Update embedded dnsmasq to v2.93rc1

CMakeLists.txt

@@ -16,6 +16,6 @@ set(CMAKE_C_STANDARD 17)
 
 project(PIHOLE_FTL C)
 
-set(DNSMASQ_VERSION pi-hole-v2.92.2)
+set(DNSMASQ_VERSION pi-hole-v2.93rc1)
 
 add_subdirectory(src)

build.sh

@@ -95,6 +95,16 @@ if [[ -n "${debug}" ]]; then
     restart=1
 fi
 
+# If we are building in debug mode, ensure CMake is configured for a Debug build
+# This appends the cache entry so callers can still pass other -D options.
+if [[ -n "${debug}" ]]; then
+    if [[ -n "${cmake_args}" ]]; then
+        cmake_args="${cmake_args} -DCMAKE_BUILD_TYPE=Debug"
+    else
+        cmake_args="-DCMAKE_BUILD_TYPE=Debug"
+    fi
+fi
+
 # If we are in dev mode, we want to build, install, restart, and tail the logs
 # by default
 if [[ -n "${dev}" ]]; then

src/CMakeLists.txt

@@ -327,6 +327,33 @@ find_library(LIBNETTLE NAMES libnettle${LIBRARY_SUFFIX} nettle HINTS /usr/local/
 find_library(LIBIDN2 NAMES libidn2${LIBRARY_SUFFIX} idn2)
 find_library(LIBUNISTRING NAMES libunistring${LIBRARY_SUFFIX} unistring)
 
+# Echo library search results to the console
+if(LIBHOGWEED)
+    message(STATUS "Found libhogweed: ${LIBHOGWEED}")
+else()
+    message(WARNING "libhogweed not found, DNSSEC support will be disabled")
+endif()
+if(LIBGMP)
+    message(STATUS "Found libgmp: ${LIBGMP}")
+else()
+    message(WARNING "libgmp not found, DNSSEC support will be disabled")
+endif()
+if(LIBNETTLE)
+    message(STATUS "Found libnettle: ${LIBNETTLE}")
+else()
+    message(WARNING "libnettle not found, DNSSEC support will be disabled")
+endif()
+if(LIBIDN2)
+    message(STATUS "Found libidn2: ${LIBIDN2}")
+else()
+    message(WARNING "libidn2 not found, IDN support will be disabled")
+endif()
+if(LIBUNISTRING)
+    message(STATUS "Found libunistring: ${LIBUNISTRING}")
+else()
+    message(WARNING "libunistring not found, IDN support will be disabled")
+endif()
+
 target_link_libraries(pihole-FTL rt Threads::Threads ${LIBHOGWEED} ${LIBGMP} ${LIBNETTLE} ${LIBIDN2} ${LIBUNISTRING})
 
 if(LUA_DL STREQUAL "true")

src/FTL.h

@@ -12,6 +12,29 @@
 
 #define __USE_XOPEN
 #define _GNU_SOURCE
+#ifdef __GNUC__
+/*
+ * Protect system headers from project-local macro redefinitions.
+ *
+ * `dnsmasq/dnsmasq.h` (and other third-party headers) define very common
+ * identifiers like `free`/`strdup` as macros that expand to internal
+ * wrappers (e.g. `free_real(__func__, __LINE__, (x))`). If such macros are
+ * active while system headers are included, they can be expanded inside
+ * libc prototypes and inline functions and produce invalid code, causing
+ * spurious compiler errors.
+ *
+ * To avoid this we push any existing macro definition on a stack, undefine
+ * the name while including system headers, and restore the original macro
+ * afterwards with `#pragma pop_macro`.
+ *
+ * Note: `#pragma push_macro`/`pop_macro` is a GCC/Clang extension, so we
+ * guard its use with `#ifdef __GNUC__` for portability.
+ */
+#pragma push_macro("free")
+#pragma push_macro("strdup")
+#undef free
+#undef strdup
+#endif
 #include <stdio.h>
 // variable argument lists
 #include <stdarg.h>
@@ -176,7 +199,12 @@
 // and report accordingly in the log. This will make debugging FTL crash
 // caused by insufficient memory or by code bugs (not properly dealing
 // with NULL pointers) much easier.
+#ifdef __GNUC__
+#pragma pop_macro("strdup")
+#pragma pop_macro("free")
+#endif
 #undef strdup // strdup() is a macro in itself, it needs special handling
+#undef free
 #define free(ptr) { FTLfree(ptr, __FILE__,  __FUNCTION__,  __LINE__); ptr = NULL; }
 #define strdup(str_in) FTLstrdup(str_in, __FILE__,  __FUNCTION__,  __LINE__)
 #define calloc(numer_of_elements, element_size) FTLcalloc(numer_of_elements, element_size, __FILE__,  __FUNCTION__,  __LINE__)

