--- CHANGELOG | 4 ++++ man/dnsmasq.8 | 3 ++- src/rfc1035.c | 23 +++++++++++++++-------- 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG index 7e65912..185b78a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -24,6 +24,10 @@ version 2.78 Juan Manuel Fernandez and Kevin Darbyshire-Bryant for chasing this one down. CVE-2017-13704 applies. + Make --stop-dns-rebind also apply to RFC 6303 addresses. + This is not as good as with IPv4, but something is better + than nothing. Patch by Alex Xu. + version 2.77 Generate an error when configured with a CNAME loop, diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index 1046a2e..9c85f2e 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -391,7 +391,8 @@ were previously disabled. .B --stop-dns-rebind Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a -firewall is used to probe machines on the local network. +firewall is used to probe machines on the local network. The set of +prefixes affected is currently identical to --bogus-priv. .TP .B --rebind-localhost-ok Exempt 127.0.0.0/8 from rebinding checks. This address range is diff --git a/src/rfc1035.c b/src/rfc1035.c index af2fe46..58e1a06 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c 
@@ -784,14 +784,21 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 return 1;
 #ifdef HAVE_IPV6
- if ((flags & F_IPV6) &&
- IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
- {
- struct in_addr v4;
- v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
- if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
- return 1;
- }
+ if (flags & F_IPV6)
+ {
+ if (IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
+ {
+ struct in_addr v4;
+ v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
+ if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+ return 1;
+ }
+ else
+ {
+ if (private_net6(addr.addr.addr6, !option_bool(OPT_LOCAL_RBIND)))
+ return 1;
+ }
+ }
 #endif
 }
-- 
2.14.1 .
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
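Review bot: The new native-IPv6 branch reads `OPT_LOCAL_RBIND` while the v4-mapped branch a few lines above reads `OPT_LOCAL_REBIND`; unless a second option constant by that name exists, this is a typo that either fails to build or, if it happens to resolve, makes --rebind-localhost-ok behave differently for IPv6 than for IPv4, and the line should be `if (private_net6(addr.addr.addr6, !option_bool(OPT_LOCAL_REBIND)))`. The diffstat credits rfc1035.c with exactly the 15 insertions and 8 deletions visible in this hunk, so the patch does not touch private_net6 itself; confirm that the existing private_net6 accepts a by-value struct in6_addr plus a ban-localhost flag, since the call as written would not compile against a one-argument, pointer-taking definition. A short comment on the else branch would also help, e.g. `/* Native IPv6: only the RFC 6303 prefixes used by --bogus-priv are rejected; this is narrower than the IPv4 private_net list */`, so a later reader does not assume parity with the IPv4 check. The enclosing extract_addresses body begins and ends outside the hunk.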