---
 CHANGELOG     |  4 ++++
 man/dnsmasq.8 |  3 ++-
 src/rfc1035.c | 23 +++++++++++++++--------
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7e65912..185b78a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -24,6 +24,10 @@ version 2.78
        Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
        chasing this one down.  CVE-2017-13704 applies.
 
+        Make --stop-dns-rebind also apply to RFC 6303 addresses.
+        This is not as good as with IPv4, but something is better
+        than nothing. Patch by Alex Xu.
+
        
 version 2.77
        Generate an error when configured with a CNAME loop,
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 1046a2e..9c85f2e 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -391,7 +391,8 @@ were previously disabled.
 .B --stop-dns-rebind
 Reject (and log) addresses from upstream nameservers which are in the
 private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+firewall is used to probe machines on the local network. The set of
+prefixes affected is currently identical to --bogus-priv.
 .TP
 .B --rebind-localhost-ok
 Exempt 127.0.0.0/8 from rebinding checks. This address range is
diff --git a/src/rfc1035.c b/src/rfc1035.c
index af2fe46..58e1a06 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -784,14 +784,21 @@ int extract_addresses(struct dns_header *header, size_t 
qlen, char *name, time_t
                            return 1;
                          
 #ifdef HAVE_IPV6
-                         if ((flags & F_IPV6) &&
-                             IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
-                           {
-                             struct in_addr v4;
-                             v4.s_addr = ((const uint32_t *) 
(&addr.addr.addr6))[3];
-                             if (private_net(v4, 
!option_bool(OPT_LOCAL_REBIND)))
-                               return 1;
-                           }
+                          if (flags & F_IPV6)
+                            {
+                              if (IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
+                                {
+                                  struct in_addr v4;
+                                  v4.s_addr = ((const uint32_t *) 
(&addr.addr.addr6))[3];
+                                  if (private_net(v4, 
!option_bool(OPT_LOCAL_REBIND)))
+                                      return 1;
+                                }
+                              else
+                                {
+                                  if (private_net6(addr.addr.addr6, 
!option_bool(OPT_LOCAL_RBIND)))
+                                      return 1;
+                                }
+                            }
 #endif
                        }
                      
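Review bot: The new non-mapped IPv6 branch passes `!option_bool(OPT_LOCAL_RBIND)` while the v4-mapped branch right above it uses `OPT_LOCAL_REBIND`; unless both names really exist in the option enum this will not compile with HAVE_IPV6, and it reads as a typo — `if (private_net6(addr.addr.addr6, !option_bool(OPT_LOCAL_REBIND)))`. The diffstat shows no other source file touched, so a `private_net6` taking a `struct in6_addr` by value plus a ban-localhost flag must already exist with exactly that signature; if the existing helper takes a pointer or a single argument, this call site is what needs adjusting, so that is worth confirming before merge. Stylistically the `else { if (...) return 1; }` block could collapse to `else if (private_net6(...)) return 1;`, matching the flat `if (...) return 1;` form used for the IPv4 check. The man-page hunk states the prefix set matches --bogus-priv but does not say whether --rebind-localhost-ok now also exempts ::1, which the second argument implies; a sentence under --rebind-localhost-ok would settle that. extract_addresses starts and ends outside this hunk.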
-- 
2.14.1


