Remove arbitrary workspace size limit.

I have no memory for why this was ever there. It breaks DNSSEC
validation of large RRsets.

I can't see any DoS potential that is exposed by removing it.

CHANGELOG

@@ -75,7 +75,14 @@ version 2.91
 	Fix erroneous "DNSSEC validated" state with non-DNSSEC
 	upstream servers.  Thanks to Dominik Derigs for the bug report.
 
+	Handle queries with EDNS client subnet fields better. If dnsmasq
+	is configured to add an EDNS client subnet to a query, it is careful
+	to suppress use of the cache, since a cached answer may not be valid
+	for a query with a different client subnet. Extend this behaviour
+	to queries which arrive a dnsmasq already carrying an EDNS client
+	subnet.
 
+	
 version 2.90
 	Fix reversion in --rev-server introduced in 2.88 which
 	caused breakage if the prefix length is not exactly divisible

Makefile

@@ -102,9 +102,7 @@ clean : mostly_clean
 	rm -f core */core
 	rm -f *~ contrib/*/*~ */*~
 
-install : all install-common
-
-install-common :
+install : all
 	$(INSTALL) -d $(DESTDIR)$(BINDIR)
 	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
@@ -121,7 +119,11 @@ all-i18n : $(BUILDDIR)
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
 	done
 
-install-i18n : all-i18n install-common
+install-i18n : all-i18n
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
+	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)
 	cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
 	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 

man/dnsmasq.8

@@ -1429,7 +1429,7 @@ forces "simple and safe" behaviour to avoid problems in such a case.
 .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
 Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
-requests arriving on that interface will we relayed to a remote DHCP
+requests arriving on that interface will be relayed to a remote DHCP
 server at the server address. It is possible to relay from a single local
 address to multiple remote servers by using multiple \fB--dhcp-relay\fP
 configs with the same local address and different server

po/de.po

@@ -2,7 +2,7 @@
 #
 # This revised version is (C) Copyright by
 # Matthias Andree <matthias.andree@gmx.de>, 2010 - 2021.
-# Conrad Kostecki <conrad@kostecki.com>, 2014 - 2022.
+# Conrad Kostecki <conrad@kostecki.com>, 2014 - 2024.
 # It is subject to the GNU General Public License v2,
 # or at your option, any later version.
 #
@@ -10,10 +10,10 @@
 # Simon Kelley <simon@thekelleys.org.uk>, 2005.
 msgid ""
 msgstr ""
-"Project-Id-Version: dnsmasq 2.88\n"
+"Project-Id-Version: dnsmasq 2.91\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2021-03-20 00:00+0000\n"
-"PO-Revision-Date: 2022-11-17 20:08+0100\n"
+"PO-Revision-Date: 2024-12-23 22:36+0100\n"
 "Last-Translator: Conrad Kostecki <conrad@kostecki.com>\n"
 "Language-Team: German <de@li.org>\n"
 "Language: de\n"
@@ -21,7 +21,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 3.2\n"
+"X-Generator: Poedit 3.5\n"
 
 #: cache.c:652
 msgid "Internal error in cache."
@@ -43,9 +43,9 @@ msgid "bad name at %s line %d"
 msgstr "Fehlerhafter Name in %s Zeile %d"
 
 #: cache.c:1265
-#, fuzzy, c-format
+#, c-format
 msgid "read %s - %d names"
-msgstr "%s gelesen - %d Adressen"
+msgstr "%s gelesen - %d Namen"
 
 #: cache.c:1381
 msgid "cleared cache"
@@ -84,7 +84,7 @@ msgstr "weitergeleitete Anfragen %u, lokal beantwortete Anfragen %u"
 #: cache.c:1766
 #, c-format
 msgid "queries answered from stale cache %u"
-msgstr ""
+msgstr "Anfragen beantwortet vom veralteten Cache %u"
 
 #: cache.c:1768
 #, c-format
@@ -92,9 +92,9 @@ msgid "queries for authoritative zones %u"
 msgstr "Anfragen nach autoritativen Zonen %u"
 
 #: cache.c:1796
-#, fuzzy, c-format
+#, c-format
 msgid "server %s#%d: queries sent %u, retried %u, failed %u, nxdomain replies %u, avg. latency %ums"
-msgstr "Server %s#%d: Anfragen gesendet %u, erneut versucht oder fehlgeschlagen %u"
+msgstr "Server %s#%d: Anfragen gesendet %u, erneut versucht %u, fehlgeschlagen %u, nxdomain-Antworten %u, durchschnittliche Latenz %ums"
 
 #: util.c:51
 #, c-format
@@ -120,14 +120,14 @@ msgid "failed to allocate %d bytes"
 msgstr "Konnte %d Bytes nicht belegen"
 
 #: util.c:344
-#, fuzzy, c-format
+#, c-format
 msgid "failed to reallocate %d bytes"
-msgstr "Konnte %d Bytes nicht belegen"
+msgstr "Konnte %d Bytes nicht allozieren"
 
 #: util.c:465
-#, fuzzy, c-format
+#, c-format
 msgid "cannot read monotonic clock: %s"
-msgstr "kann Netlink-Socket nicht erzeugen: %s"
+msgstr "monotone Uhr kann nicht gelesen werden: %s"
 
 # @Simon: not perfect but I cannot get nearer right now.
 #: util.c:579
@@ -188,11 +188,11 @@ msgstr "Unberechtigte DNS-Anfragen von Windows-Rechnern nicht weiterleiten."
 
 #: option.c:404
 msgid "Don't include IPv4 addresses in DNS answers."
-msgstr ""
+msgstr "Keine IPv4-Adressen in DNS-Antworten inkludieren."
 
 #: option.c:405
 msgid "Don't include IPv6 addresses in DNS answers."
-msgstr ""
+msgstr "Keine IPv6-Adressen in DNS-Antworten inkludieren."
 
 #: option.c:406
 msgid "Enable DHCP in the range given with lease duration."
@@ -313,7 +313,7 @@ msgstr "Fehlerhafte Suchergebnisse NICHT zwischenspeichern."
 
 #: option.c:434
 msgid "Use expired cache data for faster reply."
-msgstr ""
+msgstr "Verwende abgelaufene Cachedaten für schnellere Antwort."
 
 #: option.c:435
 #, c-format
@@ -347,7 +347,7 @@ msgstr "Ausgehenden Port für DNS-Anfragen an vorgelagerte Server erzwingen."
 
 #: option.c:442
 msgid "Set maximum number of random originating ports for a query."
-msgstr ""
+msgstr "Setze die maximale Anzahl zufälliger Ursprungsports für eine Abfrage."
 
