[Dnsmasq-discuss] [PATCH] Make --stop-dns-rebind apply to non-IPv4-mapped IPv6.
Alex Xu (Hello71)
2017-09-20 14:31:59 UTC
---
CHANGELOG | 4 ++++
man/dnsmasq.8 | 3 ++-
src/rfc1035.c | 23 +++++++++++++++--------
3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7e65912..185b78a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -24,6 +24,10 @@ version 2.78
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.

+ Make --stop-dns-rebind also apply to RFC 6303 addresses.
+ This is not as good as with IPv4, but something is better
+ than nothing. Patch by Alex Xu.
+

version 2.77
Generate an error when configured with a CNAME loop,
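Review bot: the changelog entry disagrees with the rest of the patch about what is now covered and does not say why the IPv6 check is weaker. The subject line says the check applies to non-IPv4-mapped IPv6 answers, the man page hunk says the prefix set is "identical to --bogus-priv", and this entry says "RFC 6303 addresses" (RFC 6303 lists locally served reverse zones, not a single prefix set) and "not as good as with IPv4" without explanation. State which IPv6 ranges the new private_net6() call rejects and what it still misses, so all three descriptions agree, e.g. `+ Make --stop-dns-rebind also reject IPv6 answers in private ranges, not only IPv4-mapped ones.`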
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 1046a2e..9c85f2e 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -391,7 +391,8 @@ were previously disabled.
.B --stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the
private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+firewall is used to probe machines on the local network. The set of
+prefixes affected is currently identical to --bogus-priv.
.TP
.B --rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is
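Review bot: "The set of prefixes affected is currently identical to --bogus-priv" documents the behaviour by pointing at another option's implementation instead of stating it, and nothing in this patch shows that private_net6() matches the --bogus-priv list, so the claim cannot be checked from the diff and will silently go stale if either list changes. Spell out the IPv6 ranges rejected here. The --rebind-localhost-ok paragraph immediately below still mentions only 127.0.0.0/8; if the second argument passed to private_net6() in the rfc1035.c hunk is meant to exempt ::1 under that option, say so there as well.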
diff --git a/src/rfc1035.c b/src/rfc1035.c
index af2fe46..58e1a06 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -784,14 +784,21 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
return 1;

#ifdef HAVE_IPV6
- if ((flags & F_IPV6) &&
- IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
- {
- struct in_addr v4;
- v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
- if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
- return 1;
- }
+ if (flags & F_IPV6)
+ {
+ if (IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
+ {
+ struct in_addr v4;
+ v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
+ if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+ return 1;
+ }
+ else
+ {
+ if (private_net6(addr.addr.addr6, !option_bool(OPT_LOCAL_RBIND)))
+ return 1;
+ }
+ }
#endif
}
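Review bot: the new else branch passes `option_bool(OPT_LOCAL_RBIND)` while the IPv4-mapped branch three lines above uses `OPT_LOCAL_REBIND`; unless both constants exist this does not compile, and if both exist the two branches honour different options. Use `OPT_LOCAL_REBIND` in both. private_net6() is not added by this patch (the diffstat touches only CHANGELOG, the man page and rfc1035.c, and no definition appears in this hunk), so the change only builds if that function already exists upstream with this signature (address by value plus an int, like private_net()); confirm that or include the definition. Minor: `else { if (...) return 1; }` can be `else if (...) return 1;` to match the surrounding style.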
--
2.14.1