src/api/2fa.c

@@ -33,8 +33,11 @@ static uint32_t hotp(const uint8_t *key, size_t key_len, const uint64_t counter,
 	// Compute HMAC-SHA1
 	hmac_sha1_update(&ctx, sizeof(counter_be), (uint8_t*)&counter_be);
 	uint8_t out[SHA1_DIGEST_SIZE];
+#if NETTLE_VERSION_MAJOR >= 4
+	hmac_sha1_digest(&ctx, out);
+#else
 	hmac_sha1_digest(&ctx, SHA1_DIGEST_SIZE, out);
-
+#endif
 	// Truncate HMAC-SHA1 for ease of use
 	// RFC 6238 (section 5.3): offset = last nibble of hash
 	const uint8_t offset = out[SHA1_DIGEST_SIZE-1] & 0x0F;

src/config/password.c

@@ -76,7 +76,11 @@ static char * __attribute__((malloc)) double_sha256_password(const char *passwor
 	              strlen(password),
 	              (uint8_t*)password);
 
+#if NETTLE_VERSION_MAJOR >= 4
+	sha256_digest(&ctx, raw_response);
+#else
 	sha256_digest(&ctx, SHA256_DIGEST_SIZE, raw_response);
+#endif
 	sha256_raw_to_hex(raw_response, response);
 
 	// Hash password a second time
@@ -85,7 +89,11 @@ static char * __attribute__((malloc)) double_sha256_password(const char *passwor
 	              strlen(response),
 	              (uint8_t*)response);
 
+#if NETTLE_VERSION_MAJOR >= 4
+	sha256_digest(&ctx, raw_response);
+#else
 	sha256_digest(&ctx, SHA256_DIGEST_SIZE, raw_response);
+#endif
 	sha256_raw_to_hex(raw_response, response);
 
 	return strdup(response);

src/dnsmasq/arp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dnsmasq/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -591,7 +591,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   if (auth && zone)
     {
       char *authname;
-      int newoffset, offset = 0;
+      int newoffset = ansp - (unsigned char *)header, offset = 0;
 
       if (!subnet)
 	authname = zone->domain;
@@ -631,8 +631,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
 
       /* handle NS and SOA in auth section or for explicit queries */
-       newoffset = ansp - (unsigned char *)header;
-       if (((anscount == 0 && !ns) || soa) &&
+      if (((anscount == 0 && !ns) || soa) &&
 	  add_resource_record(header, limit, &trunc, 0, &ansp, 
 			      daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll",
 			      authname, daemon->authserver,  daemon->hostmaster,
@@ -650,11 +649,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       if (anscount != 0 || ns)
 	{
 	  struct name_list *secondary;
-
+	 	  
 	  /* Only include the machine running dnsmasq if it's acting as an auth server */
 	  if (daemon->authinterface)
 	    {
-	      newoffset = ansp - (unsigned char *)header;
 	      if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
 				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
 		{
@@ -669,9 +667,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 
 	  if (!subnet)
 	    for (secondary = daemon->secondary_forward_server; secondary; secondary = secondary->next)
-	      if (add_resource_record(header, limit, &trunc, offset, &ansp, 
-				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", secondary->name))
+	      if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
+				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, secondary->name))
 		{
+		  if (offset == 0) 
+		    offset = newoffset;
 		  if (ns) 
 		    anscount++;
 		  else

src/dnsmasq/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -193,20 +193,22 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
 {
   size_t blen;
   struct  blockdata *b;
-  uint8_t *new, *d;
+  uint8_t *d;
 
