From 373e6cdadbdc4a2b5081f02b0e4ad5dcea9eb6df Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 5 Jun 2025 18:51:34 +0200
Subject: [PATCH] resolved: ignore mDNS replies from legacy mDNS ports

mDNS replies always have to come from the mDNS port (unlike mDNS queries, which are also allowed from non-mDNS ports). Hence refuse this.

Fixes: #33806
---
 src/resolve/resolved-mdns.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c
index e6bd844aadc..a1c53ad71b1 100644
--- a/src/resolve/resolved-mdns.c
+++ b/src/resolve/resolved-mdns.c
@@ -411,8 +411,10 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
 /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS
 * unicast queries through anyway (we never send those ourselves, hence no risk).
 * i.e. check for the source port nr. */
- if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p))
+ if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p)) {
+ log_debug("Got mDNS UDP packet from local host, ignoring.");
 return 0;
+ }
 
 scope = manager_find_scope(m, p);
 if (!scope) {
@@ -423,6 +425,15 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
 if (dns_packet_validate_reply(p) > 0) {
 DnsResourceRecord *rr;
 
+ /* RFC 6762 section 6:
+ * The source UDP port in all Multicast DNS responses MUST be 5353 (the well-known port
+ * assigned to mDNS). Multicast DNS implementations MUST silently ignore any Multicast DNS
+ * responses they receive where the source UDP port is not 5353. */
+ if (p->sender_port != MDNS_PORT) {
+ log_debug("Got mDNS reply from non-mDNS port %u (not %i), ignoring.", p->sender_port, MDNS_PORT);
+ return 0;
+ }
+
 log_debug("Got mDNS reply packet");
 
 /*
-- 
2.47.3
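Review bot: The RFC quote added in the second hunk (`@@ -423,6 +425,15 @@`) states the rule but not why enforcing it costs resolved nothing: RFC 6762 also lets responses to legacy unicast queries come back from whatever port the querier used, and dropping those here is only safe because, as the comment earlier in this function notes, "we never send those ourselves". I would add one sentence to the new comment, e.g. `* (Legacy unicast responses may legitimately use other ports, but we never issue legacy unicast queries, so this filter loses nothing.)`, so that a later change introducing legacy unicast queries is not silently broken by this check. On style, the new log line uses `%u` for p->sender_port and `%i` for MDNS_PORT, two values with the same meaning; `%u` for both reads more consistently, assuming MDNS_PORT is a plain integer constant. The first hunk only adds a debug message and needs nothing further. on_mdns_packet begins before and continues past both hunks.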