From patchwork Wed Aug 5 09:18:08 2015
X-Patchwork-Submitter: Kevin Darbyshire-Bryant
X-Patchwork-Id: 503942
From: Kevin Darbyshire-Bryant
Date: Wed, 5 Aug 2015 10:18:08 +0100
Message-ID: <1438766288-9281-1-git-send-email-kevin@darbyshire-bryant.me.uk>
Subject: [OpenWrt-Devel] [PATCH] dnsmasq: dns rebind protection improvements
List-Id: OpenWrt Development List
From upstream dnsmasq pre 2.76 release.

Include 0.0.0.0/8 in DNS rebind checks.

Signed-off-by: Kevin Darbyshire-Bryant
--- package/network/services/dnsmasq/Makefile | 2 +- .../patches/300-dns-rebind-improvements.patch | 42 ++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 444459b..864914e 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_VERSION:=2.75 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch b/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch new file mode 100644 index 0000000..ab84b58 --- /dev/null +++ b/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch
@@ -0,0 +1,42 @@ +From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 3 Aug 2015 21:52:12 +0100 +Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks. + +--- + CHANGELOG | 7 +++++++ + src/rfc1035.c | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 901da47..3f4026d 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,10 @@ ++version 2.76 ++ Include 0.0.0.0/8 in DNS rebind checks. This range ++ translates to hosts on the local network, or, at ++ least, 0.0.0.0 accesses the local host, so could ++ be targets for DNS rebinding. See RFC 5735 section 3 ++ for details. Thanks to Stephen Röttger for the bug report. ++ + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 56647b0..29e9e65 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost) + in_addr_t ip_addr = ntohl(addr.s_addr); + + return +- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || ++ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || ++ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ || + ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || + ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || + ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ || +-- +1.7.10.4 +
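Review bot: the PKG_RELEASE 1 -> 2 bump in the Makefile hunk is the correct change for adding a local patch against the unchanged 2.75 tarball, but the commit message should say that the fix is already queued upstream (the nested commit's CHANGELOG entry files it under version 2.76), so that whoever moves the package to 2.76 knows 300-dns-rebind-improvements.patch is to be dropped rather than refreshed.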
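Review bot: in the rfc1035.c hunk the added `((ip_addr & 0xFF000000) == 0x00000000)` test is unconditional, whereas the 127.0.0.0/8 test next to it is gated by `ban_localhost`; given the CHANGELOG wording that 0.0.0.0 "accesses the local host", a caller that passes ban_localhost=0 to allow loopback answers will still see 0.0.0.0/8 answers rejected. That asymmetry is the upstream author's choice and the backport reproduces it verbatim, but it is worth stating in the OpenWrt commit message, together with the operational consequence: any upstream resolver or blocklist that answers with 0.0.0.0 as a sinkhole address will now have those replies dropped as rebind attempts wherever rebind protection is enabled, which is a behaviour change operators may notice after this release bump. Also note that the `-`/`+` pair for the loopback line is textually identical, so it is presumably a trailing-whitespace change carried over from upstream; harmless, but it makes the hunk look like two changed lines when it is a one-line addition.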