~ubuntu-branches/ubuntu/trusty/maradns/trusty-proposed


Viewing changes to deadwood-3.2.05/update/2.9.03/deadwood-2.9.02-truncated_packet_recursive.patch

  • Committer: Package Import Robot
  • Author(s): Dariusz Dwornikowski
  • Date: 2014-02-16 19:36:04 UTC
  • mfrom: (1.2.11) (21.1.11 experimental)
  • Revision ID: package-import@ubuntu.com-20140216193604-xtmcopn9pilzszae
Tags: 2.0.09-1
* New maintainer (Closes: #739084)
* New upstream release to unstable
* Several security bugs (Closes: #739755)
   - security bugfix for CVE-2011-5055, CVE-2011-5056, CVE-2012-0024,
   CVE-2012-1570
   - security bugfix against blind spoofing attack (no CVE number)
   - security bugfix for packet of death attack (no CVE number)
* Bump standards to 3.9.5
* Updated d/postinst to no longer modify conffiles (Closes: #710903)
* Init script fixed (Closes: #709826)
* --reinstall no longer kills the process (Closes: #701657)
* Updated old d/changelog entries, added information when the CVEs were
  fixed: 2.0.06-1, 2.0.04-1, 1.4.11-1, 1.2.12.06-1, 1.2.12.05-1, 1.0.28-1

 
1
diff -ur deadwood-2.9.02/src/DwRecurse.h deadwood-2.9.03/src/DwRecurse.h
 
2
--- deadwood-2.9.02/src/DwRecurse.h     2010-07-29 10:39:10.000000000 -0700
 
3
+++ deadwood-2.9.03/src/DwRecurse.h     2010-08-02 08:49:55.000000000 -0700
 
4
@@ -68,12 +68,13 @@
 
5
 #define TYPE_ANSWER 0
 
6
 #define TYPE_NXDOMAIN 1
 
7
 #define TYPE_NOT_THERE 2 /* Non-NXDOMAIN negative reply */
 
8
+#define TYPE_TRUNCATED 3 /* Non-NXDOMAIN truncated reply */
 
9
+#define TYPE_TRUNCATED_NXDOMAIN 4 /* NXDOMAIN truncated reply */
 
10
 #define TYPE_NS_REFER 16 /* NS referral */
 
11
 #define TYPE_CNAME_REFER 17 /* CNAME referral */
 
12
 #define TYPE_SERVER_TIMEOUT 18
 
13
 #define TYPE_NO_USEFUL_DATA 19
 
14
 #define TYPE_ERROR 20
 
15
-#define TYPE_TRUNCATED 21
 
16
 #define TYPE_UPSTREAM_REFER 22 /* Upstream server; set RD and stop here */
 
17
 /* These won't be used by Deadwood, but may be useful if I ever
 
18
  * expand DwHash to support for datatypes for elements besides
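Review bot: The new values TYPE_TRUNCATED 3 and TYPE_TRUNCATED_NXDOMAIN 4 are tied arithmetically to TYPE_ANSWER 0 and TYPE_NXDOMAIN 1 — cache_dns_reply in DwUdpSocket.c derives them with `is_nxdomain += 3` — but nothing in the header records that coupling, and TYPE_TRUNCATED was previously 21. Suggest a comment on the two new defines, e.g. `/* Must stay at TYPE_ANSWER + 3 and TYPE_NXDOMAIN + 3: DwUdpSocket.c computes them by addition */`. Since the type byte is what gets stored in the cache entry, it is worth confirming that no cache data written with the old value 21 can survive into a build that reads it as something else.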
 
19
diff -ur deadwood-2.9.02/src/DwStr.c deadwood-2.9.03/src/DwStr.c
 
20
--- deadwood-2.9.02/src/DwStr.c 2010-07-29 10:39:10.000000000 -0700
 
21
+++ deadwood-2.9.03/src/DwStr.c 2010-08-02 09:16:06.000000000 -0700
 
22
@@ -438,6 +438,8 @@
 
23
  *
 
24
  * Should this function succeed, it will return a 0.  Otherwise, it
 
25
  * will return a -1
 
26
+ *
 
27
+ * BUG: Does not work correctly with length-1 (1-byte) strings
 
28
  */
 
29
 
 
30
 int dw_put_u8(dw_str *obj, uint8_t value, int32_t offset) {
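Review bot: The added BUG comment records the limitation but not what callers are expected to do about it; the new truncated path in DwUdpSocket.c's cache_dns_reply allocates with `dw_create(2)` to store a single byte, which appears to be a workaround for exactly this. Suggest extending the comment with one more line, e.g. ` * Callers that need a 1-byte string should allocate 2 bytes until this is fixed`, so the workaround in the caller is not removed later as an apparent over-allocation. dw_put_u8 itself begins on the last line of the hunk and its body is outside it.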
 
31
diff -ur deadwood-2.9.02/src/DwUdpSocket.c deadwood-2.9.03/src/DwUdpSocket.c
 
32
--- deadwood-2.9.02/src/DwUdpSocket.c   2010-07-29 10:39:09.000000000 -0700
 
33
+++ deadwood-2.9.03/src/DwUdpSocket.c   2010-08-02 10:32:13.000000000 -0700
 
34
@@ -451,9 +451,12 @@
 
35
         dw_str *out = 0;
 
36
 
 
37
         is_nxdomain = dw_pop_u8(answer);
 
38
-        arcount = dw_pop_u16(answer);
 
39
-        nscount = dw_pop_u16(answer);
 
40
-        ancount = dw_pop_u16(answer);
 
41
+       if(is_nxdomain != TYPE_TRUNCATED && 
 
42
+                       is_nxdomain != TYPE_TRUNCATED_NXDOMAIN) {
 
43
+               arcount = dw_pop_u16(answer);
 
44
+               nscount = dw_pop_u16(answer);
 
45
+               ancount = dw_pop_u16(answer);
 
46
+       } 
 
47
 
 
48
         if(is_nxdomain == 0 || is_nxdomain == 2) {
 
49
                 /* 0x8180: QR = 1; Opcode = 0; AA = 0; TC = 0; RD = 1; RA = 1;
 
50
@@ -462,16 +465,26 @@
 
51
         } else if(is_nxdomain == 1) {
 
52
                 /* Same header as before, but with RCODE of "name error" */
 
53
                 out = make_dns_header(id,0x8183,ancount,nscount,arcount);
 
54
+       } else if(is_nxdomain == TYPE_TRUNCATED) {
 
55
+               /* Set TC to 1 */
 
56
+                out = make_dns_header(id,0x8380,0,0,0);
 
57
+       } else if(is_nxdomain == TYPE_TRUNCATED_NXDOMAIN) {
 
58
+               /* TC 1; RCODE "name error" */
 
59
+                out = make_dns_header(id,0x8383,0,0,0);
 
60
         } else {
 
61
                 goto catch_make_dns_packet;
 
62
         }
 
63
 
 
64
         if(dw_append(question,out) == -1 ||
 
65
-           dw_put_u16(out,1,-1) == -1 || /* QCLASS: 1 */
 
66
-           dw_append(answer,out) == -1) {
 
67
+           dw_put_u16(out,1,-1) == -1 /* QCLASS: 1 */ ) {
 
68
                 goto catch_make_dns_packet;
 
69
         }
 
70
-
 
71
+       if(is_nxdomain != TYPE_TRUNCATED && 
 
72
+                       is_nxdomain != TYPE_TRUNCATED_NXDOMAIN &&
 
73
+                       dw_append(answer,out) == -1) {
 
74
+                goto catch_make_dns_packet;
 
75
+        }
 
76
+               
 
77
         return out;
 
78
 
 
79
 catch_make_dns_packet:
 
80
@@ -491,7 +504,7 @@
 
81
         dw_str *comp = 0; /* Compressed DNS packet */
 
82
         dw_str *packet = 0;
 
83
         socklen_t c_len = sizeof(struct sockaddr_in);
 
84
-        int ret = -1, type = 0;
 
85
+        int ret = -1, type = 0, cache_type = 0;
 
86
 
 
87
 #ifdef IPV6
 
88
         if (client->Family == AF_INET6) {
 
89
@@ -505,9 +518,22 @@
 
90
                 dwc_process(cache,query,3); /* RR rotation, TTL aging, etc. */
 
91
         }
 
92
         value = dwh_get(cache,query,resurrect,1);
 
93
-        comp = dwc_compress(query,value);
 
94
+       cache_type = dw_fetch_u8(value,-1);
 
95
+       if(cache_type != TYPE_TRUNCATED && 
 
96
+                       cache_type != TYPE_TRUNCATED_NXDOMAIN) {
 
97
+               comp = dwc_compress(query,value);
 
98
+       } else {
 
99
+               /* Immediately zap truncated from cache when fetched */
 
100
+               dwh_zap(cache,query,0,1);
 
101
+               if(client == 0) { /* DNS-over-TCP */
 
102
+                       ret = 2;
 
103
+                       goto catch_get_reply_from_cache;
 
104
+               }
 
105
+               comp = dw_copy(value);
 
106
+       }
 
107
+
 
108
         if(comp == 0) {
 
109
-                goto catch_get_reply_from_cache;
 
110
+                       goto catch_get_reply_from_cache;
 
111
         }
 
112
 
 
113
         if(comp->len == 7) { /* Empty packet; workaround */
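Review bot: `cache_type = dw_fetch_u8(value,-1)` now runs before anything tests that dwh_get returned a non-null value; in the old code a miss flowed into dwc_compress and was caught by the `comp == 0` test, but now dw_fetch_u8 sees the null first. If dwh_get can return 0 on a miss and dw_fetch_u8 is not known to tolerate a null dw_str, add `if(value == 0) { goto catch_get_reply_from_cache; }` ahead of the fetch. The re-indented `goto` on the following line is a whitespace-only change that adds noise to the hunk. get_reply_from_cache begins before the hunk and continues after it.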
 
114
@@ -669,7 +695,7 @@
 
115
 
 
116
 /* Add a reply we have received from the remote (upstream) DNS server to
 
117
  * the cache */
 
118
-int cache_dns_reply(unsigned char *packet, int count, int b) {
 
119
+int cache_dns_reply(unsigned char *packet, int count, int b, int truncated) {
 
120
         int32_t ttl = 60;
 
121
         int32_t ancount = 0;
 
122
         int is_nxdomain = 0;
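Review bot: The new `truncated` parameter is not described in the header comment above cache_dns_reply, and the body only honours the value 1 (it compares with `== 1`). Suggest extending the comment: ` * truncated: 1 when the upstream reply had TC set; then only a one-byte TYPE_TRUNCATED / TYPE_TRUNCATED_NXDOMAIN marker is cached and the packet body is not parsed`. The function body continues past the hunk.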
 
123
@@ -683,35 +709,46 @@
 
124
         if((packet[3] & 0x0f) == 3) {
 
125
                 is_nxdomain = 1;
 
126
         }
 
127
-        answer = dw_packet_to_cache(packet,count,is_nxdomain);
 
128
-        decomp = dwc_decompress(question,answer);
 
129
-        if(dwc_has_bad_ip(decomp,blacklist_dict) ||
 
130
-           (qtype == 28 /* AAAA */ && key_n[DWM_N_reject_aaaa] == 1)) {
 
131
-                ret = -2; /* Tell caller we need synth "not there" */
 
132
-                goto catch_cache_dns_reply;
 
133
-        }
 
134
-        ancount = dw_cachepacket_to_ancount(answer);
 
135
-        if(ancount == 0) {
 
136
-                ancount = 32; /* So we can correctly cache negative answers */
 
137
-        }
 
138
-
 
139
-        if(question == 0 || answer == 0 || ancount == -1) {
 
140
-                goto catch_cache_dns_reply;
 
141
-        }
 
142
-
 
143
-        ttl = dw_get_a_dnsttl(answer,0,31536000,ancount);
 
144
-
 
145
-        if(ttl == -1) {
 
146
-                goto catch_cache_dns_reply;
 
147
-        }
 
148
-        if(ttl < 30) {
 
149
-                ttl = 30;
 
150
-        }
 
151
-
 
152
-        /* Have routines in DwRecurse.c process the packet and let us know
 
153
-         * what kind of packet we got upstream (so we know how to continue)
 
154
-         */
 
155
-        ret = dwx_cache_reply(cache,question,decomp,ttl,b);
 
156
+       if(truncated == 1) {
 
157
+               is_nxdomain += 3; 
 
158
+               answer = dw_create(2);
 
159
+               if(dw_put_u8(answer, is_nxdomain, 0) == -1) {
 
160
+                       goto catch_cache_dns_reply;
 
161
+               }
 
162
+               dwh_add(cache,question,answer,7,1);
 
163
+               ret = 1;
 
164
+       } else {
 
165
+               answer = dw_packet_to_cache(packet,count,is_nxdomain);
 
166
+               decomp = dwc_decompress(question,answer);
 
167
+               if(dwc_has_bad_ip(decomp,blacklist_dict) ||
 
168
+                  (qtype == 28 /* AAAA */ && key_n[DWM_N_reject_aaaa] == 1)) {
 
169
+                       ret = -2; /* Tell caller we need synth "not there" */
 
170
+                       goto catch_cache_dns_reply;
 
171
+               }
 
172
+               ancount = dw_cachepacket_to_ancount(answer);
 
173
+               if(ancount == 0) {
 
174
+                       ancount = 32; /* Correct negative answer caching */
 
175
+               }
 
176
+
 
177
+               if(question == 0 || answer == 0 || ancount == -1) {
 
178
+                       goto catch_cache_dns_reply;
 
179
+               }
 
180
+
 
181
+               ttl = dw_get_a_dnsttl(answer,0,31536000,ancount);
 
182
+
 
183
+               if(ttl == -1) {
 
184
+                       goto catch_cache_dns_reply;
 
185
+               }
 
186
+               if(ttl < 30) {
 
187
+                       ttl = 30;
 
188
+               }
 
189
+
 
190
+               /* Routines in DwRecurse.c process the packet and let us know
 
191
+                * what kind of packet we got upstream (so we know how to 
 
192
+                * continue)
 
193
+                */
 
194
+               ret = dwx_cache_reply(cache,question,decomp,ttl,b);
 
195
+       }
 
196
 
 
197
 catch_cache_dns_reply:
 
198
         if(question != 0) {
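Review bot: The truncated branch drops the null checks that the else branch keeps: `answer = dw_create(2)` is handed to dw_put_u8 and dwh_add without being tested, and `question` is never tested, while the other branch has `if(question == 0 || answer == 0 || ancount == -1)`. Add `if(question == 0 || answer == 0) { goto catch_cache_dns_reply; }` right after the dw_create call unless both callees are known to accept a null argument. The `7` passed to dwh_add is an unexplained constant where the other path clamps TTLs to at least 30, and the fetch path also zaps the entry on first read; a short comment on what that lifetime is meant to achieve would help, as would checking dwh_add's return value. The function starts before the hunk.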
 
199
@@ -879,7 +916,7 @@
 
200
         if (rem[b].local[l]->glueless_type != 0) {
 
201
                 conn_num = rem[b].local[l]->glueless_conn;
 
202
                 if(rem[b].local[l]->glueless_type == 1) { /* Glueless NS */
 
203
-                        if(rem[conn_num].child_id == b) {
 
204
+                        if(rem[conn_num].child_id == b) { /* Sanity check */
 
205
                                 dwx_glueless_done(query, conn_num);
 
206
                         }
 
207
                         ret = 4; /* Yes, we want to end the connection */
 
208
@@ -931,7 +968,7 @@
 
209
 
 
210
         if((a[2] & 0x02) == 0x00) { /* If not truncated */
 
211
                 fflush(stdout);
 
212
-                cache_dns_reply_return_value = cache_dns_reply(a,count,b);
 
213
+                cache_dns_reply_return_value = cache_dns_reply(a,count,b,0);
 
214
                 if(cache_dns_reply_return_value == -2) { /* Make synth NX */
 
215
                         make_synth_not_there(b,sock,a,count);
 
216
                         return -1; /* Bad reply and they got a Synth NX */
 
217
@@ -952,7 +989,10 @@
 
218
                  * we can fully process the TCP connection */
 
219
                 rem[b].die = get_time() + ((int64_t)timeout_seconds << 10);
 
220
                 return 2; /* Don't kill pending UDP connection */
 
221
-        }
 
222
+        } else { /* Truncated over UDP; just given them a blank "truncated"
 
223
+                 * reply */
 
224
+               cache_dns_reply(a,count,b,1);
 
225
+       }
 
226
 
 
227
         /* Now make sure the ID is the same as the one the client
 
228
          * originally sent us */
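Review bot: The return value of `cache_dns_reply(a,count,b,1)` in the new else branch is discarded, whereas the non-truncated call site a few hunks earlier inspects it; if caching the marker fails (dw_create or dw_put_u8 failing), processing continues with nothing recorded. Either check it or state in the comment that this is best effort, e.g. `/* Best effort: if the marker is not cached the client simply gets no cached truncated reply */`. The comment's `just given them` presumably means `just give them`. The enclosing function starts before the hunk and continues after it.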
 
229
--- deadwood-2.9.02/doc/Deadwood.ej     2010-07-29 10:39:09.000000000 -0700
 
230
+++ deadwood-2.9.03/doc/Deadwood.ej     2010-08-02 10:39:59.000000000 -0700
 
231
@@ -567,11 +567,12 @@
 
232
 <h1>BUGS</h1>
 
233
 
 
234
 DNS-over-TCP needs to be explicitly enabled.  Note that DNS-over-TCP is 
 
235
-almost never used. 
 
236
-<p>
 
237
-
 
238
+almost never used.  Also,
 
239
 Deadwood does not cache DNS packets larger than 512 bytes in size that
 
240
-need to be sent using TCP.  Again, DNS-over-TCP is almost never used.
 
241
+need to be sent using TCP.  In addition, DNS-over-TCP packets which
 
242
+are "incomplete" DNS replies (replies which a stub resolver can not use,
 
243
+namely either a NS referral or an incomplete CNAME reply) are not
 
244
+handled correctly by Deadwood.  Again, DNS-over-TCP is very rare.
 
245
 <p>
 
246
 
 
247
 Deadwood can not process DNS resource record types with numbers between