From: Vladimír Čunát
Date: Thu, 29 Feb 2024 10:47:37 +0000 (+0100)
Subject: daemon/io: ignore UDP requests from ports < 1024
X-Git-Tag: v6.0.7~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0482d5a8a5f7596bf26dd9268cd55dd145c7ec4;p=thirdparty%2Fknot-resolver.git
daemon/io: ignore UDP requests from ports < 1024
---
diff --git a/NEWS b/NEWS
index c0fd0dcae..f44cb99a4 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Improvements
 ------------
 - manager: clear the cache via management HTTP API (#876,!1491)
 - docs: documentation is now separated into user and developer parts (!1514)
+- daemon: ignore UDP requests from ports < 1024 (!1507)
 
 Bugfixes
 --------
diff --git a/daemon/io.c b/daemon/io.c
index ac9a08e03..ea98a7f0e 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -80,6 +80,14 @@ void udp_recv(uv_udp_t *handle, ssize_t nread, const uv_buf_t *buf,
 		}
 	}
 
+	// We're aware of no use cases for low source ports,
+	// and they might be useful for attacks with spoofed source IPs.
+	if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024) {
+		kr_log_debug(IO, "<= ignoring UDP from suspicious port: '%s'\n",
+			kr_straddr(comm_addr));
+		return;
+	}
+
 	int ret = wire_buf_consume(&s->layers->wire_buf, nread);
 	if (ret) {
 		wire_buf_reset(&s->layers->wire_buf);
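Review bot: The drop in the new `if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024)` block is observable only at debug log level and the threshold is a bare literal, so an operator whose clients legitimately source from a low port (some legacy forwarders still send queries from port 53) gets silently broken resolution with nothing to tune and no counter to notice it by. I would at least lift the literal into a named constant, e.g. `#define KR_UDP_MIN_SRC_PORT 1024` at file scope with the comparison reading `kr_inaddr_port(comm_addr) < KR_UDP_MIN_SRC_PORT`, and increment a drop counter next to the `kr_log_debug` call so the behaviour shows up in metrics; a config knob for the threshold would be better still. The anti-spoofing rationale in the comment only holds if `comm_addr` is the datagram's real peer and not an address taken from a PROXYv2 header; `udp_recv` and the assignment of `comm_addr` lie outside the hunk, so this is presumably the case but worth stating explicitly in the comment, e.g. `// comm_addr is the real datagram source (not a PROXYv2-supplied one), so a forged header cannot bypass this`. Note that port 0 also falls in the rejected range, which is fail-closed and fine, but if `kr_inaddr_port()` reports 0 for an unrecognised address family those datagrams are dropped too, which the comment could mention.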