 #: option.c:443
 msgid "Do NOT read resolv.conf."
@@ -404,7 +404,7 @@ msgstr "Spezifiziere untere Gültigkeitsdauergrenze für Zwischenspeicher."
 
 #: option.c:456
 msgid "Retry DNS queries after this many milliseconds."
-msgstr ""
+msgstr "DNS-Abfragen nach so vielen Millisekunden wiederholen."
 
 #: option.c:457
 #, c-format
@@ -520,7 +520,7 @@ msgstr "Konfiguration aus allen Dateien in diesem Verzeichnis lesen."
 
 #: option.c:484
 msgid "Execute file and read configuration from stdin."
-msgstr ""
+msgstr "Führe Datei aus und lese die Konfiguration aus stdin."
 
 #: option.c:485
 msgid "Log to this syslog facility or file. (defaults to DAEMON)"
@@ -680,7 +680,7 @@ msgstr "Anfragende MAC-Adresse in die weiterleitende DNS-Anfrage einfügen."
 
 #: option.c:523
 msgid "Strip MAC information from queries."
-msgstr ""
+msgstr "Entferne die MAC-Information von Abfragen."
 
 #: option.c:524
 msgid "Add specified IP subnet to forwarded DNS queries."
@@ -688,7 +688,7 @@ msgstr "Füge spezifiziertes IP-Subnetz an weitergeleiteten DNS-Anfragen hinzu."
 
 #: option.c:525
 msgid "Strip ECS information from queries."
-msgstr ""
+msgstr "Entferne die ECS-Information von Abfragen."
 
 #: option.c:526
 msgid "Add client identification to forwarded DNS queries."
@@ -773,9 +773,8 @@ msgid "Specify ipsets to which matching domains should be added"
 msgstr "Spezifiziere IPSets, zu denen passende Domains hinzugefügt werden sollen"
 
 #: option.c:546
-#, fuzzy
 msgid "Specify nftables sets to which matching domains should be added"
-msgstr "Spezifiziere IPSets, zu denen passende Domains hinzugefügt werden sollen"
+msgstr "Geben Sie nftables sets an, zu denen passende Domänen hinzugefügt werden sollen"
 
 #: option.c:547
 msgid "Enable filtering of DNS queries with connection-track marks."
@@ -880,7 +879,7 @@ msgstr "Protokolliere kein Routine-TFTP."
 
 #: option.c:572
 msgid "Suppress round-robin ordering of DNS records."
-msgstr ""
+msgstr "Unterdrückt die Round-Robin-Sortierung von DNS-Einträgen."
 
 #: option.c:802
 #, c-format
@@ -915,11 +914,11 @@ msgstr "Schnittstellenbindung nicht unterstützt"
 
 #: option.c:955
 msgid "Cannot resolve server name"
-msgstr ""
+msgstr "Servername kann nicht aufgelöst werden"
 
 #: option.c:991
 msgid "cannot use IPv4 server address with IPv6 source address"
-msgstr ""
+msgstr "IPv4-Serveradresse kann nicht mit IPv6-Quelladresse verwendet werden"
 
 #: option.c:997 option.c:1043
 msgid "interface can only be specified once"
@@ -931,21 +930,19 @@ msgstr "Fehlerhafter Schnittestellenname"
 
 #: option.c:1037
 msgid "cannot use IPv6 server address with IPv4 source address"
-msgstr ""
+msgstr "IPv6-Serveradresse kann nicht mit IPv4-Quelladresse verwendet werden"
 
 #: option.c:1124
-#, fuzzy
 msgid "bad IPv4 prefix length"
-msgstr "fehlerhafte Präfixlänge"
+msgstr "ungültige IPv4-Präfixlänge"
 
 #: option.c:1155 option.c:1165 option.c:1240 option.c:1250 option.c:5360
 msgid "error"
 msgstr "Fehler"
 
 #: option.c:1207
-#, fuzzy
 msgid "bad IPv6 prefix length"
-msgstr "fehlerhafte Präfixlänge"
+msgstr "ungültige IPv6-Präfixlänge"
 
 #: option.c:1467
 msgid "inappropriate vendor:"
@@ -1034,7 +1031,6 @@ msgid "recompile with HAVE_LUASCRIPT defined to enable Lua scripts"
 msgstr "Neuübersetzung mit HAVE_LUASCRIPT nötig, um benutzerdefinierte Lua-Skripte auszuführen"
 
 #: option.c:2447
-#, fuzzy
 msgid "invalid auth-zone"
 msgstr "unzulässiger Alias-Bereich"
 
@@ -1059,9 +1055,8 @@ msgid "recompile with HAVE_IPSET defined to enable ipset directives"
 msgstr "Neuübersetzung mit HAVE_IPSET nötig, um IPSet-Direktiven zu aktivieren"
 
 #: option.c:3117
-#, fuzzy
 msgid "recompile with HAVE_NFTSET defined to enable nftset directives"
-msgstr "Neuübersetzung mit HAVE_IPSET nötig, um IPSet-Direktiven zu aktivieren"
+msgstr "Neukompilieren mit definiertem HAVE_NFTSET, um NFTSET-Direktiven zu aktivieren"
 
 #: option.c:3192 option.c:3210
 msgid "recompile with HAVE_CONNTRACK defined to enable connmark-allowlist directives"
@@ -1259,7 +1254,7 @@ msgstr "unzulässige Option"
 #: option.c:5363
 #, c-format
 msgid " in output from %s"
-msgstr ""
+msgstr " in der Ausgabe von %s"
 
 #: option.c:5365
 #, c-format
@@ -1272,9 +1267,9 @@ msgid "read %s"
 msgstr "%s gelesen"
 
 #: option.c:5446
-#, fuzzy, c-format
+#, c-format
 msgid "cannot execute %s: %s"
-msgstr "kann %s nicht erstellen: %s"
+msgstr "kann %s nicht ausführen: %s"
 
 #: option.c:5454 option.c:5615 tftp.c:790
 #, c-format
@@ -1282,14 +1277,14 @@ msgid "cannot read %s: %s"
 msgstr "kann %s nicht lesen: %s"
 
 #: option.c:5473
-#, fuzzy, c-format
+#, c-format
 msgid "error executing %s: %s"
-msgstr "konnte %s nicht ausführen: %s"
+msgstr "Fehler bei der Ausführung von %s: %s"
 
 #: option.c:5476
 #, c-format
 msgid "%s returns non-zero error code"
-msgstr ""
+msgstr "%s gibt einen Fehlercode ungleich Null zurück"
 
 #: option.c:5775
 msgid "junk found in command line"
@@ -1399,14 +1394,14 @@ msgid "reducing DNS packet size for nameserver %s to %d"
 msgstr "Reduziere die DNS-Paketgröße für Nameserver %s auf %d"
 
