Browse Source

Merge pull request #7112 from EricLuehrsen/unbound_leak

unbound: add patches for leaks during TLS query
lilik-openwrt-22.03
Dirk Brenken 6 years ago
committed by GitHub
parent
commit
7f9dfaae85
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 76 additions and 1 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +5
    -0
      net/unbound/patches/100-example-conf-in.patch
  3. +38
    -0
      net/unbound/patches/210-query-state-leak.patch
  4. +32
    -0
      net/unbound/patches/211-tls-timeout-leak.patch

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.8.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


+ 5
- 0
net/unbound/patches/100-example-conf-in.patch View File

@ -1,3 +1,8 @@
OpenWrt (modification):
Patch the default configuration file with the tiny memory
configuration example from Unbound documentation. This is the best
starting point for embedded routers if one is not going to use UCI.
Index: doc/example.conf.in
===================================================================
--- a/doc/example.conf.in


+ 38
- 0
net/unbound/patches/210-query-state-leak.patch View File

@ -0,0 +1,38 @@
Unbound (trunk):
Fix that with harden-below-nxdomain and qname minisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
Index: iterator/iterator.c
===================================================================
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
+ outbound_list_clear(&iq->outlist);
+ iq->num_current_queries = 0;
+ fptr_ok(fptr_whitelist_modenv_detach_subs(
+ qstate->env->detach_subs));
+ (*qstate->env->detach_subs)(qstate);
+ iq->num_target_queries = 0;
}
}
return next_state(iq, QUERYTARGETS_STATE);
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
return 0;
}
if(rto >= RTT_MAX_TIMEOUT) {
- fallback_tcp = 1;
+ /* fallback_tcp = 1; */
/* UDP does not work, fallback to TCP below */
} else {
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);

+ 32
- 0
net/unbound/patches/211-tls-timeout-leak.patch View File

@ -0,0 +1,32 @@
Unbound (trunk):
For DNS over TLS service, it sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services. Add SSL cleanup for tcp timeout.
Index: services/outside_network.c
===================================================================
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -377,6 +379,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@@ -1264,6 +1268,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+ if(pend->c->ssl) {
+#ifdef HAVE_SSL
+ SSL_shutdown(pend->c->ssl);
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+#endif
+ }
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;

Loading…
Cancel
Save