3658. [port] linux: Address platform specific compilation issue

when libcap-devel is installed. [RT #34838]

(cherry picked from commit 7433a204d3)
(cherry picked from commit 9b7d05c900)

CHANGES

@@ -1,3 +1,18 @@
+	--- 9.8.6-P2 released ---
+
+3693.	[security]	memcpy was incorrectly called with overlapping
+			ranges resulting in malformed names being generated
+			on some platforms.  This could cause INSIST failures
+			when serving NSEC3 signed zones.  [RT #35120]
+
+3658.	[port]		linux: Address platform specific compilation issue
+			when libcap-devel is installed. [RT #34838]
+
+	--- 9.8.6-P1 released ---
+
+3656.	[bug]		Treat an all zero netmask as invalid when generating
+			the localnets acl. [RT #34687]
+
 	--- 9.8.6 released ---
 
 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is 

bin/named/interfacemgr.c

@@ -525,15 +525,22 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
 		return (result);
 
 	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      ISC_LOG_WARNING,
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
 			      "omitting IPv4 interface %s from "
-			      "localnets ACL: %s",
-			      interface->name,
+			      "localnets ACL: %s", interface->name,
 			      isc_result_totext(result));
 		return (ISC_R_SUCCESS);
 	}
 
+	if (prefixlen == 0U) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+			      "omitting %s interface %s from localnets ACL: "
+			      "zero prefix length detected",
+			      (netaddr->family == AF_INET) ? "IPv4" : "IPv6",
+			      interface->name);
+		return (ISC_R_SUCCESS);
+	}
+
 	result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable,
 				       netaddr, prefixlen, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)

bin/named/query.c

@@ -5178,8 +5178,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 	dns_fixedname_t fixed;
 	dns_hash_t hash;
 	dns_name_t name;
-	int order;
-	unsigned int count;
+	unsigned int skip = 0, labels;
 	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t optout;
@@ -5192,6 +5191,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 
 	dns_name_init(&name, NULL);
 	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
 
 	/*
 	 * Map unknown algorithm to known value.
@@ -5223,13 +5223,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 		dns_rdata_reset(&rdata);
 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
 			dns_rdataset_disassociate(rdataset);
 			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 				      "looking for closest provable encloser");
@@ -5247,7 +5248,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
+	if (found == qname) {
+		if (skip != 0U)
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+	} else if (found != NULL)
 		dns_name_copy(&name, found, NULL);
 	return;
 }

bin/named/unix/os.c

@@ -117,12 +117,12 @@ static int dfd[2] = { -1, -1 };
 static isc_boolean_t non_root = ISC_FALSE;
 static isc_boolean_t non_root_caps = ISC_FALSE;
 
-#ifdef HAVE_LINUX_TYPES_H
-#include <linux/types.h>
-#endif
 #ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
 #else
+#ifdef HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
 /*%
  * We define _LINUX_FS_H to prevent it from being included.  We don't need
  * anything from it, and the files it includes cause warnings with 2.2

configure

@@ -17493,17 +17493,28 @@ fi
 
 done
 
-		for ac_header in linux/capability.h sys/capability.h
+		for ac_header in sys/capability.h
 do :
-  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#ifdef HAVE_LINUX_TYPES_H
+  ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_CAPABILITY_H 1
+_ACEOF
+
+fi
+
+done
+
+		for ac_header in linux/capability.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "linux/capability.h" "ac_cv_header_linux_capability_h" "#ifdef HAVE_LINUX_TYPES_H
 				  #include <linux/types.h>
 				  #endif
 
 "
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+if test "x$ac_cv_header_linux_capability_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_LINUX_CAPABILITY_H 1
 _ACEOF
 
 fi

configure.in

@@ -2426,7 +2426,8 @@ AC_ARG_ENABLE(linux-caps,
 case "$enable_linux_caps" in
 	yes|'')
 		AC_CHECK_HEADERS(linux/types.h)
-		AC_CHECK_HEADERS([linux/capability.h sys/capability.h], [], [],
+		AC_CHECK_HEADERS([sys/capability.h])
+		AC_CHECK_HEADERS([linux/capability.h], [], [],
 				 [#ifdef HAVE_LINUX_TYPES_H
 				  #include <linux/types.h>
 				  #endif

version

@@ -8,5 +8,5 @@ DESCRIPTION=
 MAJORVER=9
 MINORVER=8
 PATCHVER=6
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=2