From: Simon Kelley Date: Mon, 3 Aug 2015 20:52:12 +0000 (+0100) Subject: Include 0.0.0.0/8 in DNS rebind checks. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95;p=people%2Fms%2Fdnsmasq.git Include 0.0.0.0/8 in DNS rebind checks. --- diff --git a/CHANGELOG b/CHANGELOG index 901da47..3f4026d 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,10 @@ +version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range + translates to hosts on the local network, or, at + least, 0.0.0.0 accesses the local host, so could + be targets for DNS rebinding. See RFC 5735 section 3 + for details. Thanks to Stephen Röttger for the bug report. + version 2.75 Fix reversion on 2.74 which caused 100% CPU use when a dhcp-script is configured. Thanks to Adrian Davey for diff --git a/src/rfc1035.c b/src/rfc1035.c index 56647b0..29e9e65 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost) in_addr_t ip_addr = ntohl(addr.s_addr); return - (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || + (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || + ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ || ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||