From ee3f26bb3d989c68868800321a228208d4892ade Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 21 Oct 2020 10:56:51 +0200
Subject: [PATCH 01/15] Add verbosity to debug occasional missing q1-10.example.net, from timer.
---
 testdata/dnstap.tdir/dnstap.pre | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testdata/dnstap.tdir/dnstap.pre b/testdata/dnstap.tdir/dnstap.pre
index 95216949c..6561d77e9 100644
--- a/testdata/dnstap.tdir/dnstap.pre
+++ b/testdata/dnstap.tdir/dnstap.pre
@@ -45,7 +45,7 @@ fi
 # make config file
 sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < dnstap.conf > ub.conf
 # start unbound in the background
-$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+$PRE/unbound -d -c ub.conf -vvvv >unbound.log 2>&1 &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
From 7c39cbc0a9a5917f3e1e4e6e5ab773364c563d21 Mon Sep 17 00:00:00 2001
From: George Thessalonikefs
Date: Wed, 21 Oct 2020 16:45:18 +0200
Subject: [PATCH 02/15] - Fix #327: net/if.h check fails on some darwin versions; contribution by Joshua Root.
---
 configure | 30 +++++++++++++++++++++++++++++-
 configure.ac | 18 +++++++++++++++++-
 doc/Changelog | 4 ++++
 3 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index 9a96bb232..3e5e562ae 100755
--- a/configure
+++ b/configure
@@ -14745,7 +14745,7 @@ $as_echo "no" >&6; } fi # Checks for header files. -for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h +for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -14759,6 +14759,34 @@ fi done +# net/if.h portability for Darwin see: +# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html +for ac_header in net/if.h +do : + ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" " +#include +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif +#ifdef HAVE_SYS_SOCKET_H +# include +#endif + +" +if test "x$ac_cv_header_net_if_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NET_IF_H 1 +_ACEOF + +fi + +done + # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH for ac_header in TargetConditionals.h diff --git a/configure.ac b/configure.ac index 2bd44353d..b4caa37dd 100644 --- a/configure.ac +++ b/configure.ac 
@@ -400,7 +400,23 @@ ACX_LIBTOOL_C_ONLY PKG_PROG_PKG_CONFIG # Checks for header files. -AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT]) +# net/if.h portability for Darwin see: +# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html +AC_CHECK_HEADERS([net/if.h],,, [ +#include +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif +#ifdef HAVE_SYS_SOCKET_H +# include +#endif +]) # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH AC_CHECK_HEADERS([TargetConditionals.h]) diff --git a/doc/Changelog b/doc/Changelog index b7e5928ca..9d484a96d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +21 October 2020: George + - Fix #327: net/if.h check fails on some darwin versions; contribution by + Joshua Root. + 21 October 2020: Wouter - Merge PR #228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are From 0272889c44139b187ba1b0bc681c81b4894f8956 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Wed, 21 Oct 2020 17:44:04 +0200 Subject: [PATCH 03/15] - Fix #320: potential memory corruption due to size miscomputation upton custom region alloc init. --- doc/Changelog | 2 ++ util/regional.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/doc/Changelog b/doc/Changelog
index 9d484a96d..d3aa5d2ad 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 21 October 2020: George
 - Fix #327: net/if.h check fails on some darwin versions; contribution by
 Joshua Root.
+ - Fix #320: potential memory corruption due to size miscomputation upton
+ custom region alloc init.
 21 October 2020: Wouter
 - Merge PR #228 : infra-keep-probing option to probe hosts that are
diff --git a/util/regional.c b/util/regional.c
index 01a042b61..bd67ecf50 100644
--- a/util/regional.c
+++ b/util/regional.c
@@ -89,8 +89,9 @@ regional_init(struct regional* r)
 static struct regional*
 regional_create_custom_large_object(size_t size, size_t large_object_size)
 {
- struct regional* r = (struct regional*)malloc(size);
+ struct regional* r;
 size = ALIGN_UP(size, ALIGNMENT);
+ r = (struct regional*)malloc(size);
 log_assert(sizeof(struct regional) <= size);
 if(!r) return NULL;
 r->first_size = size;
From ca39cfd6ae73e3c97dd2a21f62b5134994e4b146 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 22 Oct 2020 08:47:40 +0200
Subject: [PATCH 04/15] - Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod.
---
 doc/Changelog | 4 ++++
 pythonmod/interface.i | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index d3aa5d2ad..776643c46 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+22 October 2020: Wouter
+ - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
+ Python Mod.
+
 21 October 2020: George
 - Fix #327: net/if.h check fails on some darwin versions; contribution by
 Joshua Root.
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index 71f2bf774..cbee4f714 100644
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
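Review bot: `log_assert(sizeof(struct regional) <= size)` is still evaluated after `malloc(size)`, so an undersized custom `size` has already produced a too-small block when it is checked, and if log_assert is compiled out in non-debug builds (not visible here) `r->first_size = size` and the field writes that follow overrun the allocation. Check before allocating and fail cleanly: `if(size < sizeof(struct regional)) return NULL;` right after `size = ALIGN_UP(size, ALIGNMENT);`. `ALIGN_UP` is defined outside the hunk; if it is a plain add-and-mask it wraps for sizes near SIZE_MAX and yields a small block, so the same guard should also reject a rounded value that is smaller than the input. regional_create_custom_large_object continues outside the hunk.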
@@ -1413,6 +1413,19 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
 /******************************
 * Various debugging functions *
 ******************************/
+
+/* rename the variadic functions because python does the formatting already*/
+%rename (unbound_log_info) log_info;
+%rename (unbound_log_err) log_err;
+%rename (unbound_log_warn) log_warn;
+%rename (unbound_verbose) verbose;
+/* provide functions that take one string as argument, so python can cook
+the string */
+%rename (log_info) pymod_log_info;
+%rename (log_warn) pymod_log_warn;
+%rename (log_err) pymod_log_err;
+%rename (verbose) pymod_verbose;
+
 void verbose(enum verbosity_value level, const char* format, ...);
 void log_info(const char* format, ...);
 void log_err(const char* format, ...);
@@ -1422,6 +1435,19 @@ void log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* r
 void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf);
 void regional_log_stats(struct regional *r);
+/* the one argument string log functions */
+void pymod_log_info(const char* str);
+void pymod_log_err(const char* str);
+void pymod_log_warn(const char* str);
+void pymod_verbose(enum verbosity_value level, const char* str);
+%{
+void pymod_log_info(const char* str) { log_info("%s", str); }
+void pymod_log_err(const char* str) { log_err("%s", str); }
+void pymod_log_warn(const char* str) { log_warn("%s", str); }
+void pymod_verbose(enum verbosity_value level, const char* str) {
+ verbose(level, "%s", str); }
+%}
+
 /***************************************************************************
 * Free allocated memory from marked sources returning corresponding types *
 ***************************************************************************/
From 4990dae87d6c28c8b2323d353ceca8489a3c4ca9 Mon Sep 17 00:00:00 2001
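Review bot: The variadic originals survive under the new names `unbound_log_info`, `unbound_log_err`, `unbound_log_warn` and `unbound_verbose`, so a Python caller that hands them an interpolated message presumably hits the same format-string crash this patch fixes for `log_info`; either stop exporting them (SWIG `%ignore` instead of `%rename`) or extend the rename comment to say they take a printf format and must only be called with a literal. The one-string wrappers in the `%{ %}` block are the right shape, since `log_info("%s", str)` never interprets `str` as a format. The second rename comment is split mid-sentence across two lines; `/* one-string variants, so python formats the message itself */` reads better.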
From: "W.C.A. Wijngaards" Date: Thu, 22 Oct 2020 09:26:27 +0200 Subject: [PATCH 05/15] - Fix that minimal-responses does not remove addresses from a priming query response. --- doc/Changelog | 2 ++ util/data/msgencode.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 776643c46..1201081d2 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 22 October 2020: Wouter - Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod. + - Fix that minimal-responses does not remove addresses from a priming + query response. 21 October 2020: George - Fix #327: net/if.h check fails on some darwin versions; contribution by diff --git a/util/data/msgencode.c b/util/data/msgencode.c index be69f628a..1746cfbb8 100644 --- a/util/data/msgencode.c +++ b/util/data/msgencode.c @@ -624,6 +624,9 @@ positive_answer(struct reply_info* rep, uint16_t qtype) { for(i=0;ian_numrrsets; i++) { if(ntohs(rep->rrsets[i]->rk.type) == qtype) { + /* for priming queries, type NS, include addresses */ + if(qtype == LDNS_RR_TYPE_NS) + return 0; /* in case it is a wildcard with DNSSEC, there will * be NSEC/NSEC3 records in the authority section * that we cannot remove */ From d104727c911cc6147bdec458831c606ecc853da6 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 27 Oct 2020 09:00:26 +0100 Subject: [PATCH 06/15] - In man page note that tls-cert-bundle is read before permission drop and chroot. --- doc/Changelog | 4 ++++ doc/unbound.conf.5.in | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 1201081d2..181aaad05 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +27 October 2020: Wouter + - In man page note that tls-cert-bundle is read before permission + drop and chroot. + 22 October 2020: Wouter - Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod. 
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 0b73480aa..84805f90f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -522,7 +522,8 @@ Alternate syntax for \fBtls\-port\fR.
 If null or "", no file is used. Set it to the certificate bundle file, for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used for authenticating connections made to outside peers. For example auth\-zone
-urls, and also DNS over TLS connections.
+urls, and also DNS over TLS connections. It is read at start up before
+permission drop and chroot.
 .TP
 .B ssl\-cert\-bundle: \fI
 Alternate syntax for \fBtls\-cert\-bundle\fR.
From 18226f1c17e552e60800f4bc734f6c23e6054ea2 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 9 Nov 2020 18:41:22 +0300
Subject: [PATCH 07/15] fixing a possible memory leak.
---
 services/listen_dnsport.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index e506eeb31..744f204ac 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1404,6 +1404,7 @@ static int
 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, int *ip_addresses_size)
 {
 struct ifaddrs *ifa;
+ void * tmpbuf;
 int last_ip_addresses_size = *ip_addresses_size;
 for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
@@ -1468,10 +1469,13 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 }
 verbose(4, "interface %s has address %s", search_ifa, addr_buf);
- *ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
- if(!*ip_addresses) {
+ tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
+ if(!tmpbuf) {
+ free(*ip_addresses);
 log_err("realloc failed: out of memory");
 return 0;
+ } else {
+ *ip_addresses = tmpbuf;
 }
 (*ip_addresses)[*ip_addresses_size] = strdup(addr_buf);
 if(!(*ip_addresses)[*ip_addresses_size]) {
@@ -1482,10 +1486,13 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 }
 if (*ip_addresses_size == last_ip_addresses_size) {
- *ip_addresses = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
- if(!*ip_addresses) {
+ tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
+ if(!tmpbuf) {
+ free(*ip_addresses);
 log_err("realloc failed: out of memory");
 return 0;
+ } else {
+ *ip_addresses = tmpbuf;
 }
 (*ip_addresses)[*ip_addresses_size] = strdup(search_ifa);
 if(!(*ip_addresses)[*ip_addresses_size]) {
From 3926035f30b4eaeece1453dbfb5a7b866530a05c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 10 Nov 2020 08:07:28 +0100
Subject: [PATCH 08/15] Changelog note for #341 and layout change.
- Fix #341: fixing a possible memory leak.
---
 doc/Changelog | 3 +++
 services/listen_dnsport.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 181aaad05..e8314747e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+10 November 2020: Wouter
+ - Fix #341: fixing a possible memory leak.
+
 27 October 2020: Wouter
 - In man page note that tls-cert-bundle is read before permission
 drop and chroot.
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 744f204ac..71c8eb159 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
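Review bot: `free(*ip_addresses)` on realloc failure releases only the pointer array, not the strings already `strdup`'d into it, and it leaves the caller holding a dangling `*ip_addresses` if the caller releases the list on a 0 return (the caller is outside the hunk); the later patch in this series titled `Fix memory leak after fix for possible memory leak failure` removes both frees again, which points to the caller owning that cleanup. The `else` after `return 0;` is redundant: `*ip_addresses = tmpbuf;` can follow the `if` unconditionally, in both hunks. resolve_ifa_name starts and ends outside the hunk.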
@@ -1404,7 +1404,7 @@ static int
 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, int *ip_addresses_size)
 {
 struct ifaddrs *ifa;
- void * tmpbuf;
+ void *tmpbuf;
 int last_ip_addresses_size = *ip_addresses_size;
 for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
From 7977e1c4cb78c99e5a7aa449275b7a8e8998221c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 10 Nov 2020 13:51:56 +0100
Subject: [PATCH 09/15] - Fix memory leak after fix for possible memory leak failure.
---
 doc/Changelog | 1 +
 services/listen_dnsport.c | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index e8314747e..c9e871011 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 10 November 2020: Wouter
 - Fix #341: fixing a possible memory leak.
+ - Fix memory leak after fix for possible memory leak failure.
 27 October 2020: Wouter
 - In man page note that tls-cert-bundle is read before permission
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 71c8eb159..15ee6a389 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1471,7 +1471,6 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 if(!tmpbuf) {
- free(*ip_addresses);
 log_err("realloc failed: out of memory");
 return 0;
 } else {
@@ -1488,7 +1487,6 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 if (*ip_addresses_size == last_ip_addresses_size) {
 tmpbuf = realloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1));
 if(!tmpbuf) {
- free(*ip_addresses);
 log_err("realloc failed: out of memory");
 return 0;
 } else {
From 5385e2e09444d60df1bcbd3a173846ba933b03df Mon Sep 17 00:00:00 2001
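Review bot: With the frees gone, the ownership rule on the failure path is implicit: after `return 0` the partially filled `*ip_addresses` and its `strdup`'d entries are left for the caller (outside the hunk) to release, and nothing in the function says so, which is how the free this patch removes got added in the first place. A one-line comment at the first `if(!tmpbuf) {`, `/* on failure the caller frees *ip_addresses and its entries */`, records that; the same applies to the second hunk. resolve_ifa_name starts and ends outside both hunks.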
From: "W.C.A. Wijngaards" Date: Tue, 10 Nov 2020 15:31:20 +0100 Subject: [PATCH 10/15] - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX' undeclared. --- doc/Changelog | 2 ++ services/listen_dnsport.c | 1 + 2 files changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index c9e871011..47fcd9178 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 10 November 2020: Wouter - Fix #341: fixing a possible memory leak. - Fix memory leak after fix for possible memory leak failure. + - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX' + undeclared. 27 October 2020: Wouter - In man page note that tls-cert-bundle is read before permission diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 15ee6a389..10a7aec60 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -43,6 +43,7 @@ # include #endif #include +#include #ifdef USE_TCP_FASTOPEN #include #endif From 26aa550bd246079b26366627fecbbe7d6e30dabd Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 12 Nov 2020 12:27:41 +0100 Subject: [PATCH 11/15] - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. --- services/outside_network.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/services/outside_network.c b/services/outside_network.c index 41a1d83f1..cef76053c 100644 --- a/services/outside_network.c +++ b/services/outside_network.c 
@@ -1115,13 +1115,23 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 my_if = ub_random_max(outnet->rnd, num_if);
 pif = &ifs[my_if];
 #ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION
- my_port = ub_random_max(outnet->rnd, pif->avail_total);
- if(my_port < pif->inuse) {
- /* port already open */
- pend->pc = pif->out[my_port];
- verbose(VERB_ALGO, "using UDP if=%d port=%d",
- my_if, pend->pc->number);
- break;
+ if(1) {
+ /* if we connect() we cannot reuse fds for a port */
+ if(pif->inuse >= pif->avail_total) {
+ log_err("failed to find an open port, drop msg");
+ return 0;
+ }
+ my_port = pif->inuse + ub_random_max(outnet->rnd,
+ pif->avail_total - pif->inuse);
+ } else {
+ my_port = ub_random_max(outnet->rnd, pif->avail_total);
+ if(my_port < pif->inuse) {
+ /* port already open */
+ pend->pc = pif->out[my_port];
+ verbose(VERB_ALGO, "using UDP if=%d port=%d",
+ my_if, pend->pc->number);
+ break;
+ }
 }
 /* try to open new port, if fails, loop to try again */
 log_assert(pif->inuse < pif->maxout);
@@ -1138,6 +1148,17 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 if(fd != -1) {
 verbose(VERB_ALGO, "opened UDP if=%d port=%d",
 my_if, portno);
+ if(1) {
+ /* connect() to the destination */
+ if(connect(fd, (struct sockaddr*)&pend->addr,
+ pend->addrlen) < 0) {
+ log_err_addr("udp connect failed",
+ strerror(errno), &pend->addr,
+ pend->addrlen);
+ sock_close(fd);
+ return 0;
+ }
+ }
 /* grab fd */
 pend->pc = outnet->unused_fds;
 outnet->unused_fds = pend->pc->next;
From 48b40b305a946c590a005a1923070b95b5b61c3c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 12 Nov 2020 12:28:10 +0100
Subject: [PATCH 12/15] Changelog note.
---
 doc/Changelog | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index 47fcd9178..e9b8649fd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
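Review bot: Both new branches are gated on `if(1)`, which leaves the non-connect path as dead code and gives no hint that the behaviour is meant to be switchable, although the subject says it is "default turned on"; gate both sites on one named flag (a field on `outnet`, name to be chosen) so the two `if(1)` sites cannot drift apart. When `connect()` fails the second hunk closes the fd and returns 0, unlike the socket-open failure just above it which, per its comment, loops to try again, so a failure on one interface drops the query instead of trying another. After `connect()` the kernel reports ICMP errors for this destination (e.g. ECONNREFUSED) on later recv/send calls on the socket, so the receive path outside the hunk needs to treat such an error as a failure of this query rather than of the socket; worth confirming. select_ifport continues outside both hunks.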
@@ -1,3 +1,7 @@
+12 November 2020: Wouter
+ - Fix to connect() to UDP destinations, default turned on,
+ this lowers vulnerability to ICMP side channels.
+
 10 November 2020: Wouter
 - Fix #341: fixing a possible memory leak.
 - Fix memory leak after fix for possible memory leak failure.
From b891fe113ca9d9a2a19552531d8e91b8dcf02164 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 12 Nov 2020 13:36:37 +0100
Subject: [PATCH 13/15] - Retry for interfaces with unused ports if possible.
---
 doc/Changelog | 1 +
 services/outside_network.c | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index e9b8649fd..613d14cb7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 12 November 2020: Wouter
 - Fix to connect() to UDP destinations, default turned on,
 this lowers vulnerability to ICMP side channels.
+ - Retry for interfaces with unused ports if possible.
 10 November 2020: Wouter
 - Fix #341: fixing a possible memory leak.
diff --git a/services/outside_network.c b/services/outside_network.c
index cef76053c..d184da545 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1118,6 +1118,9 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 if(1) {
 /* if we connect() we cannot reuse fds for a port */
 if(pif->inuse >= pif->avail_total) {
+ tries++;
+ if(tries < MAX_PORT_RETRY)
+ continue;
 log_err("failed to find an open port, drop msg");
 return 0;
 }
From c48f01445e22686a0cb83451ab055cb405940b58 Mon Sep 17 00:00:00 2001
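Review bot: `continue` re-runs the loop with a fresh random `my_if`, so with a single interface, or when the pick lands on the same exhausted interface again, a retry costs one `tries` increment and changes nothing; `tries` and `MAX_PORT_RETRY` are declared outside the hunk, so whether the same counter also bounds the socket-open retries below is not visible here. A comment on the `tries++` line, `/* all ports on this interface are in use by connect()ed sockets; pick another, at most MAX_PORT_RETRY times */`, makes the bound explicit. select_ifport continues outside the hunk.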
From: David Runge
Date: Sat, 21 Nov 2020 14:10:39 +0100
Subject: [PATCH 14/15] Add AF_NETLINK to set of allowed socket address families
contrib/unbound{,_portable}.service.in:
With the changes introduced in f6a527c25ad2e60e2dc129fff3605e6ec48c30f2 it is now necessary to also allow access to the AF_NETLINK socket address family to be able to get information from interfaces. Without the AF_NETLINK address family the systemd service errors with:
```
error: failed to list interfaces: getifaddrs: Address family not supported by protocol
```
Fixes #350
---
 contrib/unbound.service.in | 2 +-
 contrib/unbound_portable.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index c95ab94b3..a4596978d 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 998b66dec..e763763f0 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
From 097e530c49ef418fdfe423a6557a374cae2cc95e Mon Sep 17 00:00:00 2001
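Review bot: AF_NETLINK widens the sandbox beyond the families the resolver needs for DNS traffic, and the unit gives no reason for it, so a later hardening pass is likely to remove it and bring back the `getifaddrs` failure quoted in the commit message. Put the reason next to the directive, `# AF_NETLINK: getifaddrs() enumerates interfaces over NETLINK_ROUTE`, in both contrib/unbound.service.in and contrib/unbound_portable.service.in. RestrictAddressFamilies cannot limit netlink to one protocol family, so the grant covers all of AF_NETLINK and is bounded only by the service's other settings (CapabilityBoundingSet and friends are outside the hunk); worth confirming they are as tight as intended.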
From: "W.C.A. Wijngaards" Date: Mon, 23 Nov 2020 08:58:41 +0100 Subject: [PATCH 15/15] Changelog notes for #350 and #351 - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket address families. - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error: failed to list interfaces: getifaddrs: Address family not supported by protocol. --- doc/Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 613d14cb7..a4c4792ff 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,10 @@ +23 November 2020: Wouter + - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket + address families. + - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error: + failed to list interfaces: getifaddrs: Address family not + supported by protocol. + 12 November 2020: Wouter - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels.