dnsmasq: fix CVE-2023-28450 default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232

Set the default maximum DNS UDP packet size to 1232. http://www.dnsflagday.net/2020/ refers. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-04 16:10:10 +00:00 · 2023-03-27 09:24:19 +05:30 · 2023-03-27 09:24:19 +05:30 · 98e6e31688
commit 98e6e31688
parent 4f78732be2
2 changed files with 64 additions and 0 deletions
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch
@ -0,0 +1,63 @@
+From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 7 Mar 2023 22:07:46 +0000
+Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
+
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5]
+CVE: CVE-2023-28450
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ CHANGELOG     | 8 ++++++++
+ man/dnsmasq.8 | 3 ++-
+ src/config.h  | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index d1d7e41..7a560d3 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -91,6 +91,14 @@ version 2.81
+ 	Fix write-after-free error in DHCPv6 server code.
+ 	CVE-2022-0934 refers.
+ 	
+	Set the default maximum DNS UDP packet sice to 1232. This
+	has been the recommended value since 2020 because it's the
+	largest value that avoid fragmentation, and fragmentation
+	is just not reliable on the modern internet, especially
+	for IPv6. It's still possible to override this with
+	--edns-packet-max for special circumstances.
+
+	
+ version 2.80
+ 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+ 	for the initial patch and motivation.
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index f2803f9..3cca4bc 100644
+--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
+@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
+ .TP
+ .B \-P, --edns-packet-max=<size>
+ Specify the largest EDNS.0 UDP packet which is supported by the DNS
+-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
+ .TP
+ .B \-Q, --query-port=<query_port>
+ Send outbound DNS queries from, and listen for their replies on, the
+diff --git a/src/config.h b/src/config.h
+index 54f6f48..29ac3e7 100644
+--- a/src/config.h
+++ b/src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+-- 
+2.18.2
+
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@ -12,4 +12,5 @@ SRC_URI += "\
    file://CVE-2020-25686-2.patch \
    file://CVE-2021-3448.patch \
    file://CVE-2022-0934.patch \
+    file://CVE-2023-28450.patch \
 "