authorWilliam Pitcock <nenolod@dereferenced.org>2018-04-11 06:31:13 +0000
committerWilliam Pitcock <nenolod@dereferenced.org>2018-04-11 06:31:13 +0000
commit9bcc3109caf436c3dbcf5eadd61f8a68b6308961 (patch)
tree481db95c62f2802442798f632099808195aeac73
parent1e73decad744e8326461de8f4dfc7edd4e3b56a7 (diff)
main/musl: drop cloudflare mitigation patch, cloudflare finally fixed the bug upstream
-rw-r--r--main/musl/1000-cloudflare-stupidity.patch138
-rw-r--r--main/musl/APKBUILD4
2 files changed, 1 insertions, 141 deletions
diff --git a/main/musl/1000-cloudflare-stupidity.patch b/main/musl/1000-cloudflare-stupidity.patch
deleted file mode 100644
index 5cb9360c2d..0000000000
--- a/main/musl/1000-cloudflare-stupidity.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 544b7fd44079df6eb5ae4f416e73b8e51602c2bb Mon Sep 17 00:00:00 2001
-From: William Pitcock <nenolod@dereferenced.org>
-Date: Sat, 31 Mar 2018 09:16:16 +0000
-Subject: [PATCH] resolver: mitigate bad interactions concering inconsistent
- DNS search domains with ndots usage
-
-When using kubernetes, the search path is configured like so:
-
- - containername.prod.env.whatever
- - prod.env.whatever
- - env.whatever
- - clusterwide domain
-
-Kubernetes also typically configures the container's resolver with "options ndots:5", which
-causes it to look for public domains in the private DNS domains (presumably so their DNS
-records can be overridden somehow).
-
-In certain cases where the Kubernetes guest is configured with a clusterwide domain that is
-hosted by a certain large CDN provider (*ahem* Cloudflare), the resolver may process
-erroneous replies sent from that CDN provider that have an empty A/AAAA record set.
-
-Accordingly, if we detect a configuration that is exotic, as a mitigation, we force all DNS
-queries to behave as if they were AF_UNSPEC and return only the records that were actually
-requested (either A or AAAA).
----
- src/network/lookup_name.c | 35 ++++++++++++++++++++++++++++++-----
- 1 file changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
-index 209c20f0..b28b6208 100644
---- a/src/network/lookup_name.c
-+++ b/src/network/lookup_name.c
-@@ -95,7 +95,9 @@ static int name_from_hosts(struct address buf[static MAXADDRS], char canon[stati
- struct dpc_ctx {
- struct address *addrs;
- char *canon;
-+ int wanted;
- int cnt;
-+ int recordcnt[2];
- };
-
- int __dns_parse(const unsigned char *, int, int (*)(void *, int, const void *, int, const void *), void *);
-@@ -115,12 +117,16 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
- switch (rr) {
- case RR_A:
- if (len != 4) return -1;
-+ ctx->recordcnt[0]++;
-+ if (ctx->wanted && rr != ctx->wanted) return 0;
- ctx->addrs[ctx->cnt].family = AF_INET;
- ctx->addrs[ctx->cnt].scopeid = 0;
- memcpy(ctx->addrs[ctx->cnt++].addr, data, 4);
- break;
- case RR_AAAA:
- if (len != 16) return -1;
-+ ctx->recordcnt[1]++;
-+ if (ctx->wanted && rr != ctx->wanted) return 0;
- ctx->addrs[ctx->cnt].family = AF_INET6;
- ctx->addrs[ctx->cnt].scopeid = 0;
- memcpy(ctx->addrs[ctx->cnt++].addr, data, 16);
-@@ -134,7 +140,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
- return 0;
- }
-
--static int name_from_dns(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family, const struct resolvconf *conf)
-+static int name_from_dns(struct address buf[static MAXADDRS], char canon[static 256], const char *name, int family, const struct resolvconf *conf, int searchpath_len)
- {
- unsigned char qbuf[2][280], abuf[2][512];
- const unsigned char *qp[2] = { qbuf[0], qbuf[1] };
-@@ -148,7 +154,12 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
- };
-
- for (i=0; i<2; i++) {
-- if (family != afrr[i].af) {
-+ if (family && family != afrr[i].af) ctx.wanted = afrr[i].rr;
-+
-+ /* If we are using search paths longer than 1 domain, or we have changed the
-+ * ndots setting to be greater than 1, then we need to always treat the query
-+ * as if it were AF_UNSPEC to ensure results are consistent. */
