[Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable

[Simon Kelley]

On 22/01/2021 16:08, Hannu Nyman wrote:
> I bisected the dnsmasq commits, and looks like it is caused by this:
> 
> 15b60ddf935a531269bb8c68198de012a4967156  FAIL
> 824461192ca5098043f9ca4ddeba7df1f65b30ba  Ok ?
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156
> 
> 
> "Handle multiple identical near simultaneous DNS queries better."'
> 
> Dnsmasq built from earlier commits seem to avoid the error/warning
> messages, while builds after 15b60ddf cause log spam.
> 
> 
> This bug is seen by lots of OpenWrt users, based on OpenWrt forum
> discussion.  E.g. onward from
> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/22
> 
> 
> One observation in the forum discussion is that this is only/mainly seen
> when then are Windows PCs or Macs active in LAN. IPv6 RA/DHCPv6 may also
> play a role.
> 
> 

I think this is the solution.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee


You've found the right commit, and it looks like if two queries are
combined (because they ask the same question) then dnsmasq can get
confused when it comes to return the answer, the reply to the second
query can be sent via the socket that the first one arrived on. That's
normally OK, but if the first query arrives via IPv4 and the second via
IPv6, for instance, then the bug is triggered. Hence the mentions of
IPv6 in this thread.

This is an example of the risk of doing security fixes in secret before
public disclosure, I'm sure a beta release would have found this.

Thanks for the effort taken chasing this. Please apply the patch above
and see if it fixes it.


Cheers,

Simon.





> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss