This patch stops SIGHUP from enabling dnssec timechecks if disabled by use of the --dnssec-no-timecheck option. --dnssec-timestamp continues to work correctly.
Enabling dnssec timechecks now requires restarting dnsmasq without the --dnssec-no-timecheck configuration option and closes a potential denial of service exploit by sending SIGHUP when system time does not correspond with Internet time. This change may be useful for future ntpd/dnsmasq hotplug integration. Signed-off-by: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> --- .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch diff --git a/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch b/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch new file mode 100644 index 0000000..2ea1ee8 --- /dev/null +++ b/package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch @@ -0,0 +1,13 @@ +Index: dnsmasq-2.75/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.75.orig/src/dnsmasq.c 2015-07-30 20:59:07.000000000 +0100 ++++ dnsmasq-2.75/src/dnsmasq.c 2015-10-01 10:47:38.832034041 +0100 +@@ -1054,7 +1054,7 @@ + int event, errsave = errno; + + if (sig == SIGHUP) +- event = EVENT_RELOAD; ++ event = EVENT_INIT; + else if (sig == SIGCHLD) + event = EVENT_CHILD; + else if (sig == SIGALRM) -- 1.9.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
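Review bot: the hunk at src/dnsmasq.c line 1054 swaps `event = EVENT_RELOAD;` for `event = EVENT_INIT;` unconditionally, so SIGHUP no longer produces a reload event at all, not only for builds or configurations that use --dnssec-no-timecheck; any other handling keyed on EVENT_RELOAD is lost with it, which the description does not discuss. A narrower fix would keep `event = EVENT_RELOAD;` here and instead gate the timecheck re-enable on the option in the EVENT_RELOAD handler, so that hosts not using --dnssec-no-timecheck keep the documented SIGHUP behaviour. At minimum, add a comment beside the changed line explaining why SIGHUP now maps to EVENT_INIT, and note in the patch header that SIGHUP no longer turns on signature timestamp checking, since that is a user-visible change from what the dnsmasq option documentation describes.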