-+ if (family != afrr[i].af || searchpath_len > 1 || conf->ndots > 1) {
- qlens[nq] = __res_mkquery(0, name, 1, afrr[i].rr,
- 0, 0, 0, qbuf[nq], sizeof *qbuf);
- if (qlens[nq] == -1)
-@@ -165,7 +176,14 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
-
- if (ctx.cnt) return ctx.cnt;
- if (alens[0] < 4 || (abuf[0][3] & 15) == 2) return EAI_AGAIN;
-- if ((abuf[0][3] & 15) == 0) return EAI_NONAME;
-+ if ((abuf[0][3] & 15) == 0) {
-+ /* A certain large CDN provider's DNS service erroneously responds to queries with
-+ * a NOERROR(0) response code, while also returning an empty record set. Accordingly,
-+ * check for this and handle it as we would an NXDOMAIN(3) if the record set is empty
-+ * for both A and AAAA records. */
-+ if (nq == 2 && (ctx.recordcnt[0] + ctx.recordcnt[1]) == 0) return 0;
-+ else return EAI_NONAME;
-+ }
- if ((abuf[0][3] & 15) == 3) return 0;
- return EAI_FAIL;
- }
-@@ -175,6 +193,7 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- char search[256];
- struct resolvconf conf;
- size_t l, dots;
-+ int searchpath_len = 0;
- char *p, *z;
-
- if (__get_resolv_conf(&conf, search, sizeof search) < 0) return -1;
-@@ -184,6 +203,12 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- for (dots=l=0; name[l]; l++) if (name[l]=='.') dots++;
- if (dots >= conf.ndots || name[l-1]=='.') *search = 0;
-
-+ /* Count the number of domains in the search path. */
-+ if (*search) {
-+ size_t n;
-+ for (searchpath_len = n = 0; search[n]; n++) if (isspace(search[n])) searchpath_len++;
-+ }
-+
- /* This can never happen; the caller already checked length. */
- if (l >= 256) return EAI_NONAME;
-
-@@ -201,13 +226,13 @@ static int name_from_dns_search(struct address buf[static MAXADDRS], char canon[
- if (z-p < 256 - l - 1) {
- memcpy(canon+l+1, p, z-p);
- canon[z-p+1+l] = 0;
-- int cnt = name_from_dns(buf, canon, canon, family, &conf);
-+ int cnt = name_from_dns(buf, canon, canon, family, &conf, searchpath_len);
- if (cnt) return cnt;
- }
- }
-
- canon[l] = 0;
-- return name_from_dns(buf, canon, name, family, &conf);
-+ return name_from_dns(buf, canon, name, family, &conf, searchpath_len);
- }
-
- static const struct policy {
---
-2.16.3
-
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index 0ff8fc1a47..c9eb6854e5 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.1.19
-pkgrel=6
+pkgrel=7
pkgdesc="the musl c library (libc) implementation"
url="http://www.musl-libc.org/"
arch="all"
@@ -23,7 +23,6 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
0004-implement-wcsftime-padding-specifier-extensions.patch
0005-fix-wrong-result-in-casin-and-many-related-complex-f.patch
- 1000-cloudflare-stupidity.patch
2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
handle-aux-at_base.patch
@@ -155,7 +154,6 @@ sha512sums="abee52d53af4b3c14c9088866c911a24d2b6ef67dc494f38a7a09dfe77250026f775
b0bcfc837f888f2b1c2d65c06dcc0a2fa12da78986ba9c7c86a64123ce44c21a63c13c1cc2e93fdf564a3ca4472c29f0acabaff367914c52bf101d6d8a56ee2e 0003-fix-fmaf-wrong-result.patch
1fedaf691ac394dec3158cff7839e36383d4107b59f003b75c8fb85a5fceb2143e2bb4aae58c08d68ccdf02d5ebf8c9e5031fa6063aa5c3112b4f8c66adab3dd 0004-implement-wcsftime-padding-specifier-extensions.patch
6d7bbb493ccb7006270ace71266c0daf2c87842480f01cafb25609c9a3c77ae35934ee2a2bf00d78be8cce391204dcb9aba33e4d96dbf2a258595cf7a3939130 0005-fix-wrong-result-in-casin-and-many-related-complex-f.patch
-26465058345bcb0d8f5ebd4645b43b2cb3dec26ac55f8cb97a13961f28046fe04bd68e48ba585cc3c036ba75e3cabadf096595e71d1c8c9ec0fb69ebc8340cf5 1000-cloudflare-stupidity.patch
2c8e1dde1834238097b2ee8a7bfb53471a0d9cff4a5e38b55f048b567deff1cdd47c170d0578a67b1a039f95a6c5fbb8cff369c75b6a3e4d7ed171e8e86ebb8c 2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
6a7ff16d95b5d1be77e0a0fbb245491817db192176496a57b22ab037637d97a185ea0b0d19da687da66c2a2f5578e4343d230f399d49fe377d8f008410974238 handle-aux-at_base.patch
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig