Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Check arrival interface of IPv6 requests, even in --bind-interfaces.

Browse Source
This commit is contained in:
Simon Kelley
2013-12-03 13:41:16 +00:00
parent 62ab3ccd3d
commit 2329bef5ba
4 changed files with 36 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG
View File

@@ -39,6 +39,12 @@ version 2.68
Fix memory leak on re-reading /etc/hosts and friends, Fix memory leak on re-reading /etc/hosts and friends,
introduced in 2.67. introduced in 2.67.
Check the arrival interface of incoming DNS and TFTP
requests via IPv6, even in --bind-interfaces mode. This
isn't possible for IPv4 and can generate scary warnings,
but as it's always possible for IPv6 (the API always
exists) then we should do it always.
version 2.67 version 2.67
Fix crash if upstream server returns SERVFAIL when Fix crash if upstream server returns SERVFAIL when

8
src/forward.c
View File

@@ -697,6 +697,12 @@ void receive_query(struct listener *listen, time_t now)
CMSG_SPACE(sizeof(struct sockaddr_dl))]; CMSG_SPACE(sizeof(struct sockaddr_dl))];
#endif #endif
} control_u; } control_u;
#ifdef HAVE_IPV6
/* Can always get recvd interface for IPv6 */
int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
#else
int check_dst = !option_bool(OPT_NOWILD);
#endif
/* packet buffer overwritten */ /* packet buffer overwritten */
daemon->srv_save = NULL; daemon->srv_save = NULL;
@@ -740,7 +746,7 @@ void receive_query(struct listener *listen, time_t now)
source_addr.in6.sin6_flowinfo = 0; source_addr.in6.sin6_flowinfo = 0;
#endif #endif
if (!option_bool(OPT_NOWILD)) if (check_dst)
{ {
struct ifreq ifr; struct ifreq ifr;

29
src/network.c
View File

@@ -711,9 +711,9 @@ static int make_sock(union mysockaddr *addr, int type, int dienow)
if (listen(fd, 5) == -1) if (listen(fd, 5) == -1)
goto err; goto err;
} }
else if (!option_bool(OPT_NOWILD)) else if (family == AF_INET)
{ {
if (family == AF_INET) if (!option_bool(OPT_NOWILD))
{ {
#if defined(HAVE_LINUX_NETWORK) #if defined(HAVE_LINUX_NETWORK)
if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1) if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1)
@@ -724,11 +724,11 @@ static int make_sock(union mysockaddr *addr, int type, int dienow)
goto err; goto err;
#endif #endif
} }
}
#ifdef HAVE_IPV6 #ifdef HAVE_IPV6
else if (!set_ipv6pktinfo(fd)) else if (!set_ipv6pktinfo(fd))
goto err; goto err;
#endif #endif
}
return fd; return fd;
} }
@@ -961,6 +961,9 @@ void create_bound_listeners(int dienow)
The fix is to use --bind-dynamic, which actually checks the arrival interface too. The fix is to use --bind-dynamic, which actually checks the arrival interface too.
Tough if your platform doesn't support this. Tough if your platform doesn't support this.
Note that checking the arrival interface is supported in the standard IPv6 API and
always done, so we don't warn about any IPv6 addresses here.
*/ */
void warn_bound_listeners(void) void warn_bound_listeners(void)
@@ -971,36 +974,18 @@ void warn_bound_listeners(void)
for (iface = daemon->interfaces; iface; iface = iface->next) for (iface = daemon->interfaces; iface; iface = iface->next)
if (!iface->dns_auth) if (!iface->dns_auth)
{ {
int warn = 0;
if (iface->addr.sa.sa_family == AF_INET) if (iface->addr.sa.sa_family == AF_INET)
{ {
if (!private_net(iface->addr.in.sin_addr, 1)) if (!private_net(iface->addr.in.sin_addr, 1))
{ {
inet_ntop(AF_INET, &iface->addr.in.sin_addr, daemon->addrbuff, ADDRSTRLEN); inet_ntop(AF_INET, &iface->addr.in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
warn = 1;
}
}
#ifdef HAVE_IPV6
else
{
if (!IN6_IS_ADDR_LINKLOCAL(&iface->addr.in6.sin6_addr) &&
!IN6_IS_ADDR_SITELOCAL(&iface->addr.in6.sin6_addr) &&
!IN6_IS_ADDR_ULA(&iface->addr.in6.sin6_addr) &&
!IN6_IS_ADDR_LOOPBACK(&iface->addr.in6.sin6_addr))
{
inet_ntop(AF_INET6, &iface->addr.in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN);
warn = 1;
}
}
#endif
if (warn)
{
iface->warned = advice = 1; iface->warned = advice = 1;
my_syslog(LOG_WARNING, my_syslog(LOG_WARNING,
_("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"), _("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"),
daemon->addrbuff, iface->name); daemon->addrbuff, iface->name);
} }
} }
}
if (advice) if (advice)
my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)")); my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));

10
src/tftp.c
View File

@@ -60,7 +60,12 @@ void tftp_request(struct listener *listen, time_t now)
char *prefix = daemon->tftp_prefix; char *prefix = daemon->tftp_prefix;
struct tftp_prefix *pref; struct tftp_prefix *pref;
struct all_addr addra; struct all_addr addra;
#ifdef HAVE_IPV6
/* Can always get recvd interface for IPv6 */
int check_dest = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
#else
int check_dest = !option_bool(OPT_NOWILD);
#endif
union { union {
struct cmsghdr align; /* this ensures alignment */ struct cmsghdr align; /* this ensures alignment */
#ifdef HAVE_IPV6 #ifdef HAVE_IPV6
@@ -92,7 +97,8 @@ void tftp_request(struct listener *listen, time_t now)
if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2) if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2)
return; return;
if (option_bool(OPT_NOWILD)) /* Can always get recvd interface for IPv6 */
if (!check_dest)
{ {
if (listen->iface) if (listen->iface)
{ {