 #: forward.c:1565
-#, fuzzy, c-format
+#, c-format
 msgid "ignoring query from non-local network %s (logged only once)"
-msgstr "Ignoriere Anfrage von auswärtigem Netzwerk"
+msgstr "Ignoriere Abfrage von nicht-lokalen Netzwerk %s (Nur einmal protokolliert)"
 
 #: forward.c:2139
-#, fuzzy, c-format
+#, c-format
 msgid "ignoring query from non-local network %s"
-msgstr "Ignoriere Anfrage von auswärtigem Netzwerk"
+msgstr "Ignoriere Abfrage von nicht-lokalen Netzwerk %s"
 
 #: forward.c:2501
 #, c-format
@@ -1488,7 +1483,7 @@ msgstr "ignoriere Namensserver %s - kann Socket nicht erzeugen/binden: %s"
 
 #: network.c:1643
 msgid "more servers are defined but not logged"
-msgstr ""
+msgstr "mehr Server sind definiert aber nicht protokolliert"
 
 #: network.c:1654
 msgid "(no DNSSEC)"
@@ -1605,7 +1600,7 @@ msgstr "max_port darf nicht kleiner als min_port sein"
 
 #: dnsmasq.c:271
 msgid "port_limit must not be larger than available port range"
-msgstr ""
+msgstr "port_limit darf nicht größer als der verfügbare Portbereich sein"
 
 #: dnsmasq.c:278
 msgid "--auth-server required when an auth zone is defined."
@@ -1810,9 +1805,9 @@ msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr "Begrenze gleichzeitige TFTP-Übertragungen auf maximal %d"
 
 #: dnsmasq.c:1095
-#, fuzzy, c-format
+#, c-format
 msgid "error binding DHCP socket to device %s"
-msgstr "Fehler beim Senden des DHCP-Pakets an %s: %s"
+msgstr "Fehler beim Binden des DHCP-Sockets an Gerät %s"
 
 #: dnsmasq.c:1229
 msgid "connected to system DBus"
@@ -1981,19 +1976,19 @@ msgid "read %s - %d addresses"
 msgstr "%s gelesen - %d Adressen"
 
 #: dhcp.c:1136
-#, fuzzy, c-format
+#, c-format
 msgid "Cannot broadcast DHCP relay via interface %s"
-msgstr "Kann nicht zum DHCPv6 Server multicasten ohne korrekte Schnittstelle"
+msgstr "DHCP-Relay kann nicht über die Schnittstelle %s gesendet werden"
 
 #: dhcp.c:1160
 #, c-format
 msgid "broadcast via %s"
-msgstr ""
+msgstr "broadcast via %s"
 
 #: dhcp.c:1163 rfc3315.c:2219
-#, fuzzy, c-format
+#, c-format
 msgid "DHCP relay at %s -> %s"
-msgstr "DHCP Relais %s -> %s"
+msgstr "DHCP-Relay bei %s -> %s"
 
 #: lease.c:64
 #, c-format
@@ -2405,14 +2400,14 @@ msgid "release received"
 msgstr "Freigabe empfangen"
 
 #: rfc3315.c:2200
-#, fuzzy, c-format
+#, c-format
 msgid "Cannot multicast DHCP relay via interface %s"
-msgstr "Kann nicht zum DHCPv6 Server multicasten ohne korrekte Schnittstelle"
+msgstr "Multicast-DHCP-Relay über Schnittstelle %s nicht möglich"
 
 #: rfc3315.c:2216
 #, c-format
 msgid "multicast via %s"
-msgstr ""
+msgstr "multicast via %s"
 
 #: dhcp-common.c:187
 #, c-format
@@ -2484,9 +2479,9 @@ msgid "router advertisement on %s%s"
 msgstr "Router-Advertisment auf %s%s"
 
 #: dhcp-common.c:1043
-#, fuzzy, c-format
+#, c-format
 msgid "DHCP relay from %s via %s"
-msgstr "DHCP Weiterleitung von %s nach %s"
+msgstr "DHCP-Relay von %s über %s"
 
 #: dhcp-common.c:1045
 #, c-format
@@ -2621,9 +2616,9 @@ msgid "Insecure DS reply received for %s, check domain configuration and upstrea
 msgstr "Unsichere DS-Antwort für %s, bitte Domainkonfiguration und Upstream DNS-Server für DNSSEC-Unterstützung überprüfen"
 
 #: blockdata.c:55
-#, fuzzy, c-format
+#, c-format
 msgid "pool memory in use %zu, max %zu, allocated %zu"
-msgstr "Speicherpool in Benutzung %u, Max %u, zugewiesen %u"
+msgstr "Speicherpool in Benutzung %zu, Max %zu, zugewiesen %zu"
 
 #: tables.c:61
 #, c-format
@@ -2695,24 +2690,23 @@ msgid "bad dynamic directory %s: %s"
 msgstr "fehlerhaftes dynamisches Verzeichnis %s: %s"
 
 #: inotify.c:186
-#, fuzzy
 msgid "not a directory"
-msgstr "Kann auf Verzeichnis %s nicht zugreifen: %s"
+msgstr "ist kein Verzeichnis"
 
 #: inotify.c:299
 #, c-format
 msgid "inotify: %s removed"
-msgstr ""
+msgstr "inotify: %s entfernt"
 
 #: inotify.c:301
-#, fuzzy, c-format
+#, c-format
 msgid "inotify: %s new or modified"
-msgstr "inotify, neue oder geänderte Datei %s"
+msgstr "inotify: %s neu oder modifiziert"
 
 #: inotify.c:309
 #, c-format
 msgid "inotify: flushed %u names read from %s"
-msgstr ""
+msgstr "inotify: %u Namen gelöscht, aus %s gelesen"
 
 #: dump.c:68
 #, c-format
@@ -2729,14 +2723,14 @@ msgid "failed to write packet dump"
 msgstr "schreiben des Paketmitschnitts fehlgeschlagen"
 
 #: dump.c:289
-#, fuzzy, c-format
+#, c-format
 msgid "%u dumping packet %u mask 0x%04x"
-msgstr "Lade UDP Paket %u Maske 0x%04x ab"
+msgstr "%u dumpe Paket %u Maske 0x%04x"
 
 #: dump.c:291
-#, fuzzy, c-format
+#, c-format
 msgid "dumping packet %u mask 0x%04x"
-msgstr "Lade UDP Paket %u Maske 0x%04x ab"
+msgstr "Dumpe Packet %u Make 0x%04x"
 
