diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind')
15 files changed, 100 insertions, 1081 deletions
diff --git a/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch new file mode 100644 index 0000000000..8db96ec049 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch @@ -0,0 +1,27 @@ +From 31dde3562f287429eea94b77250d184818b49063 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Mon, 15 Oct 2018 16:55:09 +0800 +Subject: [PATCH] avoid start failure with bind user + +Upstream-Status: Pending + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + init.d | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/init.d b/init.d +index b2eec60..6e03936 100644 +--- a/init.d ++++ b/init.d +@@ -57,6 +57,7 @@ case "$1" in + modprobe capability >/dev/null 2>&1 || true + if [ ! -f /etc/bind/rndc.key ]; then + /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom ++ chown root:bind /etc/bind/rndc.key >/dev/null 2>&1 || true + chmod 0640 /etc/bind/rndc.key + fi + if [ -f /var/run/named/named.pid ]; then +-- +2.7.4 + diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch deleted file mode 100644 index 805cbb3315..0000000000 --- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch +++ /dev/null @@ -1,50 +0,0 @@ -xml2-config is disabled, so change the configure script to use pkgconfig to find -libxml2. - -Upstream-Status: Inappropriate -Signed-off-by: Ross Burton <ross.burton@intel.com> - -Update context for version 9.10.3-P2. - -Signed-off-by: Kai Kang <kai.kang@windriver.com> ---- - configure.in | 23 +++-------------------- - 1 file changed, 3 insertions(+), 20 deletions(-) - -diff --git a/configure.in b/configure.in -index 0db826d..75819eb 100644 ---- a/configure.in -+++ b/configure.in -@@ -2107,26 +2107,9 @@ case "$use_libxml2" in - DST_LIBXML2_INC="" - ;; - auto|yes) -- case X`(xml2-config --version) 2>/dev/null` in -- X2.[[6789]].*) -- libxml2_libs=`xml2-config --libs` -- libxml2_cflags=`xml2-config --cflags` -- ;; -- *) -- if test "$use_libxml2" = "yes" ; then -- AC_MSG_RESULT(no) -- AC_MSG_ERROR(required libxml2 version not available) -- else -- libxml2_libs= -- libxml2_cflags= -- fi -- ;; -- esac -- ;; -- *) -- if test -f "$use_libxml2/bin/xml2-config" ; then -- libxml2_libs=`$use_libxml2/bin/xml2-config --libs` -- libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags` -+ if pkg-config --exists libxml-2.0 ; then -+ libxml2_libs=`pkg-config libxml-2.0 --libs` -+ libxml2_cflags=`pkg-config libxml-2.0 --cflags` - fi - ;; - esac --- -2.1.4 - diff --git a/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch b/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch new file mode 100644 index 0000000000..9d31b98080 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch @@ -0,0 +1,30 @@ +From 2325a92f1896a2a7f586611686801b41fbc91b50 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Mon, 27 Aug 2018 15:00:51 +0800 +Subject: [PATCH] configure.in: remove useless `-L$use_openssl/lib' + +Since `--with-openssl=${STAGING_DIR_HOST}${prefix}' is used in bind recipe, +the `-L$use_openssl/lib' has a hardcoded suffix, removing it is harmless +and helpful for clean up host build path in isc-config.sh + +Upstream-Status: Inappropriate [oe-core specific] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index e85a5c6..2bbfc58 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1631,7 +1631,7 @@ If you don't want OpenSSL, use --without-openssl]) + fi + ;; + *) +- DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" ++ DST_OPENSSL_LIBS="-lcrypto" + ;; + esac + fi diff --git a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch b/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch deleted file mode 100644 index 1215093716..0000000000 --- a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch +++ /dev/null @@ -1,25 +0,0 @@ -Upstream-Status: Pending - -Subject: gen.c: extend DIRNAMESIZE from 256 to 512 - -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - lib/dns/gen.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/dns/gen.c b/lib/dns/gen.c -index 7a7dafb..51a0435 100644 ---- a/lib/dns/gen.c -+++ b/lib/dns/gen.c -@@ -148,7 +148,7 @@ static const char copyright[] = - #define TYPECLASSBUF (TYPECLASSLEN + 1) - #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d" - #define ATTRIBUTESIZE 256 --#define DIRNAMESIZE 256 -+#define DIRNAMESIZE 512 - - static struct cc { - struct cc *next; --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch deleted file mode 100644 index 1ed858cd3f..0000000000 --- a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Wed, 16 Sep 2015 20:23:47 -0700 -Subject: [PATCH] lib/dns/gen.c: fix too long error - -The 512 is a little short when build in deep dir, and cause "too long" -error, use PATH_MAX if defined. - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> ---- - lib/dns/gen.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/dns/gen.c b/lib/dns/gen.c -index 51a0435..3d7214f 100644 ---- a/lib/dns/gen.c -+++ b/lib/dns/gen.c -@@ -148,7 +148,11 @@ static const char copyright[] = - #define TYPECLASSBUF (TYPECLASSLEN + 1) - #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d" - #define ATTRIBUTESIZE 256 -+#ifdef PATH_MAX -+#define DIRNAMESIZE PATH_MAX -+#else - #define DIRNAMESIZE 512 -+#endif - - static struct cc { - struct cc *next; --- -1.7.9.5 - diff --git a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch new file mode 100644 index 0000000000..75908aa638 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch @@ -0,0 +1,34 @@ +From a3af4a405baf5ff582e82aaba392dd9667d94bdc Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Mon, 27 Aug 2018 21:24:20 +0800 +Subject: [PATCH] `named/lwresd -V' and start log hide build options + +The build options expose build path directories, so hide them. +[snip] +$ named -V +|built by make with *** (options are hidden) +[snip] + +Upstream-Status: Inappropriate [oe-core specific] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + bin/named/include/named/globals.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h +index ba3457e..7741da7 100644 +--- a/bin/named/include/named/globals.h ++++ b/bin/named/include/named/globals.h +@@ -68,7 +68,7 @@ EXTERN const char * ns_g_version INIT(VERSION); + EXTERN const char * ns_g_product INIT(PRODUCT); + EXTERN const char * ns_g_description INIT(DESCRIPTION); + EXTERN const char * ns_g_srcid INIT(SRCID); +-EXTERN const char * ns_g_configargs INIT(CONFIGARGS); ++EXTERN const char * ns_g_configargs INIT("*** (options are hidden)"); + EXTERN const char * ns_g_builder INIT(BUILDER); + EXTERN in_port_t ns_g_port INIT(0); + EXTERN isc_dscp_t ns_g_dscp INIT(-1); +-- +2.7.4 + diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch deleted file mode 100644 index 2149bd180d..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Thu, 18 Feb 2016 12:11:27 +1100 -Subject: [PATCH] 4318. [security] Malformed control messages can - trigger assertions in named and rndc. (CVE-2016-1285) - [RT #41666] - -(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) - -CVE: CVE-2016-1285 -Upstream-Status: Backport -[Removed doc/arm/notes.xml changes from upstream patch] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - CHANGES | 3 +++ - bin/named/control.c | 2 +- - bin/named/controlconf.c | 2 +- - bin/rndc/rndc.c | 8 ++++---- - doc/arm/notes.xml | 11 +++++++++++ - lib/isccc/cc.c | 14 +++++++------- - 6 files changed, 27 insertions(+), 13 deletions(-) - -diff --git a/CHANGES b/CHANGES -index b9bd9ef..2c727d5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4318. [security] Malformed control messages can trigger assertions -+ in named and rndc. (CVE-2016-1285) [RT #41666] -+ - --- 9.10.3-P3 released --- - - 4288. [bug] Fixed a regression in resolver.c:possibly_mark() -diff --git a/bin/named/control.c b/bin/named/control.c -index 8554335..81340ca 100644 ---- a/bin/named/control.c -+++ b/bin/named/control.c -@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { - #endif - - data = isccc_alist_lookup(message, "_data"); -- if (data == NULL) { -+ if (!isccc_alist_alistp(data)) { - /* - * No data section. - */ -diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 765afdd..a39ab8b 100644 ---- a/bin/named/controlconf.c -+++ b/bin/named/controlconf.c -@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - * Limit exposure to replay attacks. - */ - _ctrl = isccc_alist_lookup(request, "_ctrl"); -- if (_ctrl == NULL) { -+ if (!isccc_alist_alistp(_ctrl)) { - log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup_request; - } -diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index cb17050..b6e05c8 100644 ---- a/bin/rndc/rndc.c -+++ b/bin/rndc/rndc.c -@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - data = isccc_alist_lookup(response, "_data"); -- if (data == NULL) -- fatal("no data section in response"); -+ if (!isccc_alist_alistp(data)) -+ fatal("bad or missing data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; -@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - _ctrl = isccc_alist_lookup(response, "_ctrl"); -- if (_ctrl == NULL) -- fatal("_ctrl section missing"); -+ if (!isccc_alist_alistp(_ctrl)) -+ fatal("bad or missing ctrl section in response"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 47a3b74..2bb961e 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - * Extract digest. - */ - _auth = isccc_alist_lookup(alist, "_auth"); -- if (_auth == NULL) -+ if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - if (algorithm == ISCCC_ALG_HMACMD5) - hmac = isccc_alist_lookup(_auth, "hmd5"); - else - hmac = isccc_alist_lookup(_auth, "hsha"); -- if (hmac == NULL) -+ if (!isccc_sexpr_binaryp(hmac)) - return (ISC_R_FAILURE); - /* - * Compute digest. -@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, - REQUIRE(ackp != NULL && *ackp == NULL); - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, - - _ctrl = isccc_alist_lookup(message, "_ctrl"); - _data = isccc_alist_lookup(message, "_data"); -- if (_ctrl == NULL || _data == NULL || -+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch deleted file mode 100644 index ae5cc48d9c..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch +++ /dev/null @@ -1,79 +0,0 @@ -From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 -From: Mukund Sivaraman <muks@isc.org> -Date: Mon, 22 Feb 2016 12:22:43 +0530 -Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling - (CVE-2016-1286) (#41753) - -(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -[Removed doc/arm/notes.xml changes from upstream patch.] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- -diff -ruN a/CHANGES b/CHANGES ---- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 -+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 -@@ -1,3 +1,7 @@ -+4319. [security] Fix resolver assertion failure due to improper -+ DNAME handling when parsing fetch reply messages. -+ (CVE-2016-1286) [RT #41753] -+ - 4318. [security] Malformed control messages can trigger assertions - in named and rndc. (CVE-2016-1285) [RT #41666] - -diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c ---- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 -+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 -@@ -6967,21 +6967,26 @@ - isc_boolean_t found_dname = ISC_FALSE; - dns_name_t *dname_name; - -+ /* -+ * Only pass DNAME or RRSIG(DNAME). -+ */ -+ if (rdataset->type != dns_rdatatype_dname && -+ (rdataset->type != dns_rdatatype_rrsig || -+ rdataset->covers != dns_rdatatype_dname)) -+ continue; -+ -+ /* -+ * If we're not chaining, then the DNAME and -+ * its signature should not be external. -+ */ -+ if (!chaining && external) { -+ log_formerr(fctx, "external DNAME"); -+ return (DNS_R_FORMERR); -+ } -+ - found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- /* -- * We're looking for something else, -- * but we found a DNAME. -- * -- * If we're not chaining, then the -- * DNAME should not be external. -- */ -- if (!chaining && external) { -- log_formerr(fctx, -- "external DNAME"); -- return (DNS_R_FORMERR); -- } - found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); -@@ -7010,9 +7015,7 @@ - &fctx->domain)) { - return (DNS_R_SERVFAIL); - } -- } else if (rdataset->type == dns_rdatatype_rrsig -- && rdataset->covers == -- dns_rdatatype_dname) { -+ } else { - /* - * We've found a signature that - * covers the DNAME. diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch deleted file mode 100644 index 5f5cb0d340..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch +++ /dev/null @@ -1,317 +0,0 @@ -From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Mon, 29 Feb 2016 07:16:48 +1100 -Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion - failure due to improper DNAME handling when parsing - fetch reply messages. (CVE-2016-1286) [RT #41753] - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- - 1 file changed, 93 insertions(+), 99 deletions(-) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 70aba87..41e9df4 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - } - - static inline isc_result_t --dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, -- dns_name_t *oname, dns_fixedname_t *fixeddname) -+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, -+ unsigned int nlabels, dns_fixedname_t *fixeddname) - { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; -- unsigned int nlabels; -- int order; -- dns_namereln_t namereln; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - -@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, - if (result != ISC_R_SUCCESS) - return (result); - -- /* -- * Get the prefix of qname. -- */ -- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); -- if (namereln != dns_namereln_subdomain) { -- char qbuf[DNS_NAME_FORMATSIZE]; -- char obuf[DNS_NAME_FORMATSIZE]; -- -- dns_rdata_freestruct(&dname); -- dns_name_format(qname, qbuf, sizeof(qbuf)); -- dns_name_format(oname, obuf, sizeof(obuf)); -- log_formerr(fctx, "unrelated DNAME in answer: " -- "%s is not in %s", qbuf, obuf); -- return (DNS_R_FORMERR); -- } - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - dns_fixedname_init(fixeddname); -@@ -6736,13 +6718,13 @@ static isc_result_t - answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; -- dns_name_t *name, *qname, tname, *ns_name; -+ dns_name_t *name, *dname, *qname, tname, *ns_name; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; - unsigned int aflag; - dns_rdatatype_t type; -- dns_fixedname_t dname, fqname; -+ dns_fixedname_t fdname, fqname; - dns_view_t *view; - - FCTXTRACE("answer_response"); -@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) { - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -+ dns_namereln_t namereln; -+ int order; -+ unsigned int nlabels; -+ - name = NULL; - dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); -- if (dns_name_equal(name, qname)) { -+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) { - */ - INSIST(!external); - if (aflag == -- DNS_RDATASETATTR_ANSWER) -+ DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_ANSWER; -+ name->attributes |= -+ DNS_NAMEATTR_ANSWER; -+ } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = -@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) { - if (wanted_chaining) - chaining = ISC_TRUE; - } else { -+ dns_rdataset_t *dnameset = NULL; -+ - /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. -@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -- rdataset = ISC_LIST_NEXT(rdataset, link)) { -- isc_boolean_t found_dname = ISC_FALSE; -- dns_name_t *dname_name; -- -+ rdataset = ISC_LIST_NEXT(rdataset, link)) -+ { - /* - * Only pass DNAME or RRSIG(DNAME). - */ -@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) { - * its signature should not be external. - */ - if (!chaining && external) { -- log_formerr(fctx, "external DNAME"); -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(name, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(&fctx->domain, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "external DNAME or " -+ "RRSIG covering DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); -+ return (DNS_R_FORMERR); -+ } -+ -+ if (namereln != dns_namereln_subdomain) { -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(qname, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(name, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "unrelated DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - -- found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(fctx, rdataset, -- qname, name, -- &dname); -+ result = dname_target(rdataset, qname, -+ nlabels, &fdname); - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the -@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) { - } else if (result != ISC_R_SUCCESS) - return (result); - else -- found_dname = ISC_TRUE; -+ dnameset = rdataset; - -- dname_name = dns_fixedname_name(&dname); -+ dname = dns_fixedname_name(&fdname); - if (!is_answertarget_allowed(view, -- qname, -- rdataset->type, -- dname_name, -- &fctx->domain)) { -+ qname, rdataset->type, -+ dname, &fctx->domain)) { - return (DNS_R_SERVFAIL); - } - } else { -@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) { - * We've found a signature that - * covers the DNAME. - */ -- found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - -- if (found) { -+ /* -+ * We've found an answer to our -+ * question. -+ */ -+ name->attributes |= DNS_NAMEATTR_CACHE; -+ rdataset->attributes |= DNS_RDATASETATTR_CACHE; -+ rdataset->trust = dns_trust_answer; -+ if (!chaining) { - /* -- * We've found an answer to our -- * question. -+ * This data is "the" answer to -+ * our question only if we're -+ * not chaining. - */ -- name->attributes |= -- DNS_NAMEATTR_CACHE; -- rdataset->attributes |= -- DNS_RDATASETATTR_CACHE; -- rdataset->trust = dns_trust_answer; -- if (!chaining) { -- /* -- * This data is "the" answer -- * to our question only if -- * we're not chaining. -- */ -- INSIST(!external); -- if (aflag == -- DNS_RDATASETATTR_ANSWER) -- have_answer = ISC_TRUE; -+ INSIST(!external); -+ if (aflag == DNS_RDATASETATTR_ANSWER) { -+ have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; -- rdataset->attributes |= aflag; -- if (aa) -- rdataset->trust = -- dns_trust_authanswer; -- } else if (external) { -- rdataset->attributes |= -- DNS_RDATASETATTR_EXTERNAL; -- } -- -- /* -- * DNAME chaining. -- */ -- if (found_dname) { -- /* -- * Copy the dname into the -- * qname fixed name. -- * -- * Although we check for -- * failure of the copy -- * operation, in practice it -- * should never fail since -- * we already know that the -- * result fits in a fixedname. -- */ -- dns_fixedname_init(&fqname); -- result = dns_name_copy( -- dns_fixedname_name(&dname), -- dns_fixedname_name(&fqname), -- NULL); -- if (result != ISC_R_SUCCESS) -- return (result); -- wanted_chaining = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_CHAINING; -- rdataset->attributes |= -- DNS_RDATASETATTR_CHAINING; -- qname = dns_fixedname_name( -- &fqname); - } -+ rdataset->attributes |= aflag; -+ if (aa) -+ rdataset->trust = -+ dns_trust_authanswer; -+ } else if (external) { -+ rdataset->attributes |= -+ DNS_RDATASETATTR_EXTERNAL; - } - } -+ -+ /* -+ * DNAME chaining. -+ */ -+ if (dnameset != NULL) { -+ /* -+ * Copy the dname into the qname fixed name. -+ * -+ * Although we check for failure of the copy -+ * operation, in practice it should never fail -+ * since we already know that the result fits -+ * in a fixedname. -+ */ -+ dns_fixedname_init(&fqname); -+ qname = dns_fixedname_name(&fqname); -+ result = dns_name_copy(dname, qname, NULL); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ wanted_chaining = ISC_TRUE; -+ name->attributes |= DNS_NAMEATTR_CHAINING; -+ dnameset->attributes |= -+ DNS_RDATASETATTR_CHAINING; -+ } - if (wanted_chaining) - chaining = ISC_TRUE; - } --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch deleted file mode 100644 index 1b84d46b78..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch +++ /dev/null @@ -1,247 +0,0 @@ -CVE-2016-2088 - -Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the -v9_10_3_patch branch. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088 -https://kb.isc.org/article/AA-01351 - -CVE: CVE-2016-2088 -Upstream-Status: Backport -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> - - -Original commit message from Mark Andrews <marka@isc.org> below: - -4322. [security] Duplicate EDNS COOKIE options in a response could - trigger an assertion failure. (CVE-2016-2088) - [RT #41809] - -(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) -(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) ---- - CHANGES | 4 ++++ - bin/dig/dighost.c | 9 +++++++++ - bin/named/client.c | 33 +++++++++++++++++++++++---------- - doc/arm/notes.xml | 7 +++++++ - lib/dns/resolver.c | 14 +++++++++++++- - 5 files changed, 56 insertions(+), 11 deletions(-) - -diff --git a/CHANGES b/CHANGES -index c5b5d2b..d2e3360 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4322. [security] Duplicate EDNS COOKIE options in a response could -+ trigger an assertion failure. (CVE-2016-2088) -+ [RT #41809] -+ - 4319. [security] Fix resolver assertion failure due to improper - DNAME handling when parsing fetch reply messages. - (CVE-2016-1286) [RT #41753] -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ca82f8e..340904f 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - isc_buffer_t optbuf; - isc_uint16_t optcode, optlen; - dns_rdataset_t *opt = msg->opt; -+ isc_boolean_t seen_cookie = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. -+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - process_sit(l, msg, &optbuf, optlen); -+ seen_cookie = ISC_TRUE; - break; - default: - isc_buffer_forward(&optbuf, optlen); -diff --git a/bin/named/client.c b/bin/named/client.c -index 683305c..0d7331a 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -120,7 +120,10 @@ - */ - #endif - --#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ -+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ -+ -+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) -+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) - - /*% nameserver client manager structure */ - struct ns_clientmgr { -@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - { - char nsid[BUFSIZ], *nsidp; - #ifdef ISC_PLATFORM_USESIT -- unsigned char sit[SIT_SIZE]; -+ unsigned char sit[COOKIE_SIZE]; - #endif - isc_result_t result; - dns_view_t *view; -@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; - - /* Set EDNS options if applicable */ -- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && -+ if (WANTNSID(client) && - (ns_g_server->server_id != NULL || - ns_g_server->server_usehostname)) { - if (ns_g_server->server_usehostname) { -@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - - INSIST(count < DNS_EDNSOPTIONS); - ednsopts[count].code = DNS_OPT_COOKIE; -- ednsopts[count].length = SIT_SIZE; -+ ednsopts[count].length = COOKIE_SIZE; - ednsopts[count].value = sit; - count++; - } -@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, - - static void - process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { -- unsigned char dbuf[SIT_SIZE]; -+ unsigned char dbuf[COOKIE_SIZE]; - unsigned char *old; - isc_stdtime_t now; - isc_uint32_t when; - isc_uint32_t nonce; - isc_buffer_t db; - -+ /* -+ * If we have already seen a ECS option skip this ECS option. -+ */ -+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { -+ isc_buffer_forward(buf, optlen); -+ return; -+ } - client->attributes |= NS_CLIENTATTR_WANTSIT; - - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitopt); - -- if (optlen != SIT_SIZE) { -+ if (optlen != COOKIE_SIZE) { - /* - * Not our token. - */ -@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { - isc_buffer_init(&db, dbuf, sizeof(dbuf)); - compute_sit(client, when, nonce, &db); - -- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) { -+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitnomatch); - return; - } - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitmatch); -- - client->attributes |= NS_CLIENTATTR_HAVESIT; - } - #endif -@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_NSID: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTNSID(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_nsidopt); - client->attributes |= NS_CLIENTATTR_WANTNSID; - isc_buffer_forward(&optbuf, optlen); -@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - break; - #endif - case DNS_OPT_EXPIRE: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTEXPIRE(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_expireopt); - client->attributes |= NS_CLIENTATTR_WANTEXPIRE; - isc_buffer_forward(&optbuf, optlen); -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ebf4f55..095eb5b 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -51,6 +51,13 @@ - <title>Security Fixes</title> - <itemizedlist> - <listitem> -+ <para> -+ Duplicate EDNS COOKIE options in a response could trigger -+ an assertion failure. This flaw is disclosed in CVE-2016-2088. -+ [RT #41809] -+ </para> -+ </listitem> -+ <listitem> - <para> - Specific APL data could trigger an INSIST. This flaw - was discovered by Brian Mitchell and is disclosed in -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index a797e3f..ba1ae23 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - unsigned char *sit; - dns_adbaddrinfo_t *addrinfo; - unsigned char cookie[8]; -+ isc_boolean_t seen_cookie = ISC_FALSE; - #endif -+ isc_boolean_t seen_nsid = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); - switch (optcode) { - case DNS_OPT_NSID: -- if (query->options & DNS_FETCHOPT_WANTNSID) -+ if (!seen_nsid && -+ query->options & DNS_FETCHOPT_WANTNSID) - log_nsid(&optbuf, optlen, query, - ISC_LOG_DEBUG(3), - query->fctx->res->mctx); - isc_buffer_forward(&optbuf, optlen); -+ seen_nsid = ISC_TRUE; - break; - #ifdef ISC_PLATFORM_USESIT - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. -+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - sit = isc_buffer_current(&optbuf); - compute_cc(query, cookie, sizeof(cookie)); - INSIST(query->fctx->rmessage->sitbad == 0 && -@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - isc_buffer_forward(&optbuf, optlen); - inc_stats(query->fctx->res, - dns_resstatscounter_sitin); -+ seen_cookie = ISC_TRUE; - break; - #endif - default: --- -2.1.4 - diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch deleted file mode 100644 index 096d5d84fc..0000000000 --- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9b40619ff6fddfef2758ba797789f8487f412df3 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Mon, 16 Feb 2015 00:50:01 -0800 -Subject: [PATCH] confgen: don't build unix.o twice - -Fixed: -unix/os.o: file not recognized: File truncated -collect2: error: ld returned 1 exit status - -This is because os.o was built twice: -* The implicity rule (depends on unix/os.o) -* The "make all" in unix subdir (depends on unix/os.o) - -Depend on subdirs which is unix only rather than unix/os.o will fix the -problem. - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> ---- - bin/confgen/Makefile.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 8b3e5aa..4868a24 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c - ddns-confgen.@O@: ddns-confgen.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c - --rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} -+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) - export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ - ${FINALBUILDCMD} - --ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} -+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) - export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ - ${FINALBUILDCMD} - --- -1.7.9.5 - diff --git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index 13df3bb0e9..84559e5f37 100644 --- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch @@ -1,4 +1,4 @@ -From 9473d29843579802e96b0293a3e953fed93de82c Mon Sep 17 00:00:00 2001 +From edda20fb5a6e88548f85e39d34d6c074306e15bc Mon Sep 17 00:00:00 2001 From: Paul Gortmaker <paul.gortmaker@windriver.com> Date: Tue, 9 Jun 2015 11:22:00 -0400 Subject: [PATCH] bind: ensure searching for json headers searches sysroot @@ -27,15 +27,16 @@ to make use of the combination some day. Upstream-Status: Inappropriate [OE Specific] Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + --- - configure.in | 2 +- + configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/configure.in b/configure.in -index c9ef3a601343..17a1f613e9ac 100644 ---- a/configure.in -+++ b/configure.in -@@ -2139,7 +2139,7 @@ case "$use_libjson" in +diff --git a/configure.ac b/configure.ac +index 17392fd..e85a5c6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2449,7 +2449,7 @@ case "$use_libjson" in libjson_libs="" ;; auto|yes) @@ -44,6 +45,3 @@ index c9ef3a601343..17a1f613e9ac 100644 do if test -f "${d}/include/json/json.h" then --- -2.4.2 - diff --git a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch deleted file mode 100644 index b02ecb1061..0000000000 --- a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch +++ /dev/null @@ -1,17 +0,0 @@ -Upstream-Status: Pending - -Signed-off-by: Saul Wold <sgw@linux.intel.com> - -Index: bind-9.9.5/bin/Makefile.in -=================================================================== ---- bind-9.9.5.orig/bin/Makefile.in -+++ bind-9.9.5/bin/Makefile.in -@@ -19,7 +19,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ -+SUBDIRS = named rndc dig delv dnssec tools nsupdate \ - check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ - TARGETS = - diff --git a/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh index db201270fa..ef915c0ae5 100644 --- a/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh +++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh @@ -3,5 +3,6 @@ if [ ! -s /etc/bind/rndc.key ]; then echo -n "Generating /etc/bind/rndc.key:" /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom + chown root:bind /etc/bind/rndc.key chmod 0640 /etc/bind/rndc.key fi diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff deleted file mode 100644 index 2930796b6a..0000000000 --- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff +++ /dev/null @@ -1,104 +0,0 @@ -bind: port a patch to fix a build failure - -mips1 does not support ll and sc instructions, and lead to below error, now -we port a patch from debian to fix it -[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz] - -| {standard input}: Assembler messages: -| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)' -| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)' - -Upstream-Status: Pending - -Signed-off-by: Roy Li <rongqing.li@windriver.com> - ---- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h -+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h -@@ -31,18 +31,20 @@ - isc_atomic_xadd(isc_int32_t *p, int val) { - isc_int32_t orig; - -- /* add is a cheat, since MIPS has no mov instruction */ -- __asm__ volatile ( -- "1:" -- "ll $3, %1\n" -- "add %0, $0, $3\n" -- "add $3, $3, %2\n" -- "sc $3, %1\n" -- "beq $3, 0, 1b" -- : "=&r"(orig) -- : "m"(*p), "r"(val) -- : "memory", "$3" -- ); -+ __asm__ __volatile__ ( -+ " .set push \n" -+ " .set mips2 \n" -+ " .set noreorder \n" -+ " .set noat \n" -+ "1: ll $1, %1 \n" -+ " addu %0, $1, %2 \n" -+ " sc %0, %1 \n" -+ " beqz %0, 1b \n" -+ " move %0, $1 \n" -+ " .set pop \n" -+ : "=&r" (orig), "+R" (*p) -+ : "r" (val) -+ : "memory"); - - return (orig); - } -@@ -52,16 +54,7 @@ - */ - static inline void - isc_atomic_store(isc_int32_t *p, isc_int32_t val) { -- __asm__ volatile ( -- "1:" -- "ll $3, %0\n" -- "add $3, $0, %1\n" -- "sc $3, %0\n" -- "beq $3, 0, 1b" -- : -- : "m"(*p), "r"(val) -- : "memory", "$3" -- ); -+ *p = val; - } - - /* -@@ -72,20 +65,23 @@ - static inline isc_int32_t - isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { - isc_int32_t orig; -+ isc_int32_t tmp; - -- __asm__ volatile( -- "1:" -- "ll $3, %1\n" -- "add %0, $0, $3\n" -- "bne $3, %2, 2f\n" -- "add $3, $0, %3\n" -- "sc $3, %1\n" -- "beq $3, 0, 1b\n" -- "2:" -- : "=&r"(orig) -- : "m"(*p), "r"(cmpval), "r"(val) -- : "memory", "$3" -- ); -+ __asm__ __volatile__ ( -+ " .set push \n" -+ " .set mips2 \n" -+ " .set noreorder \n" -+ " .set noat \n" -+ "1: ll $1, %1 \n" -+ " bne $1, %3, 2f \n" -+ " move %2, %4 \n" -+ " sc %2, %1 \n" -+ " beqz %2, 1b \n" -+ "2: move %0, $1 \n" -+ " .set pop \n" -+ : "=&r"(orig), "+R" (*p), "=r" (tmp) -+ : "r"(cmpval), "r"(val) -+ : "memory"); - - return (orig); - } |