[Dnsmasq-discuss] 2.80 dnspooq v3 problem
Petr Menšík
pemensik at redhat.com
Thu Dec 9 03:03:38 UTC 2021
Hi,
yes, there were some fixes related to bind to device option. I would
suggest looking at CentOS 8/RHEL 8 patches of 2.79 [1], which hopefully
fixed also regressions caused by the CVE fixes. Description of the
problem matches something I had to fix later, it should be some of
recent patches.
I think it might be referenced by this:
||
#
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3f535da79e7a42104543ef5c7b5fa2bed819a78b
#
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee
Patch27: dnsmasq-2.79-mixed-family-failed.patch
Not all fixes are always backported. I think the issue you describe were
about not matching sfd->fd socket properly. One were ignored because
SO_BINDTODEVICE, the other because mismatching socket number. Result was
ignored responses. Cannot remember exact commit, I am sorry. I think
Simon fixed it together with random sockets of source device, so it has
no separate commit.
Cheers,
Petr
1. https://git.centos.org/rpms/dnsmasq/blob/c8s/f/SOURCES
On 12/3/21 12:32, sunil rathod wrote:
> Hi Petr,
> I have used the following patches for 2.80 release along with dnspooq
> patch to resolve the bugs.
>
> Does this patch have any implications with the "SO_BINDTODEVICE"
> option in sockets. In my system, when DNS replies arrive on the
> interface, the kernel seems to drop these because of a mismatched
> socket. After the kernel upgrade, I see this problem. Is there a way
> we can bind to an IP address rather than interface for forwarding interf
>
>
> 1.
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014789.html
> 2.
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
> 3.
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=8f9bd615053cd13aba82a111ec20bb79d25a2d1e
>
> Regards,
> Sunil
>
> On Fri, 2 Apr 2021 at 05:21, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
>
>
> On 31/03/2021 08:50, Petr Menšík wrote:
> > Hi Sunil,
> >
> > This is exactly the same issue I reported on thread [1].
> Unfortunately
> > it haven't got merged separately, but it should be patched by
> > CVE-2021-3448 fix [2]. It happens only when you have rp_filter
> set to 1.
> > The root cause of this is the lookup_frec part change in commit
> > 8f9bd615053cd [3], including the part added previously by commit
> [2].
> >
> > Yes, these are uncovered bugs not found when testing dnspooq
> patches.
> > The root of the issue was there also before, but it stopped
> working only
> > after dnspooq patches. They are related.
> >
>
> Thanks Petr, Given the above.
>
> 1) This is not fixed in the 2.80 dnspooq v3 patches.
> 2) It is fixed in the forthcoming 2.85 release.
>
> Simon.
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20211209/1fcb4862/attachment.htm>
More information about the Dnsmasq-discuss
mailing list