
unbound: update to 1.8.1

bug fixes for memory leaks
bug fixes for DNS over TLS

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Eric Luehrsen 6 years ago
parent
commit
361446f409
3 changed files with 3 additions and 73 deletions
  1. +3
    -3
      net/unbound/Makefile
  2. +0
    -38
      net/unbound/patches/210-query-state-leak.patch
  3. +0
    -32
      net/unbound/patches/211-tls-timeout-leak.patch

+ 3
- 3
net/unbound/Makefile View File

@ -8,8 +8,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.8.0
PKG_RELEASE:=2
PKG_VERSION:=1.8.1
PKG_RELEASE:=1
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@gmail.com>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unbound.net/downloads
PKG_HASH:=78f79d6d3b643fdcd74a14fc76542250da886c82f82bc55b51e189663d61b83f
PKG_HASH:=c362b3b9c35d1b8c1918da02cdd5528d729206c14c767add89ae95acae363c5d
PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf


+ 0
- 38
net/unbound/patches/210-query-state-leak.patch View File

@ -1,38 +0,0 @@
Unbound (trunk):
Fix that with harden-below-nxdomain and qname minisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
Index: iterator/iterator.c
===================================================================
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
+ outbound_list_clear(&iq->outlist);
+ iq->num_current_queries = 0;
+ fptr_ok(fptr_whitelist_modenv_detach_subs(
+ qstate->env->detach_subs));
+ (*qstate->env->detach_subs)(qstate);
+ iq->num_target_queries = 0;
}
}
return next_state(iq, QUERYTARGETS_STATE);
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
return 0;
}
if(rto >= RTT_MAX_TIMEOUT) {
- fallback_tcp = 1;
+ /* fallback_tcp = 1; */
/* UDP does not work, fallback to TCP below */
} else {
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);

+ 0
- 32
net/unbound/patches/211-tls-timeout-leak.patch View File

@ -1,32 +0,0 @@
Unbound (trunk):
For DNS over TLS service, it sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services. Add SSL cleanup for tcp timeout.
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+ if(pend->c->ssl) {
+#ifdef HAVE_SSL
+ SSL_shutdown(pend->c->ssl);
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+#endif
+ }
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;
