Include 0.0.0.0/8 in DNS rebind checks.

diff --git a/CHANGELOG b/CHANGELOG
index 901da4713ec93cc44a3cb214a64fad4153f0a73d..3f4026d180c18b30bee89153535865a473c66be3 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,10 @@
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+           translates to hosts on  the local network, or, at 
+           least, 0.0.0.0 accesses the local host, so could
+           be targets for DNS rebinding. See RFC 5735 section 3 
+           for details. Thanks to Stephen Röttger for the bug report.
+           
 version 2.75
             Fix reversion on 2.74 which caused 100% CPU use when a 
            dhcp-script is configured. Thanks to Adrian Davey for

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 56647b02ab4d7bcb3ac531ecd1db8bcf09be1747..29e9e65061f8b48b215b707fd3f61f32fefc7672 100644 (file)
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
   in_addr_t ip_addr = ntohl(addr.s_addr);
 
   return
-    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ || 
+    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
     ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
     ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
     ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||