main/musl: drop cloudflare mitigation patch, cloudflare finally fixed the bug upstream

2 files changed, 1 insertions, 141 deletions

diff --git a/main/musl/1000-cloudflare-stupidity.patch b/main/musl/1000-cloudflare-stupidity.patch
deleted file mode 100644
index 5cb9360c2d..0000000000
--- a/main/musl/1000-cloudflare-stupidity.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 544b7fd44079df6eb5ae4f416e73b8e51602c2bb Mon Sep 17 00:00:00 2001
-From: William Pitcock <nenolod@dereferenced.org>
-Date: Sat, 31 Mar 2018 09:16:16 +0000
-Subject: [PATCH] resolver: mitigate bad interactions concering inconsistent
- DNS search domains with ndots usage
-
-When using kubernetes, the search path is configured like so:
-
-  - containername.prod.env.whatever
-  - prod.env.whatever
-  - env.whatever
-  - clusterwide domain
-
-Kubernetes also typically configures the container's resolver with "options ndots:5", which
-causes it to look for public domains in the private DNS domains (presumably so their DNS
-records can be overridden somehow).
-
-In certain cases where the Kubernetes guest is configured with a clusterwide domain that is
-hosted by a certain large CDN provider (*ahem* Cloudflare), the resolver may process
-erroneous replies sent from that CDN provider that have an empty A/AAAA record set.
-
-Accordingly, if we detect a configuration that is exotic, as a mitigation, we force all DNS
-queries to behave as if they were AF_UNSPEC and return only the records that were actually
-requested (either A or AAAA).
----
- src/network/lookup_name.c | 35 ++++++++++++++++++++++++++++++-----
- 1 file changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
-index 209c20f0..b28b6208 100644
---- a/src/network/lookup_name.c
-+++ b/src/network/lookup_name.c
-@@ -95,7 +95,9 @@ static int name_from_hosts(struct address buf[static MAXADDRS], char canon[stati
- struct dpc_ctx {
- 	struct address *addrs;
- 	char *canon;
-+	int wanted;
- 	int cnt;
-+	int recordcnt[2];
- };
- 
- int __dns_parse(const unsigned char *, int, int (*)(void *, int, const void *, int, const void *), void *);
-@@ -115,12 +117,16 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
- 	switch (rr) {
- 	case RR_A:
- 		if (len != 4) return -1;
-+		ctx->recordcnt[0]++;
-+		if (ctx->wanted && rr != ctx->wanted) return 0;
- 		ctx->addrs[ctx->cnt].family = AF_INET;
- 		ctx->addrs[ctx->cnt].scopeid = 0;
- 		memcpy(ctx->addrs[ctx->cnt++].addr, data, 4);
- 		break;
- 	case RR_AAAA:
- 		if (len != 16) return -1;
-+		ctx->recordcnt[1]++;
-+		if (ctx->wanted && rr != ctx->wanted) return 0;
- 		ctx->addrs[ctx->cnt].family = AF_INET6;
- 		ctx->addrs[ctx->cnt].scopeid = 0;
- 		memcpy(ctx->addrs[ctx->cnt++].addr, data, 16);
-@@ -134,7 +140,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
- 	return 0;
- }
- 
--static int name_from_dns(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family, const struct resolvconf *conf)
-+static int name_from_dns(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family, const struct resolvconf *conf, int searchpath_len)
- {
- 	unsigned char qbuf[2][280], abuf[2][512];
- 	const unsigned char *qp[2] = { qbuf[0], qbuf[1] };
-@@ -148,7 +154,12 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
- 	};
- 
- 	for (i=0; i<2; i++) {
--		if (family != afrr[i].af) {
-+		if (family && family != afrr[i].af) ctx.wanted = afrr[i].rr;
-+
-+		/* If we are using search paths longer than 1 domain, or we have changed the
-+		 * ndots setting to be greater than 1, then we need to always treat the query
-+		 * as if it were AF_UNSPEC to ensure results are consistent. */
-+		if (family != afrr[i].af || searchpath_len > 1 || conf->ndots > 1) {
- 			qlens[nq] = __res_mkquery(0, name, 1, afrr[i].rr,
- 				0, 0, 0, qbuf[nq], sizeof *qbuf);
- 			if (qlens[nq] == -1)
-@@ -165,7 +176,14 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
- 
- 	if (ctx.cnt) return ctx.cnt;
- 	if (alens[0] < 4 || (abuf[0][3] & 15) == 2) return EAI_AGAIN;
--	if ((abuf[0][3] & 15) == 0) return EAI_NONAME;
-+	if ((abuf[0][3] & 15) == 0) {
-+		/* A certain large CDN provider's DNS service erroneously responds to queries with
-+		 * a NOERROR(0) response code, while also returning an empty record set. Accordingly,
-+		 * check for this and handle it as we would an NXDOMAIN(3) if the record set is empty
-+		 * for both A and AAAA records. */
-+		if (nq == 2 && (ctx.recordcnt[0] + ctx.recordcnt[1]) == 0) return 0;
-+		else return EAI_NONAME;
-+	}
- 	if ((abuf[0][3] & 15) == 3) return 0;
- 	return EAI_FAIL;
- }
-@@ -175,6 +193,7 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- 	char search[256];
- 	struct resolvconf conf;
- 	size_t l, dots;
-+	int searchpath_len = 0;
- 	char *p, *z;
- 
- 	if (__get_resolv_conf(&conf, search, sizeof search) < 0) return -1;
-@@ -184,6 +203,12 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- 	for (dots=l=0; name[l]; l++) if (name[l]=='.') dots++;
- 	if (dots >= conf.ndots || name[l-1]=='.') *search = 0;
- 
-+	/* Count the number of domains in the search path. */
-+	if (*search) {
-+		size_t n;
-+		for (searchpath_len = n = 0; search[n]; n++) if (isspace(search[n])) searchpath_len++;
-+	}
-+
- 	/* This can never happen; the caller already checked length. */
- 	if (l >= 256) return EAI_NONAME;
- 
-@@ -201,13 +226,13 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- 		if (z-p < 256 - l - 1) {
- 			memcpy(canon+l+1, p, z-p);
- 			canon[z-p+1+l] = 0;
--			int cnt = name_from_dns(buf, canon, canon, family, &conf);
-+			int cnt = name_from_dns(buf, canon, canon, family, &conf, searchpath_len);
- 			if (cnt) return cnt;
- 		}
- 	}
- 
- 	canon[l] = 0;
--	return name_from_dns(buf, canon, name, family, &conf);
-+	return name_from_dns(buf, canon, name, family, &conf, searchpath_len);
- }
- 
- static const struct policy {
--- 
-2.16.3
-
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index 0ff8fc1a47..c9eb6854e5 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=musl
 pkgver=1.1.19
-pkgrel=6
+pkgrel=7
 pkgdesc="the musl c library (libc) implementation"
 url="http://www.musl-libc.org/"
 arch="all"
@@ -23,7 +23,6 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
 	0004-implement-wcsftime-padding-specifier-extensions.patch
 	0005-fix-wrong-result-in-casin-and-many-related-complex-f.patch
 
