dns/dnsmasq: regression fixes from upstream Git

Apparently there are situations where dnsmasq 2.83 can confuse
its peers or sockets, and the upstream Git contains fixes for them.

These four fixes essentially take dnsmasq to 2.84test3.

Obtained from:	Simon Kelley <simon@thekelleys.org.uk>'s Git repository

dns/dnsmasq/Makefile

@@ -4,11 +4,12 @@
 PORTNAME=	dnsmasq
 DISTVERSION=	2.83
 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	dns
-MASTER_SITES=	http://www.thekelleys.org.uk/dnsmasq/ \
+MASTER_SITES=	https://www.thekelleys.org.uk/dnsmasq/ \
 		LOCAL/mandree/
+PATCH_STRIP=	-p1
 
 MAINTAINER=	mandree@FreeBSD.org
 COMMENT=	Lightweight DNS forwarder, DHCP, and TFTP server

dns/dnsmasq/files/patch-zgit-1

@@ -0,0 +1,65 @@
+From 04490bf622ac84891aad6f2dd2edf83725decdee Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 22 Jan 2021 16:49:12 +0000
+Subject: [PATCH] Move fd into frec_src, fixes
+ 15b60ddf935a531269bb8c68198de012a4967156
+
+If identical queries from IPv4 and IPv6 sources are combined by the
+new code added in 15b60ddf935a531269bb8c68198de012a4967156 then replies
+can end up being sent via the wrong family of socket. The ->fd
+should be per query, not per-question.
+
+In bind-interfaces mode, this could also result in replies being sent
+via the wrong socket even when IPv4/IPV6 issues are not in play.
+---
+ src/dnsmasq.h | 3 ++-
+ src/forward.c | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 914f469..360c226 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -664,6 +664,7 @@ struct frec {
+     union mysockaddr source;
+     union all_addr dest;
+     unsigned int iface, log_id;
++    int fd;
+     unsigned short orig_id;
+     struct frec_src *next;
+   } frec_src;
+@@ -671,7 +672,7 @@ struct frec {
+   struct randfd *rfd4;
+   struct randfd *rfd6;
+   unsigned short new_id;
+-  int fd, forwardall, flags;
++  int forwardall, flags;
+   time_t time;
+   unsigned char *hash[HASH_SIZE];
+ #ifdef HAVE_DNSSEC 
+diff --git a/src/forward.c b/src/forward.c
+index 7a95ddf..43d0ae7 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -402,8 +402,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ 	  forward->frec_src.dest = *dst_addr;
+ 	  forward->frec_src.iface = dst_iface;
+ 	  forward->frec_src.next = NULL;
++	  forward->frec_src.fd = udpfd;
+ 	  forward->new_id = get_id();
+-	  forward->fd = udpfd;
+ 	  memcpy(forward->hash, hash, HASH_SIZE);
+ 	  forward->forwardall = 0;
+ 	  forward->flags = fwd_flags;
+@@ -1300,7 +1300,7 @@ void reply_query(int fd, int family, time_t now)
+ 	      dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source);
+ #endif
+ 	      
+-	      send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, 
++	      send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, 
+ 			&src->source, &src->dest, src->iface);
+ 
+ 	      if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src)
+-- 
+2.20.1
+

dns/dnsmasq/files/patch-zgit-2

@@ -0,0 +1,24 @@
+From 12af2b171de0d678d98583e2190789e544440e02 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 22 Jan 2021 18:24:03 +0000
+Subject: [PATCH] Fix to 75e2f0aec33e58ef5b8d4d107d821c215a52827c
+
+---
+ src/forward.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index 43d0ae7..1def931 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -378,6 +378,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ 	      new->dest = *dst_addr;
+ 	      new->log_id = daemon->log_id;
+ 	      new->iface = dst_iface;
++	      forward->frec_src.fd = udpfd;
+ 	    }
+ 	  
+ 	  return 1;
+-- 
+2.20.1
+

