[OpenWrt-Devel] [PATCH] dnsmasq: dns rebind protection improvements
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Wed Aug 5 05:18:08 EDT 2015
From upstream dnsmasq pre 2.76 release.
Include 0.0.0.0/8 in DNS rebind checks.
Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
package/network/services/dnsmasq/Makefile | 2 +-
.../patches/300-dns-rebind-improvements.patch | 42 ++++++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 444459b..864914e 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.75
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
diff --git a/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch b/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch
new file mode 100644
index 0000000..ab84b58
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/300-dns-rebind-improvements.patch
@@ -0,0 +1,42 @@
+From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon at thekelleys.org.uk>
+Date: Mon, 3 Aug 2015 21:52:12 +0100
+Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.
+
+---
+ CHANGELOG | 7 +++++++
+ src/rfc1035.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 901da47..3f4026d 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,10 @@
++version 2.76
++ Include 0.0.0.0/8 in DNS rebind checks. This range
++ translates to hosts on the local network, or, at
++ least, 0.0.0.0 accesses the local host, so could
++ be targets for DNS rebinding. See RFC 5735 section 3
++ for details. Thanks to Stephen Röttger for the bug report.
++
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+ dhcp-script is configured. Thanks to Adrian Davey for
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 56647b0..29e9e65 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
+ in_addr_t ip_addr = ntohl(addr.s_addr);
+
+ return
+- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
++ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
++ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ ||
+ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
+ ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
+ ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
+--
+1.7.10.4
+
--
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list