diff options
Diffstat (limited to 'meta-networking/recipes-support/dnsmasq')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch | 63 | ||||
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch new file mode 100644 index 0000000000..dd3bd27408 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch @@ -0,0 +1,63 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] +CVE: CVE-2023-28450 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + CHANGELOG | 8 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d1d7e41..7a560d3 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -91,6 +91,14 @@ version 2.81 + Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index f2803f9..3cca4bc 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max=<size> + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port=<query_port> + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 54f6f48..29ac3e7 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.18.2 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 8db57edb79..f2b8feac56 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -12,4 +12,5 @@ SRC_URI += "\ file://CVE-2020-25686-2.patch \ file://CVE-2021-3448.patch \ file://CVE-2022-0934.patch \ + file://CVE-2023-28450.patch \ " |