[ipfire-2.x.git] / src / patches / dnsmasq / 001-include_0_0_0_0_8_in_DNS_rebind_checks.patch

From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 3 Aug 2015 21:52:12 +0100
Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.

---
 CHANGELOG     |    7 +++++++
 src/rfc1035.c |    3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 901da47..3f4026d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,10 @@
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+	    translates to hosts on  the local network, or, at 
+	    least, 0.0.0.0 accesses the local host, so could
+	    be targets for DNS rebinding. See RFC 5735 section 3 
+	    for details. Thanks to Stephen RÃ¶ttger for the bug report.
+	    
 version 2.75
             Fix reversion on 2.74 which caused 100% CPU use when a 
 	    dhcp-script is configured. Thanks to Adrian Davey for
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 56647b0..29e9e65 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
   in_addr_t ip_addr = ntohl(addr.s_addr);
 
   return
-    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ || 
+    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
     ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
     ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
     ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
-- 
1.7.10.4
Commit	Line	Data
f831e573 MF	1	From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Mon, 3 Aug 2015 21:52:12 +0100
	4	Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.
	5
	6	---
	7	CHANGELOG \| 7 +++++++
	8	src/rfc1035.c \| 3 ++-
	9	2 files changed, 9 insertions(+), 1 deletion(-)
	10
	11	diff --git a/CHANGELOG b/CHANGELOG
	12	index 901da47..3f4026d 100644
	13	--- a/CHANGELOG
	14	+++ b/CHANGELOG
	15	@@ -1,3 +1,10 @@
	16	+version 2.76
	17	+ Include 0.0.0.0/8 in DNS rebind checks. This range
	18	+ translates to hosts on the local network, or, at
	19	+ least, 0.0.0.0 accesses the local host, so could
	20	+ be targets for DNS rebinding. See RFC 5735 section 3
	21	+ for details. Thanks to Stephen RÃ¶ttger for the bug report.
	22	+
	23	version 2.75
	24	Fix reversion on 2.74 which caused 100% CPU use when a
	25	dhcp-script is configured. Thanks to Adrian Davey for
	26	diff --git a/src/rfc1035.c b/src/rfc1035.c
	27	index 56647b0..29e9e65 100644
	28	--- a/src/rfc1035.c
	29	+++ b/src/rfc1035.c
	30	@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
	31	in_addr_t ip_addr = ntohl(addr.s_addr);
	32
	33	return
	34	- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ \|\|
	35	+ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ \|\|
	36	+ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ \|\|
	37	((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ \|\|
	38	((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ \|\|
	39	((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ \|\|
	40	--
	41	1.7.10.4