 #: ubus.c:79
 #, c-format
@@ -2770,9 +2764,8 @@ msgid "Failed to create SHA-256 hash object"
 msgstr "Kann SHA-256-Hash-Objekt nicht erstellen"
 
 #: nftset.c:35
-#, fuzzy
 msgid "failed to create nftset context"
-msgstr "konnte IPset-Kontroll-Socket nicht erzeugen: %s"
+msgstr "Fehler beim Erstellen des NFTSET-Kontexts"
 
 #~ msgid "bad IPv4 prefix"
 #~ msgstr "fehlerhaftes IPv4-Präfix"

src/arp.c

@@ -35,7 +35,7 @@ struct arp_record {
 static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
 static time_t last = 0;
 
-static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+static int filter_mac(int family, void *addrp, char *mac, size_t maclen, void *parmv)
 {
   struct arp_record *arp;
 

src/blockdata.c

@@ -193,7 +193,7 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
 {
   size_t blen;
   struct  blockdata *b;
-  void *new, *d;
+  uint8_t *new, *d;
   
   static unsigned int buff_len = 0;
   static unsigned char *buff = NULL;

src/cache.c

@@ -101,6 +101,7 @@ static const struct {
   { 63,  "ZONEMD" }, /* Message Digest Over Zone Data [RFC8976] ZONEMD/zonemd-completed-template 2018-12-12*/
   { 64,  "SVCB" }, /* Service Binding [draft-ietf-dnsop-svcb-https-00] SVCB/svcb-completed-template 2020-06-30*/
   { 65,  "HTTPS" }, /* HTTPS Binding [draft-ietf-dnsop-svcb-https-00] HTTPS/https-completed-template 2020-06-30*/
+  { 66,  "DSYNC" }, /* Endpoint discovery for delegation synchronization [draft-ietf-dnsop-generalized-notify-03] DSYNC/dsync-completed-template 2024-12-10 */
   { 99,  "SPF" }, /* [RFC7208] */
   { 100, "UINFO" }, /* [IANA-Reserved] */
   { 101, "UID" }, /* [IANA-Reserved] */
@@ -112,6 +113,7 @@ static const struct {
   { 107, "LP" }, /* [RFC6742] ILNP/lp-completed-template */
   { 108, "EUI48" }, /* an EUI-48 address [RFC7043] EUI48/eui48-completed-template 2013-03-27*/
   { 109, "EUI64" }, /* an EUI-64 address [RFC7043] EUI64/eui64-completed-template 2013-03-27*/
+  { 128, "NXNAME" }, /* NXDOMAIN indicator for Compact Denial of Existence https://www.iana.org/go/draft-ietf-dnsop-compact-denial-of-existence-04 */
   { 249, "TKEY" }, /* Transaction Key [RFC2930] */
   { 250, "TSIG" }, /* Transaction Signature [RFC8945] */
   { 251, "IXFR" }, /* incremental transfer [RFC1995] */
@@ -125,6 +127,9 @@ static const struct {
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
   { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
+  { 262, "WALLET" }, /* Public wallet address https://www.iana.org/assignments/dns-parameters/WALLET/wallet-completed-template */
+  { 263, "CLA" }, /*  BP Convergence Layer Adapter https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
+  { 264, "IPN" }, /* BP Node Number https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };

src/dnsmasq.c

@@ -61,6 +61,7 @@ int main (int argc, char **argv)
   int need_cap_net_admin = 0;
   int need_cap_net_raw = 0;
   int need_cap_net_bind_service = 0;
+  int have_cap_chown = 0;
   char *bound_device = NULL;
   int did_bind = 0;
   struct server *serv;
@@ -556,6 +557,8 @@ int main (int argc, char **argv)
   data = safe_malloc(sizeof(*data) * capsize);
   capget(hdr, data); /* Get current values, for verification */
 
+  have_cap_chown = data->permitted & (1 << CAP_CHOWN);
+
   if (need_cap_net_admin && !(data->permitted & (1 << CAP_NET_ADMIN)))
     fail = "NET_ADMIN";
   else if (need_cap_net_raw && !(data->permitted & (1 << CAP_NET_RAW)))
@@ -869,7 +872,14 @@ int main (int argc, char **argv)
   my_syslog(LOG_INFO, _("compile time options: %s"), compile_opts);
 
   if (chown_warn != 0)
-    my_syslog(LOG_WARNING, "chown of PID file %s failed: %s", daemon->runfile, strerror(chown_warn));
+    {
+#if defined(HAVE_LINUX_NETWORK)
+      if (chown_warn == EPERM && !have_cap_chown)
+        my_syslog(LOG_INFO, "chown of PID file %s failed: please add capability CAP_CHOWN", daemon->runfile);
+      else
+#endif
+      my_syslog(LOG_WARNING, "chown of PID file %s failed: %s", daemon->runfile, strerror(chown_warn));
+    }
   
 #ifdef HAVE_DBUS
   if (option_bool(OPT_DBUS))
@@ -2091,11 +2101,11 @@ int swap_to_tcp(struct frec *forward, time_t now, int status, struct dns_header
 	if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
 	  break;
       
-      /* No slots */
-      if (i < 0)
+      /* No slots or no pipe */
+      if (i < 0 || pipe(pipefd) != 0)
 	return STAT_ABANDONED;
-      
-      if (pipe(pipefd) == 0 && (p = fork()) != 0)
+				
+      if ((p = fork()) != 0)
 	{
 	  close(pipefd[1]); /* parent needs read pipe end. */
 	  if (p == -1)

src/dnsmasq.h

@@ -339,7 +339,7 @@ union all_addr {
   struct datablock {
     unsigned short rrtype;
     unsigned char datalen; /* also length of SOA in negative records. */
-    char data[];
+    char data[1];
   } rrdata;
 };
 
@@ -772,9 +772,8 @@ struct dyndir {
 #define FREC_DS_QUERY          16
 #define FREC_AD_QUESTION       32
 #define FREC_DO_QUESTION       64
-#define FREC_ADDED_PHEADER    128
-#define FREC_HAS_PHEADER      256
-#define FREC_GONE_TO_TCP      512
+#define FREC_HAS_PHEADER      128
+#define FREC_GONE_TO_TCP      256
 
 struct frec {
   struct frec_src {
@@ -1402,7 +1401,7 @@ void report_addresses(struct dns_header *header, size_t len, u32 mark);
 #endif
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
-		      time_t now, int ad_reqd, int do_bit, int *stale, int *filtered);
+		      time_t now, int ad_reqd, int do_bit, int no_cache, int *stale, int *filtered);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, 
 			     time_t now);
 int check_for_ignored_address(struct dns_header *header, size_t qlen);
@@ -1667,7 +1666,7 @@ void route_sock(void);
 
