dnsmasq: latest upstream patches
1 From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Mon, 3 Aug 2015 21:52:12 +0100
4 Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.
5
6 ---
7 CHANGELOG | 7 +++++++
8 src/rfc1035.c | 3 ++-
9 2 files changed, 9 insertions(+), 1 deletion(-)
10
11 diff --git a/CHANGELOG b/CHANGELOG
12 index 901da47..3f4026d 100644
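--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,10 @@
+version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+ translates to hosts on the local network, or, at
+ least, 0.0.0.0 accesses the local host, so could
+ be targets for DNS rebinding. See RFC 5735 section 3
+ for details. Thanks to Stephen Röttger for the bug report.
+
 version 2.75
 Fix reversion on 2.74 which caused 100% CPU use when a
 dhcp-script is configured. Thanks to Adrian Davey for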
26 diff --git a/src/rfc1035.c b/src/rfc1035.c
27 index 56647b0..29e9e65 100644
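--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
 in_addr_t ip_addr = ntohl(addr.s_addr);
 
 return
- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
+ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
+ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ ||
 ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
 ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
 ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||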
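Review bot: The new 0.0.0.0/8 test on the added line is unconditional, while the loopback test directly above it is gated on `ban_localhost`, and nothing on the line says that the difference is intended. Since the changelog entry itself notes that 0.0.0.0 reaches the local host, the comment should record the decision and carry the CIDR like its siblings, e.g. `/* 0.0.0.0/8 (RFC 5735 section 3 "here" network), always blocked, not gated on ban_localhost */`. The return expression continues past the end of the hunk, so the remaining ranges are not visible here. private_net() takes a `struct in_addr`, so whether AAAA answers (the unspecified address `::`, or IPv4-mapped forms of these ranges) get an equivalent rebind check cannot be told from this hunk and is worth confirming.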
40 --
41 1.7.10.4