!130 Fix buffer overflow when configured lease-change script name

From: @xiangyu2020 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch

@@ -0,0 +1,49 @@
+From 65c2d6afd67a032f45f40d7e4d620f5d73e5f07d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 22 Nov 2023 22:02:05 +0000
+Subject: [PATCH] Fix standalone SHA256 implementation.
+
+Bug report here:
+https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017332.html
+
+This error probably has no practical effect since even if the hash
+is wrong, it's only compared internally to other hashes computed using
+the same code.
+
+Understanding the error:
+
+hash-questions.c:168:21: runtime error: left shift of 128 by 24 places
+cannot be represented in type 'int'
+
+requires a certain amount of c-lawyerliness. I think the problem is that
+
+m[i] = data[j] << 24
+
+promotes the unsigned char data array value to int before doing the shift and
+then promotes the result to unsigned char to match the type of m[i].
+What needs to happen is to cast the unsigned char to unsigned int
+BEFORE the shift.
+
+This patch does that with explicit casts.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=65c2d6afd67a032f45f40d7e4d620f5d73e5f07d
+---
+ src/hash_questions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hash_questions.c b/src/hash_questions.c
+index c1ee135..e6304ac 100644
+--- a/src/hash_questions.c
++++ b/src/hash_questions.c
+@@ -165,7 +165,7 @@ static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+   WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+   
+   for (i = 0, j = 0; i < 16; ++i, j += 4)
+-    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
++    m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3]));
+   for ( ; i < 64; ++i)
+     m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+ 
+-- 
+2.33.0
+

backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch

@@ -0,0 +1,32 @@
+From ae85ea38581e97445622d2dad79cd09775cb201a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 21 Nov 2024 15:42:49 +0000
+Subject: [PATCH] Fix buffer overflow when configured lease-change script name
+ is too long.
+ 
+Thanks to Daniel Rhea for finding this one.
+ 
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=ae85ea38581e97445622d2dad79cd09775cb201a
+Conflict:NA
+---
+ src/lease.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+ 
+diff --git a/src/lease.c b/src/lease.c
+index 1a9f1c6..a944fbb 100644
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -155,6 +155,10 @@ void lease_init(time_t now)
+ #ifdef HAVE_SCRIPT
+       if (daemon->lease_change_command)
+ 	{
++	  /* 6 == strlen(" init") plus terminator */
++	  if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
++	    die(_("lease-change script name is too long"), NULL, EC_FILE);
++	  
+ 	  strcpy(daemon->dhcp_buff, daemon->lease_change_command);
+ 	  strcat(daemon->dhcp_buff, " init");
+ 	  leasestream = popen(daemon->dhcp_buff, "r");
+-- 
+2.33.0
+ 

backport-Fix-crash-when-reloading-DHCP-config-on-SIGHUP.patch

@@ -0,0 +1,50 @@
+From f006be7842104a9f86fbf419326b7aad08ade61d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 Oct 2024 16:59:14 +0100
+Subject: [PATCH] Fix crash when reloading DHCP config on SIGHUP.
+ 
+ Confusion in the code to free old DHCP configuration when it's
+ being reloaded causes invalid pointers to be followed and a crash.
+ 
+ https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q4/017764.html
+ 
+ has a more complete explanation of the problem.
+ 
+Conflict:NA
+Reference:https://github.com/rhuijben/dnsmasq/commit/f006be7842104a9f86fbf419326b7aad08ade61d
+ 
+---
+ src/option.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+ 
+diff --git a/src/option.c b/src/option.c
+index f4ff7c0..ed0d9e1 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1336,7 +1336,7 @@ static void dhcp_netid_free(struct dhcp_netid *nid)
+ 
+ /* Parse one or more tag:s before parameters.
+  * Moves arg to the end of tags. */
+-static struct dhcp_netid * dhcp_tags(char **arg)
++static struct dhcp_netid *dhcp_tags(char **arg)
+ {
+   struct dhcp_netid *id = NULL;
+ 
+@@ -1360,7 +1360,13 @@ static void dhcp_netid_list_free(struct dhcp_netid_list *netid)
+     {
+       struct dhcp_netid_list *tmplist = netid;
+       netid = netid->next;
+-      dhcp_netid_free(tmplist->list);
++      /* Note: don't use dhcp_netid_free() here, since that 
++	 frees a list linked on netid->next. Where a netid_list
++	 is used that's because the the ->next pointers in the
++	 netids are being used to temporarily construct 
++	 a list of valid tags. */
++      free(tmplist->list->net);
++      free(tmplist->list);
+       free(tmplist);
+     }
+ }
+-- 
+2.33.0
+

backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch

@@ -0,0 +1,48 @@
+From d16b995756dc079b1fdc2e63665793979f766a26 Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Sat, 30 Sep 2023 23:31:08 +0100
+Subject: [PATCH] Fix memory leak when using --dhcp-optsfile with DHCPv6
+ options.
+
+Conflict:NA
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=d16b995756dc079b1fdc2e63665793979f766a26
+---
+ src/option.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 8322725..286f06b 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -5734,11 +5734,11 @@ static void clear_dynamic_conf(void)
+     }
+ }
+ 
+-static void clear_dynamic_opt(void)
++static void clear_dhcp_opt(struct dhcp_opt **dhcp_opts)
+ {
+   struct dhcp_opt *opts, *cp, **up;
+ 
+-  for (up = &daemon->dhcp_opts, opts = daemon->dhcp_opts; opts; opts = cp)
++  for (up = dhcp_opts, opts = *dhcp_opts; opts; opts = cp)
+     {
+       cp = opts->next;
+       
+@@ -5752,6 +5752,14 @@ static void clear_dynamic_opt(void)
+     }
+ }
+ 
++static void clear_dynamic_opt(void)
++{
++  clear_dhcp_opt(&daemon->dhcp_opts);
++#ifdef HAVE_DHCP6
++  clear_dhcp_opt(&daemon->dhcp_opts6);
++#endif
++}
++
+ void reread_dhcp(void)
+ {
+    struct hostsfile *hf;
+-- 
+2.23.0
+

backport-Fix-parsing-of-IPv6-addresses-with-peer-from-netlink.patch

@@ -0,0 +1,71 @@
+From 770bce967cfc9967273d0acfb3ea018fb7b17522 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Fri, 27 May 2022 21:16:18 +0100
+Subject: [PATCH] Fix parsing of IPv6 addresses with peer from netlink.
+
+In the most common case, an IPv6 address doesn't have a peer and the
+IFA_ADDRESS netlink attribute contains the address itself.
+
+But if the address has a peer (typically for point to point links),
+then IFA_ADDRESS contains the peer address and IFA_LOCAL contains the
+address [1].
+
+[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/addrconf.c?h=v5.17#n5030
+
+Fix the parsing of IPv6 addresses with peers, as currently dnsmasq
+unsuccessfully tries to bind on the peer address.
+
+A simple reproducer is:
+
+  dnsmasq --conf-file=/dev/null -i dummy1 -d --bind-dynamic &
+  sleep 2
+  ip link add dummy1 type dummy
+  ip link set dummy1 up
+  ip addr add dev dummy1 fd01::1/64 peer fd01::2/64
+  ip addr add dev dummy1 fd01::42/64
+  sleep 2
+  ss -lnp | grep dnsmasq | grep fd01
+
+Before the patch:
+  dnsmasq: failed to create listening socket for fd01::2: Cannot assign requested address
+  dnsmasq: failed to create listening socket for fd01::2: Cannot assign requested address
+  udp   UNCONN 0   [fd01::42]:53   [::]:*    users:(("dnsmasq",pid=23947,fd=14))
+  tcp   LISTEN 0   [fd01::42]:53   [::]:*    users:(("dnsmasq",pid=23947,fd=15
+
+After:
+  udp   UNCONN 0   [fd01::42]:53   [::]:*    users:(("dnsmasq",pid=23973,fd=16))
+  udp   UNCONN 0    [fd01::1]:53   [::]:*    users:(("dnsmasq",pid=23973,fd=14))
+  tcp   LISTEN 0   [fd01::42]:53   [::]:*    users:(("dnsmasq",pid=23973,fd=17))
+  tcp   LISTEN 0    [fd01::1]:53   [::]:*    users:(("dnsmasq",pid=23973,fd=15))
+
+Conflict:NA
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=770bce967cfc9967273d0acfb3ea018fb7b17522
+---
+ src/netlink.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index da82943..c156cde 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -258,7 +258,16 @@ int iface_enumerate(int family, void *parm, int (*callback)())
+ 		    
+ 		    while (RTA_OK(rta, len1))
+ 		      {
+-			if (rta->rta_type == IFA_ADDRESS)
++			/*
++			 * Important comment: (from if_addr.h)
++			 * IFA_ADDRESS is prefix address, rather than local interface address.
++			 * It makes no difference for normally configured broadcast interfaces,
++			 * but for point-to-point IFA_ADDRESS is DESTINATION address,
++			 * local address is supplied in IFA_LOCAL attribute.
++			 */
++			if (rta->rta_type == IFA_LOCAL)
++			  addrp = ((struct in6_addr *)(rta+1));
++			else if (rta->rta_type == IFA_ADDRESS && !addrp)
+ 			  addrp = ((struct in6_addr *)(rta+1)); 
+ 			else if (rta->rta_type == IFA_CACHEINFO)
+ 			  {
+-- 
+2.23.0
+