dns/dnsmasq/files/patch-zgit-3

@@ -0,0 +1,103 @@
+From 8ebdc364afd886461d209284ad4c946ac65e6d2b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 22 Jan 2021 18:50:43 +0000
+Subject: [PATCH] Optimise sort_rrset for the case where the RR type no
+ canonicalisation.
+
+---
+ src/dnssec.c | 69 ++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 48 insertions(+), 21 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 93cc7bf..3ee1e9e 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -334,37 +334,64 @@ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
+ 	  if (!CHECK_LEN(header, state2.ip, plen, rdlen2))
+ 	    return rrsetidx; /* short packet */
+ 	  state2.end = state2.ip + rdlen2; 
+-	  	  
+-	  while (1)
++
++	  /* If the RR has no names in it then canonicalisation
++	     is the identity function and we can compare
++	     the RRs directly. If not we compare the 
++	     canonicalised RRs one byte at a time. */
++	  if (*rr_desc == (u16)-1)	  
+ 	    {
+-	      int ok1, ok2;
++	      int rdmin = rdlen1 > rdlen2 ? rdlen2 : rdlen1;
++	      int cmp = memcmp(state1.ip, state2.ip, rdmin);
+ 	      
+-	      ok1 = get_rdata(header, plen, &state1);
+-	      ok2 = get_rdata(header, plen, &state2);
+-
+-	      if (!ok1 && !ok2)
++	      if (cmp > 0 || (cmp == 0 && rdlen1 > rdmin))
++		{
++		  unsigned char *tmp = rrset[i+1];
++		  rrset[i+1] = rrset[i];
++		  rrset[i] = tmp;
++		  swap = 1;
++		}
++	      else if (cmp == 0 && (rdlen1 == rdlen2))
+ 		{
+ 		  /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
+ 		  for (j = i+1; j < rrsetidx-1; j++)
+ 		    rrset[j] = rrset[j+1];
+ 		  rrsetidx--;
+ 		  i--;
+-		  break;
+ 		}
+-	      else if (ok1 && (!ok2 || *state1.op > *state2.op)) 
+-		{
+-		  unsigned char *tmp = rrset[i+1];
+-		  rrset[i+1] = rrset[i];
+-		  rrset[i] = tmp;
+-		  swap = 1;
+-		  break;
+-		}
+-	      else if (ok2 && (!ok1 || *state2.op > *state1.op))
+-		break;
+-	      
+-	      /* arrive here when bytes are equal, go round the loop again
+-		 and compare the next ones. */
+ 	    }
++	  else
++	    /* Comparing canonicalised RRs, byte-at-a-time. */
++	    while (1)
++	      {
++		int ok1, ok2;
++		
++		ok1 = get_rdata(header, plen, &state1);
++		ok2 = get_rdata(header, plen, &state2);
++		
++		if (!ok1 && !ok2)
++		  {
++		    /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
++		    for (j = i+1; j < rrsetidx-1; j++)
++		      rrset[j] = rrset[j+1];
++		    rrsetidx--;
++		    i--;
++		    break;
++		  }
++		else if (ok1 && (!ok2 || *state1.op > *state2.op)) 
++		  {
++		    unsigned char *tmp = rrset[i+1];
++		    rrset[i+1] = rrset[i];
++		    rrset[i] = tmp;
++		    swap = 1;
++		    break;
++		  }
++		else if (ok2 && (!ok1 || *state2.op > *state1.op))
++		  break;
++		
++		/* arrive here when bytes are equal, go round the loop again
++		   and compare the next ones. */
++	      }
+ 	}
+     } while (swap);
+ 
+-- 
+2.20.1
+

dns/dnsmasq/files/patch-zgit-4

@@ -0,0 +1,25 @@
+From 3f535da79e7a42104543ef5c7b5fa2bed819a78b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 22 Jan 2021 22:26:25 +0000
+Subject: [PATCH] Fix for 12af2b171de0d678d98583e2190789e544440e02
+
+---
+ src/forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 1def931..5c9cbbb 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -378,7 +378,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ 	      new->dest = *dst_addr;
+ 	      new->log_id = daemon->log_id;
+ 	      new->iface = dst_iface;
+-	      forward->frec_src.fd = udpfd;
++	      new->fd = udpfd;
+ 	    }
+ 	  
+ 	  return 1;
+-- 
+2.20.1
+

dns/dnsmasq/files/pkg-message.in

@@ -1,3 +1,6 @@
+[
+{
+message: <<EOM
 To enable dnsmasq, edit %%PREFIX%%/etc/dnsmasq.conf and
 set dnsmasq_enable="YES" in /etc/rc.conf[.local]
 
@@ -10,3 +13,6 @@ It is recommended to enable the wpad-related options
 at the end of the configuration file (you may need to
 copy them from the example file to yours) to fix
 CERT Vulnerability VU#598349.
+EOM
+}
+]