T_A : z->type; */ -@@ -1075,7 +1069,7 @@ int query_start(struct query *z,char *dn,char type[2],char class[2],unsigned cha - - int query_get(struct query *z,iopause_fd *x,struct taia *stamp) - { -- switch(dns_transmit_get(&z->dt,x,stamp)) { -+ switch(qmerge_get(&z->qm,x,stamp)) { - case 1: - return doit(z,1); - case -1: -@@ -1086,5 +1080,5 @@ int query_get(struct query *z,iopause_fd *x,struct taia *stamp) - - void query_io(struct query *z,iopause_fd *x,struct taia *deadline) - { -- dns_transmit_io(&z->dt,x,deadline); -+ qmerge_io(z->qm,x,deadline); - } -diff --git a/query.h b/query.h -index 84f33c7..0cd4ece 100644 ---- a/query.h -+++ b/query.h -@@ -1,7 +1,7 @@ - #ifndef QUERY_H - #define QUERY_H - --#include "dns.h" -+#include "qmerge.h" - #include "uint32.h" - - #define QUERY_MAXLEVEL 5 -@@ -22,7 +22,7 @@ struct query { - uint32 scope_id; - char type[2]; - char class[2]; -- struct dns_transmit dt; -+ struct qmerge *qm; - } ; - - extern int query_start(struct query *z,char *dn,char type[2],char class[2],unsigned char localip[16],unsigned int scope_id); diff --git a/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch b/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch new file mode 100644 index 000000000000..3dd47fbeb147 --- /dev/null +++ b/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch 
@@ -0,0 +1,351 @@ +diff --git a/Makefile b/Makefile +index cee69a5..5afa9dc 100644 +--- a/Makefile ++++ b/Makefile +@@ -351,11 +351,11 @@ iopause.h taia.h tai.h uint64.h + ./compile dns_txt.c + + dnscache: \ +-load dnscache.o droproot.o okclient.o log.o cache.o query.o \ ++load dnscache.o droproot.o okclient.o log.o cache.o query.o qmerge.o \ + response.o dd.o roots.o iopause.o prot.o dns.a env.a alloc.a buffer.a \ + libtai.a unix.a byte.a socket.lib + ./load dnscache droproot.o okclient.o log.o cache.o \ +- query.o response.o dd.o roots.o iopause.o prot.o dns.a \ ++ query.o qmerge.o response.o dd.o roots.o iopause.o prot.o dns.a \ + env.a alloc.a buffer.a libtai.a unix.a byte.a `cat \ + socket.lib` + +@@ -374,7 +374,8 @@ dnscache.o: \ + compile dnscache.c env.h exit.h scan.h strerr.h error.h ip4.h ip6.h \ + uint16.h uint64.h socket.h uint32.h dns.h stralloc.h gen_alloc.h \ + iopause.h taia.h tai.h byte.h roots.h fmt.h query.h alloc.h \ +-response.h cache.h ndelay.h log.h okclient.h droproot.h openreadclose.h ++response.h cache.h ndelay.h log.h okclient.h droproot.h openreadclose.h \ ++maxclient.h + ./compile dnscache.c + + dnsfilter: \ +@@ -750,10 +751,15 @@ qlog.o: \ + compile qlog.c buffer.h qlog.h uint16.h + ./compile qlog.c + ++qmerge.o: \ ++compile qmerge.c qmerge.h dns.h stralloc.h gen_alloc.h iopause.h \ ++taia.h tai.h uint64.h log.h maxclient.h ++ ./compile qmerge.c ++ + query.o: \ + compile query.c error.h roots.h log.h uint64.h case.h cache.h \ + uint32.h byte.h dns.h stralloc.h gen_alloc.h iopause.h taia.h tai.h \ +-uint16.h dd.h alloc.h response.h query.h ip6.h ++uint16.h dd.h alloc.h response.h query.h ip6.h qmerge.h + ./compile query.c + + random-ip: \ +diff --git a/dnscache.c b/dnscache.c +index d45f932..0c48ec1 100644 +--- a/dnscache.c ++++ b/dnscache.c +@@ -24,6 +24,7 @@ + #include "okclient.h" + #include "droproot.h" + #include "openreadclose.h" ++#include "maxclient.h" + + unsigned long interface; + +@@ -60,7 +61,6 @@ uint64 numqueries = 0; + + 
static int udp53; + +-#define MAXUDP 200 + static struct udpclient { + struct query q; + struct taia start; +@@ -137,7 +137,6 @@ void u_new(void) + + static int tcp53; + +-#define MAXTCP 20 + struct tcpclient { + struct query q; + struct taia start; +diff --git a/log.c b/log.c +index e697f91..2ccc345 100644 +--- a/log.c ++++ b/log.c +@@ -149,6 +149,13 @@ void log_tx(const char *q,const char qtype[2],const char *control,const unsigned + line(); + } + ++void log_tx_piggyback(const char *q, const char qtype[2], const char *control) ++{ ++ string("txpb "); ++ logtype(qtype); space(); name(q); space(); name(control); ++ line(); ++} ++ + void log_cachedanswer(const char *q,const char type[2]) + { + string("cached "); logtype(type); space(); +diff --git a/log.h b/log.h +index 68d698f..c112785 100644 +--- a/log.h ++++ b/log.h +@@ -18,6 +18,7 @@ extern void log_cachednxdomain(const char *); + extern void log_cachedns(const char *,const char *); + + extern void log_tx(const char *q,const char qtype[2],const char *control,const unsigned char servers[256],unsigned int gluelessness); ++extern void log_tx_piggyback(const char *,const char *,const char *); + + extern void log_nxdomain(const unsigned char server[16],const char *q,unsigned int ttl); + extern void log_nodata(const unsigned char server[16],const char *q,const char qtype[2],unsigned int ttl); +diff --git a/maxclient.h b/maxclient.h +new file mode 100644 +index 0000000..e52fcd1 +--- /dev/null ++++ b/maxclient.h +@@ -0,0 +1,7 @@ ++#ifndef MAXCLIENT_H ++#define MAXCLIENT_H ++ ++#define MAXUDP 200 ++#define MAXTCP 20 ++ ++#endif /* MAXCLIENT_H */ +diff --git a/qmerge.c b/qmerge.c +new file mode 100644 +index 0000000..7c92299 +--- /dev/null ++++ b/qmerge.c +@@ -0,0 +1,115 @@ ++#include "qmerge.h" ++#include "byte.h" ++#include "log.h" ++#include "maxclient.h" ++ ++#define QMERGE_MAX (MAXUDP+MAXTCP) ++struct qmerge inprogress[QMERGE_MAX]; ++ ++static ++int qmerge_key_init(struct qmerge_key *qmk, const char *q, const char 
qtype[2], ++ const char *control) ++{ ++ if (!dns_domain_copy(&qmk->q, q)) return 0; ++ byte_copy(qmk->qtype, 2, qtype); ++ if (!dns_domain_copy(&qmk->control, control)) return 0; ++ return 1; ++} ++ ++static ++int qmerge_key_equal(struct qmerge_key *a, struct qmerge_key *b) ++{ ++ return ++ byte_equal(a->qtype, 2, b->qtype) && ++ dns_domain_equal(a->q, b->q) && ++ dns_domain_equal(a->control, b->control); ++} ++ ++static ++void qmerge_key_free(struct qmerge_key *qmk) ++{ ++ dns_domain_free(&qmk->q); ++ dns_domain_free(&qmk->control); ++} ++ ++void qmerge_free(struct qmerge **x) ++{ ++ struct qmerge *qm; ++ ++ qm = *x; ++ *x = 0; ++ if (!qm || !qm->active) return; ++ ++ qm->active--; ++ if (!qm->active) { ++ qmerge_key_free(&qm->key); ++ dns_transmit_free(&qm->dt); ++ } ++} ++ ++int qmerge_start(struct qmerge **qm, const char servers[64], int flagrecursive, ++ const char *q, const char qtype[2], const char localip[4], ++ const char *control) ++{ ++ struct qmerge_key k; ++ int i; ++ int r; ++ ++ qmerge_free(qm); ++ ++ byte_zero(&k, sizeof k); ++ if (!qmerge_key_init(&k, q, qtype, control)) return -1; ++ for (i = 0; i < QMERGE_MAX; i++) { ++ if (!inprogress[i].active) continue; ++ if (!qmerge_key_equal(&k, &inprogress[i].key)) continue; ++ log_tx_piggyback(q, qtype, control); ++ inprogress[i].active++; ++ *qm = &inprogress[i]; ++ qmerge_key_free(&k); ++ return 0; ++ } ++ ++ for (i = 0; i < QMERGE_MAX; i++) ++ if (!inprogress[i].active) ++ break; ++ if (i == QMERGE_MAX) return -1; ++ ++ log_tx(q, qtype, control, servers, 0); ++ r = dns_transmit_start(&inprogress[i].dt, servers, flagrecursive, q, qtype, localip); ++ if (r == -1) { qmerge_key_free(&k); return -1; } ++ inprogress[i].active++; ++ inprogress[i].state = 0; ++ qmerge_key_free(&inprogress[i].key); ++ byte_copy(&inprogress[i].key, sizeof k, &k); ++ *qm = &inprogress[i]; ++ return 0; ++} ++ ++void qmerge_io(struct qmerge *qm, iopause_fd *io, struct taia *deadline) ++{ ++ if (qm->state == 0) { ++ 
dns_transmit_io(&qm->dt, io, deadline); ++ qm->state = 1; ++ } ++ else { ++ io->fd = -1; ++ io->events = 0; ++ } ++} ++ ++int qmerge_get(struct qmerge **x, const iopause_fd *io, const struct taia *when) ++{ ++ int r; ++ struct qmerge *qm; ++ ++ qm = *x; ++ if (qm->state == -1) return -1; /* previous error */ ++ if (qm->state == 0) return 0; /* no packet */ ++ if (qm->state == 2) return 1; /* already got packet */ ++ ++ r = dns_transmit_get(&qm->dt, io, when); ++ if (r == -1) { qm->state = -1; return -1; } /* error */ ++ if (r == 0) { qm->state = 0; return 0; } /* must wait for i/o */ ++ if (r == 1) { qm->state = 2; return 1; } /* got packet */ ++ return -1; /* bug */ ++} +diff --git a/qmerge.h b/qmerge.h +new file mode 100644 +index 0000000..9a58157 +--- /dev/null ++++ b/qmerge.h +@@ -0,0 +1,24 @@ ++#ifndef QMERGE_H ++#define QMERGE_H ++ ++#include "dns.h" ++ ++struct qmerge_key { ++ char *q; ++ char qtype[2]; ++ char *control; ++}; ++ ++struct qmerge { ++ int active; ++ struct qmerge_key key; ++ struct dns_transmit dt; ++ int state; /* -1 = error, 0 = need io, 1 = need get, 2 = got packet */ ++}; ++ ++extern int qmerge_start(struct qmerge **,const char *,int,const char *,const char *,const char *,const char *); ++extern void qmerge_io(struct qmerge *,iopause_fd *,struct taia *); ++extern int qmerge_get(struct qmerge **,const iopause_fd *,const struct taia *); ++extern void qmerge_free(struct qmerge **); ++ ++#endif /* QMERGE_H */ +diff --git a/query.c b/query.c +index a340ffd..b85039c 100644 +--- a/query.c ++++ b/query.c +@@ -84,7 +84,7 @@ static void cleanup(struct query *z) + int j; + int k; + +- dns_transmit_free(&z->dt); ++ qmerge_free(&z->qm); + for (j = 0;j < QUERY_MAXALIAS;++j) + dns_domain_free(&z->alias[j]); + for (j = 0;j < QUERY_MAXLEVEL;++j) { +@@ -623,15 +623,9 @@ static int doit(struct query *z,int state) + if (j == 256) goto SERVFAIL; + + dns_sortip6(z->servers[z->level],256); +- if (z->level) { +- dtype = z->ipv6[z->level] ? 
DNS_T_AAAA : DNS_T_A; +- log_tx(z->name[z->level],dtype,z->control[z->level],z->servers[z->level],z->level); +- if (dns_transmit_start(&z->dt,z->servers[z->level],flagforwardonly,z->name[z->level],dtype,z->localip) == -1) goto DIE; +- } +- else { +- log_tx(z->name[0],z->type,z->control[0],z->servers[0],0); +- if (dns_transmit_start(&z->dt,z->servers[0],flagforwardonly,z->name[0],z->type,z->localip) == -1) goto DIE; +- } ++ dtype = z->level ? (z->ipv6[z->level] ? DNS_T_AAAA : DNS_T_A) : z->type; ++ if (qmerge_start(&z->qm,z->servers[z->level],flagforwardonly,z->name[z->level],dtype,z->localip,z->control[z->level]) == -1) goto DIE; ++ + return 0; + + +@@ -645,10 +639,10 @@ static int doit(struct query *z,int state) + + HAVEPACKET: + if (++z->loop == 200) goto DIE; +- buf = z->dt.packet; +- len = z->dt.packetlen; ++ buf = z->qm->dt.packet; ++ len = z->qm->dt.packetlen; + +- whichserver = z->dt.servers + 16 * z->dt.curserver; ++ whichserver = z->qm->dt.servers + 16 * z->qm->dt.curserver; + control = z->control[z->level]; + d = z->name[z->level]; + /* dtype = z->level ? 
DNS_T_A : z->type; */ +@@ -1075,7 +1069,7 @@ int query_start(struct query *z,char *dn,char type[2],char class[2],unsigned cha + + int query_get(struct query *z,iopause_fd *x,struct taia *stamp) + { +- switch(dns_transmit_get(&z->dt,x,stamp)) { ++ switch(qmerge_get(&z->qm,x,stamp)) { + case 1: + return doit(z,1); + case -1: +@@ -1086,5 +1080,5 @@ int query_get(struct query *z,iopause_fd *x,struct taia *stamp) + + void query_io(struct query *z,iopause_fd *x,struct taia *deadline) + { +- dns_transmit_io(&z->dt,x,deadline); ++ qmerge_io(z->qm,x,deadline); + } +diff --git a/query.h b/query.h +index 84f33c7..0cd4ece 100644 +--- a/query.h ++++ b/query.h +@@ -1,7 +1,7 @@ + #ifndef QUERY_H + #define QUERY_H + +-#include "dns.h" ++#include "qmerge.h" + #include "uint32.h" + + #define QUERY_MAXLEVEL 5 +@@ -22,7 +22,7 @@ struct query { + uint32 scope_id; + char type[2]; + char class[2]; +- struct dns_transmit dt; ++ struct qmerge *qm; + } ; + + extern int query_start(struct query *z,char *dn,char type[2],char class[2],unsigned char localip[16],unsigned int scope_id); -- cgit v1.2.3-65-gdbad
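Review bot: In qmerge_start, `if (!qmerge_key_init(&k, q, qtype, control)) return -1;` leaks `k.q` when the first dns_domain_copy succeeds and the copy of `control` fails, because the early return skips qmerge_key_free; since `k` is byte_zero'd first, and assuming dns_domain_free tolerates a null member as the rest of djbdns does, the fix is `if (!qmerge_key_init(&k, q, qtype, control)) { qmerge_key_free(&k); return -1; }`. It is a small leak only under allocation failure, but dnscache is a long-running daemon that can be pushed into that state by load, so it is worth closing. The parameter declarations `const char servers[64]` and `const char localip[4]` are also stale for this ipv6 rebase: query.c passes the 256-byte `z->servers[z->level]` (see `dns_sortip6(z->servers[z->level],256)`) and query_start takes `unsigned char localip[16]`, and although the compiler does not enforce array sizes in a parameter list, they misdocument the contract; `servers[256]` and `localip[16]` would match what the callers actually hand in. The `log_tx(q, qtype, control, servers, 0)` call likewise passes a `const char *` where log.h declares `const unsigned char servers[256]`, which is a sign-mismatch warning inherited from the earlier version rather than something new here.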