-	1000-cloudflare-stupidity.patch
 	2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
 	handle-aux-at_base.patch
 
@@ -155,7 +154,6 @@ sha512sums="abee52d53af4b3c14c9088866c911a24d2b6ef67dc494f38a7a09dfe77250026f775
 b0bcfc837f888f2b1c2d65c06dcc0a2fa12da78986ba9c7c86a64123ce44c21a63c13c1cc2e93fdf564a3ca4472c29f0acabaff367914c52bf101d6d8a56ee2e  0003-fix-fmaf-wrong-result.patch
 1fedaf691ac394dec3158cff7839e36383d4107b59f003b75c8fb85a5fceb2143e2bb4aae58c08d68ccdf02d5ebf8c9e5031fa6063aa5c3112b4f8c66adab3dd  0004-implement-wcsftime-padding-specifier-extensions.patch
 6d7bbb493ccb7006270ace71266c0daf2c87842480f01cafb25609c9a3c77ae35934ee2a2bf00d78be8cce391204dcb9aba33e4d96dbf2a258595cf7a3939130  0005-fix-wrong-result-in-casin-and-many-related-complex-f.patch
-26465058345bcb0d8f5ebd4645b43b2cb3dec26ac55f8cb97a13961f28046fe04bd68e48ba585cc3c036ba75e3cabadf096595e71d1c8c9ec0fb69ebc8340cf5  1000-cloudflare-stupidity.patch
 2c8e1dde1834238097b2ee8a7bfb53471a0d9cff4a5e38b55f048b567deff1cdd47c170d0578a67b1a039f95a6c5fbb8cff369c75b6a3e4d7ed171e8e86ebb8c  2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
 6a7ff16d95b5d1be77e0a0fbb245491817db192176496a57b22ab037637d97a185ea0b0d19da687da66c2a2f5578e4343d230f399d49fe377d8f008410974238  handle-aux-at_base.patch
 8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f  ldconfig