[Dnsmasq-discuss] Announce 2.85rc1 and security warning.

Simon Kelley simon at thekelleys.org.uk
Sat Mar 20 09:26:06 UTC 2021



>>
>> 2) On *BSD this is moot anyway, since the index we're deriving is used
>> for binding a UDP socket to an interface, and *BSD doesn't, as far as I
>> know, have an equivalent of the SO_BINDTODEVICE linux ioctl, so it's not
>> supported. Matthias, you can't test any code, since to do so you'd need
>> to bind a server to an interface
>>
>> server=8.8.8.8@eth0
>>
>> and that will just exit with a "not supported" message on *BSD.
>>
>> I think the best bet here might be to use if_nametoindex(), on non-linux
>> builds, so that the expected data is there, even if it's not used
>> (principle of least surprise). I'll commit that patch.
>>
>>
>> Matthias, do you know if FreeBSD has gained an equivalent of
>> SO_BINDTODEVICE? Last time I looked it didn't, and a quick Google wasn't
>> promising, but if it does that would be a useful thing to support.
> 
> Simon, thank you.
> 
> Apparently FreeBSD still has neither SO_BINDTODEVICE nor IP_SENDIF.
> https://github.com/freebsd/freebsd-src is a mirror of FreeBSD's source
> and has a search function. Nada, zero, except users in included/imported
> third-party application code.
> 
> For specifying datagram source addresses, it would appear you can either
> bind(2) the socket you send from, or you can use IP_SENDSRCADDR as
> ancillary data for sendmsg() if you want to ship out from unbound udp(4)
> sockets. Anything else that we need here functionally?

The dnsmasq code already binds the sending socket, and binding servers
to source addresses works under FreeBSD (hence, this is still a security
issue for you, though probably a very minor one, since you don't have
the ubiquity of NetworkManager usage driving things.)

Adding binding to interfaces will be pretty trivial if/when FreeBSD adds
the kernel smarts with any API. (The Linux calls are not necessarily the
ones to emulate - SO_BINDTODEVICE takes interface _name_ but IP_SENDIF
takes interface _index_. Hmmm.)

Cheers,

Simon.

> 
> https://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=4&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html
> 
> https://www.freebsd.org/cgi/man.cgi?query=sendmsg&apropos=0&sektion=2&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html
> 
> and the structures are on the recv(2) manpage:
> 
> https://www.freebsd.org/cgi/man.cgi?query=recvmsg&apropos=0&sektion=2&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html
> 
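
Added example, not part of the original message and not dnsmasq's own code: one way to lay out the approach discussed in this thread, resolving the interface index with if_nametoindex() on every platform and calling SO_BINDTODEVICE only where the platform defines it. The function names and return codes are assumptions made for this example, and "lo" is a sample default.

```c
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return codes are names made up for this example. */
enum { BIND_OK = 0, BIND_BAD_NAME = -1, BIND_NO_SUCH_IF = -2,
       BIND_UNSUPPORTED = -3, BIND_FAILED = -4 };

/* Validate the name and resolve its index. Runs on every platform, so the
 * index is populated even where it cannot be used for binding. */
int iface_index(const char *name, unsigned int *index_out)
{
    *index_out = 0;
    if (name == NULL || name[0] == '\0' || strlen(name) >= IF_NAMESIZE)
        return BIND_BAD_NAME;          /* reject before it reaches the kernel */
    unsigned int idx = if_nametoindex(name);
    if (idx == 0)
        return BIND_NO_SUCH_IF;        /* unknown interface: refuse, don't guess */
    *index_out = idx;
    return BIND_OK;
}

/* Bind a UDP socket to an interface by name. SO_BINDTODEVICE takes the
 * NUL-terminated name, not the index. Where the option is not defined the
 * caller gets an explicit "unsupported" result instead of an unbound socket. */
int bind_udp_to_iface(int fd, const char *name, unsigned int *index_out)
{
    int rc = iface_index(name, index_out);
    if (rc != BIND_OK)
        return rc;
#ifdef SO_BINDTODEVICE
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, name,
                   (socklen_t)strlen(name) + 1) == -1)
        return BIND_FAILED;            /* e.g. insufficient privilege */
    return BIND_OK;
#else
    (void)fd;
    return BIND_UNSUPPORTED;
#endif
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "lo";   /* sample default */
    unsigned int idx;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int rc = bind_udp_to_iface(fd, name, &idx);
    printf("%s: index=%u result=%d\n", name, idx, rc);
    if (fd >= 0) close(fd);
    return rc == BIND_OK ? 0 : 1;
}
```

A caller that treats any result other than BIND_OK as fatal for that upstream server avoids silently sending queries from a socket that is not bound to the configured interface.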