-  static unsigned int buff_len = 0;
-  static unsigned char *buff = NULL;
-
   if (!data)
     {
+      static unsigned int buff_len = 0;
+      static unsigned char *buff = NULL;
+      uint8_t *new;
+
       if (len > buff_len)
 	{
-	  if (!(new = whine_malloc(len)))
+	  blen = len + 1024;
+	  if (!(new = whine_realloc(buff, blen)))
 	    return NULL;
-	  if (buff)
-	    free(buff);
+
 	  buff = new;
+	  buff_len = blen;
 	}
       data = buff;
     }

src/dnsmasq/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -47,33 +47,29 @@ static union all_addr del_addr;
 
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 
-int arp_enumerate(void *parm, callback_t callback)
+static int arp_enumerate_family(int family, void *parm, callback_t callback)
 {
   int mib[6];
   size_t needed;
   char *next;
   struct rt_msghdr *rtm;
-  struct sockaddr_inarp *sin2;
   struct sockaddr_dl *sdl;
-  struct iovec buff;
+  static struct iovec buff = { NULL, 0 };
   int rc;
 
-  buff.iov_base = NULL;
-  buff.iov_len = 0;
-
   mib[0] = CTL_NET;
   mib[1] = PF_ROUTE;
   mib[2] = 0;
-  mib[3] = AF_INET;
+  mib[3] = family;
   mib[4] = NET_RT_FLAGS;
 #ifdef RTF_LLINFO
   mib[5] = RTF_LLINFO;
 #else
   mib[5] = 0;
 #endif	
   if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1 || needed == 0)
-    return 0;
-
+    return 1;  /* not a failure: unsupported or empty table */
+  
   while (1) 
     {
       if (!expand_buf(&buff, needed))
@@ -83,20 +79,50 @@ int arp_enumerate(void *parm, callback_t callback)
 	break;
       needed += needed / 8;
     }
+
   if (rc == -1)
     return 0;
 
   for (next = buff.iov_base ; next < (char *)buff.iov_base + needed; next += rtm->rtm_msglen)
     {
       rtm = (struct rt_msghdr *)next;
-      sin2 = (struct sockaddr_inarp *)(rtm + 1);
-      sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
-      if (!callback.af_unspec(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
-	return 0;
+      if (family == AF_INET)
+	{
+	  struct sockaddr_inarp *sin2 = (struct sockaddr_inarp *)(rtm + 1);
+	  sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
+          if (!callback.af_unspec(AF_INET, &sin2->sin_addr,
+				  LLADDR(sdl), sdl->sdl_alen, parm))
+	    return 0;
+        }
+      else
+	{
+          struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(rtm + 1);
+          sdl = (struct sockaddr_dl *)((char *)sin6 + SA_SIZE(sin6));
+          if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+            {
+              /* PF_ROUTE sysctl returns raw kernel structures with the interface
+		 index embedded in bytes 2-3 of link-local addresses. Extract it
+                 into sin6_scope_id per the KAME API contract before clearing. */
+	      sin6->sin6_scope_id =
+		((uint32_t)(sin6->sin6_addr.s6_addr[2]) << 8) | sin6->sin6_addr.s6_addr[3];
+	      sin6->sin6_addr.s6_addr[2] = 0;
+              sin6->sin6_addr.s6_addr[3] = 0;
+	    }
+          if (!callback.af_unspec(AF_INET6, &sin6->sin6_addr,
+                                  LLADDR(sdl), sdl->sdl_alen, parm))
+            return 0;
+        }
     }
-
+  
   return 1;
 }
+
+static int arp_enumerate(void *parm, callback_t callback)
+{
+  if (!arp_enumerate_family(AF_INET, parm, callback))
+    return 0;
+  return arp_enumerate_family(AF_INET6, parm, callback);
+}
 #endif /* defined(HAVE_BSD_NETWORK) && !defined(__APPLE__) */