 /* bpf.c or netlink.c */
 typedef union {
-	int (*af_unspec)(int family, char *addrp, char *mac, size_t maclen, void *parmv);
+	int (*af_unspec)(int family, void *addrp, char *mac, size_t maclen, void *parmv);
 	int (*af_inet)(struct in_addr local, int if_index, char *label, struct in_addr netmask, struct in_addr broadcast, void *vparam);
 	int (*af_inet6)(struct in6_addr *local, int prefix, int scope, int if_index, int flags, unsigned int preferred, unsigned int valid, void *vparam);
 	int (*af_local)(int index, unsigned int type, char *mac, size_t maclen, void *parm);

src/edns0.c

@@ -417,21 +417,34 @@ static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned c
   else if (option_bool(OPT_STRIP_ECS))
     replace = 2;
   else
-    return plen;
-
+    {
+      unsigned char *pheader;
+      /* If we still think the data is cacheable, and we're not
+	 messing with EDNS client subnet ourselves, see if the client
+	 sent a client subnet. If so, mark the data as uncacheable */
+      if (*cacheable &&
+	  (pheader = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL)) &&
+	  !check_source(header, plen, pheader, NULL))
+	*cacheable = 0;
+      
+      return plen;
+    }
+  
   return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace);
 }
 
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
 {
-  /* Section 9.2, Check that subnet option in reply matches. */
+  /* Section 9.2, Check that subnet option (if any) in reply matches.
+     if peer == NULL, this degrades to a check for the existence of and EDNS0 client-subnet option. */
   
   int len, calc_len;
   struct subnet_opt opt;
   unsigned char *p;
   int code, i, rdlen;
   
-  calc_len = calc_subnet_opt(&opt, peer, NULL);
+  if (peer)
+    calc_len = calc_subnet_opt(&opt, peer, NULL);
    
   if (!(p = skip_name(pseudoheader, header, plen, 10)))
     return 1;
@@ -443,21 +456,26 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
     return 1; /* bad packet */
   
   /* check if option there */
-   for (i = 0; i + 4 < rdlen; i += len + 4)
+  for (i = 0; i + 4 < rdlen; i += len + 4)
      {
        GETSHORT(code, p);
        GETSHORT(len, p);
        if (code == EDNS0_OPTION_CLIENT_SUBNET)
 	 {
-	   /* make sure this doesn't mismatch. */
-	   opt.scope_netmask = p[3];
-	   if (len != calc_len || memcmp(p, &opt, len) != 0)
+	   if (peer)
+	     {
+	       /* make sure this doesn't mismatch. */
+	       opt.scope_netmask = p[3];
+	       if (len != calc_len || memcmp(p, &opt, len) != 0)
+		 return 0;
+	     }
+	   else if (((struct subnet_opt *)p)->source_netmask != 0)
 	     return 0;
 	 }
        p += len;
      }
-   
-   return 1;
+  
+  return 1;
 }
 
 /* See https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic for
@@ -491,7 +509,7 @@ static size_t add_umbrella_opt(struct dns_header *header, size_t plen, unsigned
 {
   *cacheable = 0;
 
-  struct umbrella_opt opt = {{"ODNS"}, UMBRELLA_VERSION, 0, {}};
+  struct umbrella_opt opt = {{"ODNS"}, UMBRELLA_VERSION, 0, {0}};
   u8 *u = &opt.fields[0];
   int family = source->sa.sa_family;
   int size = family == AF_INET ? INADDRSZ : IN6ADDRSZ;
@@ -541,6 +559,6 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l
     plen = add_umbrella_opt(header, plen, limit, source, cacheable);
   
   plen = add_source_addr(header, plen, limit, source, cacheable);
-  	  
+
   return plen;
 }

src/forward.c

@@ -166,34 +166,19 @@ static int domain_no_rebind(char *domain)
 static int forward_query(int udpfd, union mysockaddr *udpaddr,
 			 union all_addr *dst_addr, unsigned int dst_iface,
 			 struct dns_header *header, size_t plen,  size_t replylimit, time_t now, 
-			 struct frec *forward, int ad_reqd, int do_bit, int fast_retry)
+			 struct frec *forward, unsigned int fwd_flags, int fast_retry)
 {
   unsigned int flags = 0;
-  unsigned int fwd_flags = 0;
   int is_dnssec = forward && (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY));
   struct server *master;
   unsigned int gotname;
   int old_src = 0, old_reply = 0;
   int first, last, start = 0;
-  int cacheable, forwarded = 0;
-  unsigned char *oph;
+  int forwarded = 0;
   int ede = EDE_UNSET;
-  (void)do_bit;
   unsigned short rrtype;
 
   gotname = extract_request(header, plen, daemon->namebuff, &rrtype);
-  oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
-
-  if (header->hb4 & HB4_CD)
-    fwd_flags |= FREC_CHECKING_DISABLED;
-  if (ad_reqd)
-    fwd_flags |= FREC_AD_QUESTION;
-  if (oph)
-    fwd_flags |= FREC_HAS_PHEADER;
-#ifdef HAVE_DNSSEC
-  if (do_bit)
-    fwd_flags |= FREC_DO_QUESTION;
-#endif
   
   /* Check for retry on existing query.
      FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below 
@@ -321,11 +306,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 
       forward->flags = fwd_flags;
 
-      plen = add_edns0_config(header, plen, ((unsigned char *)header) + daemon->edns_pktsz, &forward->frec_src.source, now, &cacheable);
-      
-      if (!cacheable)
-	forward->flags |= FREC_NO_CACHE;
-      
 #ifdef HAVE_DNSSEC
       if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
 	{
@@ -338,10 +318,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 	}
 #endif
       
-      /* If there wasn't a PH before, and there is now, we added it. */
-      if (!oph && find_pseudoheader(header, plen, NULL, NULL, NULL, NULL))
-	forward->flags |= FREC_ADDED_PHEADER;
-	      
       /* Do these before saving query. */
       forward->frec_src.orig_id = ntohs(header->id);
       forward->new_id = get_id();
@@ -365,15 +341,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
       forward->forwardall = 0;
       if (domain_no_rebind(daemon->namebuff))
 	forward->flags |= FREC_NOREBIND;
-      if (header->hb4 & HB4_CD)
-	forward->flags |= FREC_CHECKING_DISABLED;
-      if (ad_reqd)
-	forward->flags |= FREC_AD_QUESTION;
 #ifdef HAVE_DNSSEC
       forward->work_counter = daemon->limit[LIMIT_WORK];
       forward->validate_counter = daemon->limit[LIMIT_CRYPTO]; 
-      if (do_bit)
-	forward->flags |= FREC_DO_QUESTION;
 #endif
       
       start = first;
@@ -546,14 +516,14 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
       if (!(plen = make_local_answer(flags, gotname, plen, header, daemon->namebuff, (char *)(header + replylimit), first, last, ede)))
 	return 0;
       
