[Dnsmasq-discuss] [PATCH] Make --stop-dns-rebind apply to non-IPv4-mapped IPv6.

Alex Xu (Hello71) alex_y_xu at yahoo.ca
Wed Sep 20 15:31:59 BST 2017 

---
 CHANGELOG     |  4 ++++
 man/dnsmasq.8 |  3 ++-
 src/rfc1035.c | 23 +++++++++++++++--------
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7e65912..185b78a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -24,6 +24,10 @@ version 2.78
 	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
 	chasing this one down.  CVE-2017-13704 applies.
 
+        Make --stop-dns-rebind also apply to RFC 6303 addresses.
+        This is not as good as with IPv4, but something is better
+        than nothing. Patch by Alex Xu.
+
 	
 version 2.77
 	Generate an error when configured with a CNAME loop,
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 1046a2e..9c85f2e 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -391,7 +391,8 @@ were previously disabled.
 .B --stop-dns-rebind
 Reject (and log) addresses from upstream nameservers which are in the
 private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+firewall is used to probe machines on the local network. The set of
+prefixes affected is currently identical to --bogus-priv.
 .TP
 .B --rebind-localhost-ok
 Exempt 127.0.0.0/8 from rebinding checks. This address range is
diff --git a/src/rfc1035.c b/src/rfc1035.c
index af2fe46..58e1a06 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -784,14 +784,21 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			    return 1;
 			  
 #ifdef HAVE_IPV6
-			  if ((flags & F_IPV6) &&
-			      IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
-			    {
-			      struct in_addr v4;
-			      v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
-			      if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
-				return 1;
-			    }
+                          if (flags & F_IPV6)
+                            {
+                              if (IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
+                                {
+                                  struct in_addr v4;
+                                  v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
+                                  if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+                                      return 1;
+                                }
+                              else
+                                {
+                                  if (private_net6(addr.addr.addr6, !option_bool(OPT_LOCAL_RBIND)))
+                                      return 1;
+                                }
+                            }
 #endif
 			}
 		      
-- 
2.14.1


.

More information about the Dnsmasq-discuss mailing list