backport-Reduce-code-duplication-reuse-existing-functions.patch

@@ -0,0 +1,91 @@
+From 10d8b5f001a34ff46b3a72575f3af64b065f8637 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 14 Apr 2021 21:08:31 +0100
+Subject: [PATCH] Reduce code duplication, reuse existing functions
+
+dhcp_config_free and dhcp_opt_free already implement the same algorithm.
+Reuse them. Adds forgotten hostname cleanup to config free.
+
+Conflict:NA
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10d8b5f001a34ff46b3a72575f3af64b065f8637
+---
+ src/option.c | 42 ++++++------------------------------------
+ 1 file changed, 6 insertions(+), 36 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index e8926a4..23cf058 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1067,6 +1067,8 @@ static void dhcp_config_free(struct dhcp_config *config)
+       
+       if (config->flags & CONFIG_CLID)
+         free(config->clid);
++      if (config->flags & CONFIG_NAME)
++	free(config->hostname);
+ 
+ #ifdef HAVE_DHCP6
+       if (config->flags & CONFIG_ADDR6)
+@@ -5002,30 +5004,8 @@ static void clear_dynamic_conf(void)
+       
+       if (configs->flags & CONFIG_BANK)
+ 	{
+-	  struct hwaddr_config *mac, *tmp;
+-	  struct dhcp_netid_list *list, *tmplist;
+-	  
+-	  for (mac = configs->hwaddr; mac; mac = tmp)
+-	    {
+-	      tmp = mac->next;
+-	      free(mac);
+-	    }
+-	  
+-	  if (configs->flags & CONFIG_CLID)
+-	    free(configs->clid);
+-	  
+-	  for (list = configs->netid; list; list = tmplist)
+-	    {
+-	      free(list->list);
+-	      tmplist = list->next;
+-	      free(list);
+-	    }
+-	  
+-	  if (configs->flags & CONFIG_NAME)
+-	    free(configs->hostname);
+-	  
+-	  *up = configs->next;
+-	  free(configs);
++	  *up = cp;
++	  dhcp_config_free(configs);
+ 	}
+       else
+ 	up = &configs->next;
+@@ -5035,7 +5015,6 @@ static void clear_dynamic_conf(void)
+ static void clear_dynamic_opt(void)
+ {
+   struct dhcp_opt *opts, *cp, **up;
+-  struct dhcp_netid *id, *next;
+ 
+   for (up = &daemon->dhcp_opts, opts = daemon->dhcp_opts; opts; opts = cp)
+     {
+@@ -5043,17 +5022,8 @@ static void clear_dynamic_opt(void)
+       
+       if (opts->flags & DHOPT_BANK)
+ 	{
+-	  if ((opts->flags & DHOPT_VENDOR))
+-	    free(opts->u.vendor_class);
+-	  free(opts->val);
+-	  for (id = opts->netid; id; id = next)
+-	    {
+-	      next = id->next;
+-	      free(id->net);
+-	      free(id);
+-	    }
+-	  *up = opts->next;
+-	  free(opts);
++	  *up = cp;
++	  dhcp_opt_free(opts);
+ 	}
+       else
+ 	up = &opts->next;
+-- 
+2.23.0
+

dnsmasq.spec

@@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.82
-Release:        12
+Release:        17
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@@ -35,6 +35,12 @@ Patch24:     backport-0010-CVE-2021-3448.patch
 Patch25:     backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch
 Patch26:     backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
 Patch27:     backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
+Patch28:     backport-Fix-parsing-of-IPv6-addresses-with-peer-from-netlink.patch
+Patch29:     backport-Reduce-code-duplication-reuse-existing-functions.patch
+Patch30:     backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
+Patch31:     backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
+Patch32:     backport-Fix-crash-when-reloading-DHCP-config-on-SIGHUP.patch
+Patch33:     backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
 
 BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
 Requires:       nettle >= 3.4 %{name}-help
@@ -127,6 +133,37 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*
 
 %changelog
+* Thu Dec 12 2024 huyizhen <huyizhen2@huawei.com> - 2.82-17
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:backport upstream patches
+
+* Sat Oct 12 2024 huyizhen <huyizhen2@huawei.com> - 2.82-16
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:Fix crash when reloading DHCP config on SIGHUP
+
+* Mon Jul 8 2024 renmingshuai <renmingshuai@huawei.com> - 2.82-15
+- Type:CVE
+- Id:
+- SUG:NA
+- DESC:fix CVE-2023-49441
+
+* Wed Dec 6 2023 renmingshuai <renmingshuai@huawei.com> - 2.82-14
+- Type:bugfix
+- Id:
+- SUG:NA
+- DESC:Reduce code duplication, reuse existing functions
+       Fix memory leak when using --dhcp-optsfile with DHCPv6 options
+
+* Tue Dec 5 2023 renmingshuai <renmingshuai@huawei.com> - 2.82-13
+- Type:bugfix
+- Id:
+- SUG:NA
+- DESC:Fix parsing of IPv6 addresses with peer from netlink
+
 * Tue Mar 28 2023 renmingshuai <renmingshuai@huawei.com> - 2.82-12
 - Type:CVE
 - Id:CVE-2023-28450