-      if (oph)
+      if (forward->flags & FREC_HAS_PHEADER)
 	{
 	  u16 swap = htons((u16)ede);
 
 	  if (ede != EDE_UNSET)
-	    plen = add_pseudoheader(header, plen, (unsigned char *)(header + replylimit), EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+	    plen = add_pseudoheader(header, plen, (unsigned char *)(header + replylimit), EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, 0, 0);
 	  else
-	    plen = add_pseudoheader(header, plen, (unsigned char *)(header + replylimit), 0, NULL, 0, do_bit, 0);
+	    plen = add_pseudoheader(header, plen, (unsigned char *)(header + replylimit), 0, NULL, 0, 0, 0);
 	}
       
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
@@ -611,8 +581,7 @@ int fast_retry(time_t now)
 		daemon->log_display_id = f->frec_src.log_id;
 		daemon->log_source_addr = NULL;
 		
-		forward_query(-1, NULL, NULL, 0, header, f->stash_len, 0, now, f,
-			      f->flags & FREC_AD_QUESTION, f->flags & FREC_DO_QUESTION, 1);
+		forward_query(-1, NULL, NULL, 0, header, f->stash_len, 0, now, f, 0, 1);
 		
 		to_run = f->forward_delay = 2 * f->forward_delay;
 	      }
@@ -1192,8 +1161,7 @@ void reply_query(int fd, time_t now)
       /* Get the saved query back. */
       blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
       
-      forward_query(-1, NULL, NULL, 0, header, forward->stash_len, 0, now, forward,
-		    forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, 0);
+      forward_query(-1, NULL, NULL, 0, header, forward->stash_len, 0, now, forward, 0, 0);
       return;
     }
 
@@ -1315,7 +1283,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
     header->hb4 |= HB4_CD;
   else
     header->hb4 &= ~HB4_CD;
-  
+
   /* Never cache answers which are contingent on the source or MAC address EDSN0 option,
      since the cache is ignorant of such things. */
   if (forward->flags & FREC_NO_CACHE)
@@ -1323,7 +1291,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
   
   if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, 
 			  forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, 
-			  forward->flags & FREC_ADDED_PHEADER, &forward->frec_src.source,
+			  !(forward->flags & FREC_HAS_PHEADER), &forward->frec_src.source,
 			  ((unsigned char *)header) + daemon->edns_pktsz, ede)))
     {
       struct frec_src *src;
@@ -1391,7 +1359,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
 			  &src->source, &src->dest, src->iface);
 		
 #ifdef HAVE_DUMPFILE
-		dump_packet_udp(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source, src->fd);
+		dump_packet_udp(DUMP_REPLY, daemon->packet, (size_t)new, NULL, &src->source, src->fd);
 #endif
 	      }
 	}
@@ -1454,9 +1422,10 @@ void receive_query(struct listener *listen, time_t now)
   struct in_addr netmask, dst_addr_4;
   size_t m;
   ssize_t n;
-  int if_index = 0, auth_dns = 0, do_bit = 0, have_pseudoheader = 0;
+  int if_index = 0, auth_dns = 0, do_bit = 0;
+  unsigned int fwd_flags = 0;
   int stale = 0, filtered = 0, ede = EDE_UNSET, do_forward = 0;
-  int metric, ad_reqd, fd; 
+  int metric, fd; 
   struct blockdata *saved_question = NULL;
 #ifdef HAVE_CONNTRACK
   unsigned int mark = 0;
@@ -1734,7 +1703,8 @@ void receive_query(struct listener *listen, time_t now)
     { 
       unsigned short flags;
       
-      have_pseudoheader = 1;
+      fwd_flags |= FREC_HAS_PHEADER;
+      
       GETSHORT(udp_size, pheader);
       pheader += 2; /* ext_rcode */
       GETSHORT(flags, pheader);
@@ -1752,10 +1722,15 @@ void receive_query(struct listener *listen, time_t now)
 	udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
     }
 
-  ad_reqd = do_bit;
   /* RFC 6840 5.7 */
-  if (header->hb4 & HB4_AD)
-    ad_reqd = 1;
+  if (do_bit || (header->hb4 & HB4_AD))
+    fwd_flags |= FREC_AD_QUESTION;
+
+  if (do_bit)
+    fwd_flags |= FREC_DO_QUESTION;
+
+  if (header->hb4 & HB4_CD)
+    fwd_flags |= FREC_CHECKING_DISABLED;
 
   fd = listen->fd;
   
@@ -1790,10 +1765,16 @@ void receive_query(struct listener *listen, time_t now)
 #endif
   else
     {
+      int cacheable;
+
+      n = add_edns0_config(header, n, ((unsigned char *)header) + daemon->edns_pktsz, &source_addr, now, &cacheable);
       saved_question = blockdata_alloc((char *) header, (size_t)n);
-      
+
+      if (!cacheable)
+	fwd_flags |= FREC_NO_CACHE;
+
       m = answer_request(header, ((char *) header) + udp_size, (size_t)n, 
-			 dst_addr_4, netmask, now, ad_reqd, do_bit, &stale, &filtered);
+			 dst_addr_4, netmask, now, fwd_flags & FREC_AD_QUESTION, do_bit, !cacheable, &stale, &filtered);
       
       metric = stale ? METRIC_DNS_STALE_ANSWERED : METRIC_DNS_LOCAL_ANSWERED;
       
@@ -1814,7 +1795,7 @@ void receive_query(struct listener *listen, time_t now)
   
   if (m != 0)
     {
-      if (have_pseudoheader)
+      if (fwd_flags & FREC_HAS_PHEADER)
 	{
 	  if (ede != EDE_UNSET)
 	    {
@@ -1863,9 +1844,9 @@ void receive_query(struct listener *listen, time_t now)
       blockdata_retrieve(saved_question, (size_t)n, (void *)header);
       blockdata_free(saved_question);
       saved_question = NULL;
-      
+
       if (forward_query(fd, &source_addr, &dst_addr, if_index, header, (size_t)n,
-			udp_size, now, NULL, ad_reqd, do_bit, 0))
+			udp_size, now, NULL, fwd_flags, 0))
 	daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++;
       else
 	daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
@@ -2212,7 +2193,7 @@ unsigned char *tcp_request(int confd, time_t now,
 #ifdef HAVE_AUTH
   int local_auth = 0;
 #endif
-  int checking_disabled, do_bit = 0, ad_reqd = 0, added_pheader = 0, have_pseudoheader = 0;
+  int checking_disabled, do_bit = 0, ad_reqd = 0, have_pseudoheader = 0;
   struct blockdata *saved_question = NULL;
   unsigned short qtype;
   unsigned int gotname = 0;
@@ -2284,7 +2265,7 @@ unsigned char *tcp_request(int confd, time_t now,
 
   while (1)
     {
-      int stale = 0, ede = EDE_UNSET;
+      int cacheable = 1, stale = 0, ede = EDE_UNSET;
       size_t m = 0;
       unsigned int flags = 0;
 #ifdef HAVE_AUTH
@@ -2329,6 +2310,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	      if (saved_question)
 		blockdata_free(saved_question);
 	      
+	      size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &cacheable);
 	      saved_question = blockdata_alloc((char *)header, (size_t)size);
 	      saved_size = size;
 	      
@@ -2395,7 +2377,7 @@ unsigned char *tcp_request(int confd, time_t now,
 #endif
 	      else
 		m = answer_request(header, ((char *) header) + 65536, (size_t)size, 
-				   dst_addr_4, netmask, now, ad_reqd, do_bit, &stale, &filtered);
+				   dst_addr_4, netmask, now, ad_reqd, do_bit, !cacheable, &stale, &filtered);
 	    }
 	}
       
@@ -2406,7 +2388,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	{
 	  struct server *master;
 	  int start;
-	  int cacheable, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
+	  int no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
 
 	  blockdata_retrieve(saved_question, (size_t)saved_size, header);
 	  size = saved_size;
@@ -2437,8 +2419,6 @@ unsigned char *tcp_request(int confd, time_t now,
 		  else
 		    start = master->last_server;
 		  
-		  size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &cacheable);
-		  
 #ifdef HAVE_DNSSEC
 		  if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
 		    {
@@ -2451,11 +2431,6 @@ unsigned char *tcp_request(int confd, time_t now,
 		    }
 #endif
 		  
-		  /* Check if we added a pheader on forwarding - may need to
-		     strip it from the reply. */
-		  if (!have_pseudoheader && find_pseudoheader(header, size, NULL, NULL, NULL, NULL))
-		    added_pheader = 1;
-		  
 		  /* Loop round available servers until we succeed in connecting to one. */
 		  if ((m = tcp_talk(first, last, start, packet, size, have_mark, mark, &serv)) == 0)
 		    ede = EDE_NETERR;
@@ -2530,7 +2505,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		      
 		      m = process_reply(header, now, serv, (unsigned int)m, 
 					option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
-					ad_reqd, do_bit, added_pheader, &peer_addr, ((unsigned char *)header) + 65536, ede);
+					ad_reqd, do_bit, !have_pseudoheader, &peer_addr, ((unsigned char *)header) + 65536, ede);
 
 		      /* process_reply() adds pheader itself */
 		      have_pseudoheader = 0; 
@@ -3054,7 +3029,7 @@ static struct frec *lookup_frec(char *target, int class, int rrtype, int id, int
 }
 
 /* Send query packet again, if we can. */
-void resend_query()
+void resend_query(void)
 {
   if (daemon->srv_save)
     server_send(daemon->srv_save, daemon->fd_save,

src/ipset.c

@@ -75,11 +75,11 @@ static char *buffer;
 
 static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
 {
-  struct my_nlattr *attr = (void *)nlh + NL_ALIGN(nlh->nlmsg_len);
+  struct my_nlattr *attr = (struct my_nlattr *)((u8 *)nlh + NL_ALIGN(nlh->nlmsg_len));
   uint16_t payload_len = NL_ALIGN(sizeof(struct my_nlattr)) + len;
   attr->nla_type = type;
   attr->nla_len = payload_len;
-  memcpy((void *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len);
+  memcpy((u8 *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len);
   nlh->nlmsg_len += NL_ALIGN(payload_len);
 }
 
@@ -138,8 +138,8 @@ static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, i
   add_attr(nlh, 
 	   (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
 	   addrsz, ipaddr);
-  nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
-  nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
+  nested[1]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[1];
+  nested[0]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[0];
 	
   while (retry_send(sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
 			   (struct sockaddr *)&snl, sizeof(snl))));

src/loop.c

@@ -19,7 +19,7 @@
 #ifdef HAVE_LOOP
 static ssize_t loop_make_probe(u32 uid);
 
-void loop_send_probes()
+void loop_send_probes(void)
 {
    struct server *serv;
    struct randfd_list *rfds = NULL;

src/network.c

@@ -647,7 +647,7 @@ static int iface_allowed_v4(struct in_addr local, int if_index, char *label,
 /*
  * Clean old interfaces no longer found.
  */
-static void clean_interfaces()
+static void clean_interfaces(void)
 {
   struct irec *iface;
   struct irec **up = &daemon->interfaces;

src/option.c

@@ -4161,7 +4161,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		      }
 		    else if (strcmp(arg, "ignore") == 0)
 		      new->flags |= CONFIG_DISABLE;
-		    if (new->hostname)
+		    else if (new->hostname)
 		      {
 			dhcp_config_free(new);
 			ret_err(_("DHCP host has multiple names"));

src/outpacket.c

@@ -23,7 +23,7 @@ static size_t outpacket_counter;
 
 void end_opt6(int container)
 {
-   void *p = daemon->outpacket.iov_base + container + 2;
+   uint8_t *p = (uint8_t *)daemon->outpacket.iov_base + container + 2;
    u16 len = outpacket_counter - container - 4 ;
    
    PUTSHORT(len, p);
@@ -50,11 +50,11 @@ int save_counter(int newval)
 
 void *expand(size_t headroom)
 {
-  void *ret;
+  uint8_t *ret;
 
   if (expand_buf(&daemon->outpacket, outpacket_counter + headroom))
     {
-      ret = daemon->outpacket.iov_base + outpacket_counter;
+      ret = (uint8_t *)daemon->outpacket.iov_base + outpacket_counter;
       outpacket_counter += headroom;
       return ret;
     }
@@ -65,7 +65,7 @@ void *expand(size_t headroom)
 int new_opt6(int opt)
 {
   int ret = outpacket_counter;
-  void *p;
+  unsigned char *p;
 
   if ((p = expand(4)))
     {
@@ -88,7 +88,7 @@ void *put_opt6(void *data, size_t len)
   
 void put_opt6_long(unsigned int val)
 {
-  void *p;
+  unsigned char *p;
   
