Browse Source

unbound: add patches for leaks during TLS query

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
lilik-openwrt-22.03
Eric Luehrsen 6 years ago
parent
commit
10665f5ce9
4 changed files with 76 additions and 1 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +5
    -0
      net/unbound/patches/100-example-conf-in.patch
  3. +38
    -0
      net/unbound/patches/210-query-state-leak.patch
  4. +32
    -0
      net/unbound/patches/211-tls-timeout-leak.patch

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.8.0 PKG_VERSION:=1.8.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE


+ 5
- 0
net/unbound/patches/100-example-conf-in.patch View File

@ -1,3 +1,8 @@
OpenWrt (modification):
Patch the default configuration file with the tiny memory
configuration example from Unbound documentation. This is the best
starting point for embedded routers if one is not going to use UCI.
Index: doc/example.conf.in Index: doc/example.conf.in
=================================================================== ===================================================================
--- a/doc/example.conf.in --- a/doc/example.conf.in


+ 38
- 0
net/unbound/patches/210-query-state-leak.patch View File

@ -0,0 +1,38 @@
Unbound (trunk):
Fix that with harden-below-nxdomain and qname minisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
Index: iterator/iterator.c
===================================================================
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
+ outbound_list_clear(&iq->outlist);
+ iq->num_current_queries = 0;
+ fptr_ok(fptr_whitelist_modenv_detach_subs(
+ qstate->env->detach_subs));
+ (*qstate->env->detach_subs)(qstate);
+ iq->num_target_queries = 0;
}
}
return next_state(iq, QUERYTARGETS_STATE);
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
return 0;
}
if(rto >= RTT_MAX_TIMEOUT) {
- fallback_tcp = 1;
+ /* fallback_tcp = 1; */
/* UDP does not work, fallback to TCP below */
} else {
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);

+ 32
- 0
net/unbound/patches/211-tls-timeout-leak.patch View File

@ -0,0 +1,32 @@
Unbound (trunk):
For DNS over TLS service, it sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services. Add SSL cleanup for tcp timeout.
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+ if(pend->c->ssl) {
+#ifdef HAVE_SSL
+ SSL_shutdown(pend->c->ssl);
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+#endif
+ }
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;

Loading…
Cancel
Save