Sync upstream patches

Fix-a-problem-in-overload-handling.patch

@@ -0,0 +1,43 @@
+From c4b9bc63e0029cf1beaf8bdcbd92fa09f33b599d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 9 Sep 2022 12:53:49 +0100
+Subject: [PATCH] Fix a problem in overload handling.
+
+Sending the same query repeatedly to a dnsmasq instance which
+doesn't get replies from upstream will eventually hit the
+hard limit on frec_src structures and start gettin REFUSED
+replies. This is OK, except that since the queries are no longer
+being forwarded, an upstream server coming back doesn't reset the
+situation. If there is any other traffic, frec allocation will
+eventually delete the timed-out frec and get things moving again,
+but that's not guaranteed.
+
+To fix this we explicitly delete the frec once timed out in this case.
+
+Thanks to Filip Jenicek for noticing and characterising this problem.
+---
+ src/forward.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index 8562b2d..fa80251 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -244,6 +244,14 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ 	  if (!daemon->free_frec_src)
+ 	    {
+ 	      query_full(now, NULL);
++	      /* This is tricky; if we're blasted with the same query
++		 over and over, we'll end up taking this path each time
++		 and never resetting until the frec gets deleted by
++		 aging followed by the receipt of a different query. This
++		 is a bit of a DoS vuln. Avoid by explicitly deleting the
++		 frec once it expires. */
++	      if (difftime(now, forward->time) >= TIMEOUT)
++		free_frec(forward);
+ 	      goto reply;
+ 	    }
+ 	  
+-- 
+2.25.1
+

Fix-logic-when-a-SERVFAIL-reply-is-received-after-go.patch

@@ -0,0 +1,38 @@
+From 04cc2ae1a605c9b9d346d010178abf597fd0fe77 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 19 Aug 2022 13:28:00 +0100
+Subject: [PATCH] Fix logic when a SERVFAIL reply is received after good replt
+ for DNSSEC.
+
+If we get a SERVFAIL or REFUSED answer to a DNSSEC query for which
+we already have a good answer, just ignore it.
+---
+ src/forward.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index f90be2f..8562b2d 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1073,12 +1073,15 @@ void reply_query(int fd, time_t now)
+       size_t nn = 0;
+       
+ #ifdef HAVE_DNSSEC
+-      /* DNSSEC queries have a copy of the original query stashed. 
+-	 The query MAY have got a good answer, and be awaiting
++      /* The query MAY have got a good answer, and be awaiting
+ 	 the results of further queries, in which case
+ 	 The Stash contains something else and we don't need to retry anyway. */
+-      if ((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && !forward->blocking_query)
++      if (forward->blocking_query)
++	return;
++      
++      if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+ 	{
++	  /* DNSSEC queries have a copy of the original query stashed. */
+ 	  blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+ 	  nn = forward->stash_len;
+ 	  udp_size = daemon->edns_pktsz;
+-- 
+2.25.1
+

Free-sockets-awaiting-upstream-DNS-replies-ASAP.patch

@@ -0,0 +1,33 @@
+From d6c69f6bdba8e2a138faa6c422f5fd29545f1f06 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 6 Sep 2022 15:35:54 +0100
+Subject: [PATCH] Free sockets awaiting upstream DNS replies ASAP.
+
+Once we have a good answer, close the socket so that the fd can
+be reused during DNSSEC validation and we don't have to read and
+discard more replies from other servers.
+---
+ src/forward.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index e8249a6..f90be2f 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1144,6 +1144,13 @@ void reply_query(int fd, time_t now)
+     }
+ 
+   forward->sentto = server;
++
++  /* We have a good answer, and will now validate it or return it. 
++     It may be some time before this the validation completes, but we don't need
++     any more answers, so close the socket(s) on which we were expecting
++     answers, to conserve file descriptors, and to save work reading and
++     discarding answers for other upstreams. */
++  free_rfds(&forward->rfds);
+   
+ #ifdef HAVE_DNSSEC
+   if ((forward->sentto->flags & SERV_DO_DNSSEC) && 
+-- 
+2.25.1
+

dnsmasq.spec

@@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.86
-Release:        2
+Release:        3
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@@ -32,6 +32,9 @@ Patch21:        backport-dnsmasq-2.87-tcp-strcasecmp.patch
 Patch22:        bugfix-allow-binding-mac-with-ipv6.patch
 Patch23:        bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch
 Patch24:      	backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch 
+Patch25:      	Fix-logic-when-a-SERVFAIL-reply-is-received-after-go.patch
+Patch26:	Free-sockets-awaiting-upstream-DNS-replies-ASAP.patch
+Patch27:	Fix-a-problem-in-overload-handling.patch
 
 
 BuildRequires:  gcc
@@ -122,6 +125,14 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*
 
 %changelog
+* Mon Oct 17 2022 zhangjun <zhangjun@kylinos.cn> - 2.86-3
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:Fix logic when a SERVFAIL reply is received after good replt for DNSSEC
+       Free sockets awaiting upstream DNS replies ASAP
+       Fix a problem in overload handling
+
 * Sat Jul 30 2022 renmingshuai <renmingshuai@huawei.com> - 2.86-2
 - Type:CVE
 - Id:CVE-2022-0934