   if ((p = expand(4)))  
     PUTLONG(val, p);
@@ -96,7 +96,7 @@ void put_opt6_long(unsigned int val)
 
 void put_opt6_short(unsigned int val)
 {
-  void *p;
+  uint8_t *p;
 
   if ((p = expand(2)))
     PUTSHORT(val, p);   

src/rfc1035.c

@@ -1567,7 +1567,7 @@ static int cache_validated(const struct crec *crecp)
 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
-		      time_t now, int ad_reqd, int do_bit, int *stale, int *filtered) 
+		      time_t now, int ad_reqd, int do_bit, int no_cache, int *stale, int *filtered) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
@@ -1582,6 +1582,10 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
   size_t len;
   int rd_bit = (header->hb3 & HB3_RD);
   int count = 255; /* catch loops */
+
+  /* Suppress cached answers of no_cache set. */
+  if (no_cache)
+    rd_bit = 0;
   
   if (stale)
     *stale = 0;

src/rfc3315.c

@@ -39,8 +39,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
 static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
 static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
-static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int minsize);
-static void *opt6_next(void *opts, void *end);
+static void *opt6_find (uint8_t *opts, uint8_t *end, unsigned int search, unsigned int minsize);
+static void *opt6_next(uint8_t *opts, uint8_t *end);
 static unsigned int opt6_uint(unsigned char *opt, int offset, int size);
 static void get_context_tag(struct state *state, struct dhcp_context *context);
 static int check_ia(struct state *state, void *opt, void **endp, void **ia_option);
@@ -61,11 +61,11 @@ static void calculate_times(struct dhcp_context *context, unsigned int *min_time
 
 #define opt6_len(opt) ((int)(opt6_uint(opt, -2, 2)))
 #define opt6_type(opt) (opt6_uint(opt, -4, 2))
-#define opt6_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[4+(i)]))
+#define opt6_ptr(opt, i) ((void *)&(((uint8_t *)(opt))[4+(i)]))
 
-#define opt6_user_vendor_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[2+(i)]))
+#define opt6_user_vendor_ptr(opt, i) ((void *)&(((uint8_t *)(opt))[2+(i)]))
 #define opt6_user_vendor_len(opt) ((int)(opt6_uint(opt, -4, 2)))
-#define opt6_user_vendor_next(opt, end) (opt6_next(((void *) opt) - 2, end))
+#define opt6_user_vendor_next(opt, end) (opt6_next(((uint8_t *) opt) - 2, end))
  
 
 unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *iface_name,
@@ -107,11 +107,11 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
 static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, 
 			     struct in6_addr *client_addr, int is_unicast, time_t now)
 {
-  void *end = inbuff + sz;
-  void *opts = inbuff + 34;
+  uint8_t *end = inbuff + sz;
+  uint8_t *opts = inbuff + 34;
   int msg_type = *inbuff;
   unsigned char *outmsgtypep;
-  void *opt;
+  uint8_t *opt;
   struct dhcp_vendor *vendor;
 
   /* if not an encapsulated relayed message, just do the stuff */
@@ -232,7 +232,7 @@ static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t
   
   for (opt = opts; opt; opt = opt6_next(opt, end))
     {
-      if (opt6_ptr(opt, 0) + opt6_len(opt) > end) 
+      if ((uint8_t *)opt6_ptr(opt, 0) + opt6_len(opt) > end)
         return 0;
      
       /* Don't copy MAC address into reply. */
@@ -1307,7 +1307,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
      reallocated. */
   ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
 
-  log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+  log6_opts(0, state->xid, (uint8_t *)daemon->outpacket.iov_base + start_opts, (uint8_t *)daemon->outpacket.iov_base + save_counter(-1));
   
   return 1;
 
@@ -2093,7 +2093,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
 	      string ? string : "");
 }
 
-static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int minsize)
+static void *opt6_find (uint8_t *opts, uint8_t *end, unsigned int search, unsigned int minsize)
 {
   u16 opt, opt_len;
   void *start;
@@ -2120,7 +2120,7 @@ static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int
     }
 }
 
-static void *opt6_next(void *opts, void *end)
+static void *opt6_next(uint8_t *opts, uint8_t *end)
 {
   u16 opt_len;
   

src/rrfilter.c

@@ -345,9 +345,6 @@ int expand_workspace(unsigned char ***wkspc, int *szp, int new)
   if (old >= new+1)
     return 1;
 
-  if (new >= 100)
-    return 0;
-
   new += 5;
 
   if (!(p = whine_realloc(*wkspc, new * sizeof(unsigned char *))))

src/util.c

@@ -41,7 +41,7 @@ static u32 in[12];
 static u32 out[8];
 static int outleft = 0;
 
-void rand_init()
+void rand_init(void)
 {
   int fd = open(RANDFILE, O_RDONLY);
   
@@ -767,10 +767,10 @@ int retry_send(ssize_t rc)
 
 /* rw = 0 -> write
    rw = 1 -> read
-   rw = 2 -> read once
-   rw = 3 -> write once
+   rw = 2 -> write once
+   rw = 3 -> read once
 
-   "once" fail if all the data doesn't arrive/go in a single read/write.
+   "once" fails on EAGAIN, as this a timeout.
    This indicates a timeout of a TCP socket.
 */
 int read_write(int fd, unsigned char *packet, int size, int rw)
@@ -779,29 +779,34 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
   
   for (done = 0; done < size; done += n)
     {
-      do { 
-	if (rw & 1)
-	  n = read(fd, &packet[done], (size_t)(size - done));
-	else
-	  n = write(fd, &packet[done], (size_t)(size - done));
-	
-	if (n == 0)
-	  return 0;
-
-	if (n == -1 && errno == EINTR)
-	  continue;
-
-	/* "once" variant */
-	if ((rw & 2) && n != size)
-	  return 0;
-	
-      } while (n == -1 && (errno == EINTR || errno == ENOMEM || errno == ENOBUFS ||
-			   errno == EAGAIN || errno == EWOULDBLOCK));
+      if (rw & 1)
+	n = read(fd, &packet[done], (size_t)(size - done));
+      else
+	n = write(fd, &packet[done], (size_t)(size - done));
       
-      if (n == -1)
+      if (n == 0)
 	return 0;
+
+      if (n == -1)
+	{
+	  n = 0; /* don't mess with counter when we loop. */
+
+	  if (errno == EINTR || errno == ENOMEM || errno == ENOBUFS)
+	    continue;
+
+	  if (errno == EAGAIN || errno == EWOULDBLOCK)
+	    {
+	      /* "once" variant */
+	      if (rw & 2)
+		return 0;
+
+	      continue;
+	    }
+
+	  return 0;
+	}
     }
-     
+          
   return 1;
 }