[OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Thu Oct 1 06:19:59 EDT 2015


This patch stops SIGHUP from enabling dnssec timechecks if they are disabled by
use of the --dnssec-no-timecheck option.  --dnssec-timestamp continues to
work correctly.

Enabling dnssec timechecks now requires restarting dnsmasq without
the --dnssec-no-timecheck configuration option and closes a
potential denial-of-service exploit by sending SIGHUP when system
time does not correspond with Internet time.

This change may be useful for future ntpd/dnsmasq hotplug integration.


Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
 .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch  | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch

diff --git a/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch b/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch
new file mode 100644
index 0000000..2ea1ee8
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch
@@ -0,0 +1,13 @@
+Index: dnsmasq-2.75/src/dnsmasq.c
+===================================================================
+--- dnsmasq-2.75.orig/src/dnsmasq.c	2015-07-30 20:59:07.000000000 +0100
++++ dnsmasq-2.75/src/dnsmasq.c	2015-10-01 10:47:38.832034041 +0100
+@@ -1054,7 +1054,7 @@
+       int event, errsave = errno;
+       
+       if (sig == SIGHUP)
+-	event = EVENT_RELOAD;
++	event = EVENT_INIT;
+       else if (sig == SIGCHLD)
+ 	event = EVENT_CHILD;
+       else if (sig == SIGALRM)
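Review bot: the line `+	event = EVENT_INIT;` re-maps the whole SIGHUP signal rather than suppressing only the timecheck enable, so after this patch SIGHUP takes every code path EVENT_INIT takes and skips every path that was EVENT_RELOAD-only, not just the DNSSEC timecheck enable the commit message describes; none of that event handling is visible in this hunk, so the reviewer cannot confirm the timecheck enable is the only difference. A narrower fix would keep `event = EVENT_RELOAD;` here and guard the timecheck-enable branch in the reload handler instead, which limits the change to the behaviour stated in the commit message. Either way, the new patch file carries no header text and the assignment gets no comment, so a reader of the patched dnsmasq-2.75 source sees SIGHUP mapped to an init event with no explanation; a one-line comment above the assignment and a short description at the top of 220-dnssec-disable-timecheck-hup.patch stating that OpenWrt deliberately diverges from upstream's SIGHUP behaviour (timechecks now only re-enable on restart without --dnssec-no-timecheck) would prevent the mapping from being "corrected" back later.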
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel