unbound: add patches for leaks during TLS query
authorEric Luehrsen <ericluehrsen@gmail.com>
Tue, 18 Sep 2018 01:10:33 +0000 (21:10 -0400)
committerEric Luehrsen <ericluehrsen@gmail.com>
Fri, 28 Sep 2018 03:21:58 +0000 (23:21 -0400)
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
net/unbound/Makefile
net/unbound/patches/100-example-conf-in.patch
net/unbound/patches/210-query-state-leak.patch [new file with mode: 0644]
net/unbound/patches/211-tls-timeout-leak.patch [new file with mode: 0644]

index 354cf59a7c525ffd5f76db62f8cc4aa02d9158a1..6624695e4d9a5170d4430a01a9a433289281ade4 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.8.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
index 5559a4870f5c30a81a9744ae968fd004d6a8b582..0a4b61104bb0f4692260c4323ecedd9fdf8e118d 100644 (file)
@@ -1,3 +1,8 @@
+OpenWrt (modification):
+Patch the default configuration file with the tiny memory
+configuration example from Unbound documentation. This is the best
+starting point for embedded routers if one is not going to use UCI.
+
 Index: doc/example.conf.in
 ===================================================================
 --- a/doc/example.conf.in
diff --git a/net/unbound/patches/210-query-state-leak.patch b/net/unbound/patches/210-query-state-leak.patch
new file mode 100644 (file)
index 0000000..f8a6d25
--- /dev/null
@@ -0,0 +1,38 @@
+Unbound (trunk):
+Fix that with harden-below-nxdomain and qname minisation enabled
+some iterator states for nonresponsive domains can get into a
+state where they waited for an empty list.
+Stop UDP to TCP failover after timeouts that causes the ping count
+to be reset by the TCP time measurement (that exists for TLS),
+because that causes the UDP part to not be measured as timeout.
+
+Index: iterator/iterator.c
+===================================================================
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+                                               verbose(VERB_ALGO,
+                                               "could not validate NXDOMAIN "
+                                               "response");
++                                      outbound_list_clear(&iq->outlist);
++                                      iq->num_current_queries = 0;
++                                      fptr_ok(fptr_whitelist_modenv_detach_subs(
++                                              qstate->env->detach_subs));
++                                      (*qstate->env->detach_subs)(qstate);
++                                      iq->num_target_queries = 0;
+                               }
+                       }
+                       return next_state(iq, QUERYTARGETS_STATE);
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
+                       return 0;
+               }
+               if(rto >= RTT_MAX_TIMEOUT) {
+-                      fallback_tcp = 1;
++                      /* fallback_tcp = 1; */
+                       /* UDP does not work, fallback to TCP below */
+               } else {
+                       serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
diff --git a/net/unbound/patches/211-tls-timeout-leak.patch b/net/unbound/patches/211-tls-timeout-leak.patch
new file mode 100644 (file)
index 0000000..7dfc2a8
--- /dev/null
@@ -0,0 +1,32 @@
+Unbound (trunk):
+For DNS over TLS service, it sets the configured tls auth name.
+This is useful for hosts that apart from the DNS over TLS services
+also provide other (web) services. Add SSL cleanup for tcp timeout.
+
+Index: services/outside_network.c
+===================================================================
+--- a/services/outside_network.c
++++ b/services/outside_network.c
+@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
+                         if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
+                                 log_err("SSL_set1_host failed");
+                               pend->c->fd = s;
++                              SSL_free(pend->c->ssl);
++                              pend->c->ssl = NULL;
+                               comm_point_close(pend->c);
+                               return 0;
+                       }
+@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
+       } else {
+               /* it was in use */
+               struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
++              if(pend->c->ssl) {
++#ifdef HAVE_SSL
++                      SSL_shutdown(pend->c->ssl);
++                      SSL_free(pend->c->ssl);
++                      pend->c->ssl = NULL;
++#endif
++              }
+               comm_point_close(pend->c);
+               pend->query = NULL;
+               pend->next_free = outnet->tcp_free;
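Review bot: The `SSL_free(pend->c->ssl);` / `pend->c->ssl = NULL;` added after `pend->c->fd = s;` in the outnet_tcp_take_into_use hunk is not wrapped in `#ifdef HAVE_SSL`, while the same cleanup added in outnet_tcptimer is; this is fine if the SSL_set1_host error path already sits inside an HAVE_SSL region (likely, since SSL_set1_host is called there), but the quoted context does not show that. The patch header's first three sentences describe the upstream commit the hunks were taken from (setting the configured tls auth name) rather than the SSL cleanup this patch actually carries, and the inner header `@@ -377,6 +379,8 @@` shows the excerpt was cut from a larger change, so it will apply with an offset; a header such as `Free the SSL object when outnet_tcp_take_into_use fails or a TCP/TLS connection times out, so a non-responsive TLS upstream no longer leaks a session per timeout (backport from upstream trunk).` would describe what is applied here. Both enclosing functions start and end outside the quoted hunks.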