Make --rebind-localhost-ok apply to :: and 0.0.0.0

Also make the definition of local IPv6 addresses the same for --bogus-priv and rebind protection.
2025-12-19 18:28:25 +00:00 · 2021-07-04 21:09:10 +01:00
parent a92c6d77dc
commit 4558c26fcd
1 changed files with 18 additions and 28 deletions
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -364,7 +364,7 @@ int private_net(struct in_addr addr, int ban_localhost)
  return
    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
-    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
+    (((ip_addr & 0xFF000000) == 0x00000000) && ban_localhost) /* RFC 5735 section 3. "here" network */ ||
    ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
    ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
@@ -375,12 +375,21 @@ int private_net(struct in_addr addr, int ban_localhost)
    ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF)  /* 255.255.255.255/32 (broadcast)*/ ;
 }
-static int private_net6(struct in6_addr *a)
+static int private_net6(struct in6_addr *a, int ban_localhost)
 {
  /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
  if (IN6_IS_ADDR_V4MAPPED(a))
    {
      struct in_addr v4;
      v4.s_addr = ((const uint32_t *) (a))[3];
      return private_net(v4, ban_localhost);
    }
  return
-    IN6_IS_ADDR_UNSPECIFIED(a) || /* RFC 6303 4.3 */
+    (IN6_IS_ADDR_UNSPECIFIED(a) && ban_localhost) || /* RFC 6303 4.3 */
-    IN6_IS_ADDR_LOOPBACK(a) ||    /* RFC 6303 4.3 */
+    (IN6_IS_ADDR_LOOPBACK(a) && ban_localhost) ||    /* RFC 6303 4.3 */
    IN6_IS_ADDR_LINKLOCAL(a) ||   /* RFC 6303 4.5 */
    IN6_IS_ADDR_SITELOCAL(a) ||
    ((unsigned char *)a)[0] == 0xfd ||   /* RFC 6303 4.4 */
    ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
 }
@@ -795,28 +804,9 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 				  private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
 				return 1;
-			      /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
+			      if ((flags & F_IPV6) &&
-			      if (flags & F_IPV6)
+				  private_net6(&addr.addr6, !option_bool(OPT_LOCAL_REBIND)))
-				{
+				return 1;
 				  if (IN6_IS_ADDR_V4MAPPED(&addr.addr6))
 				    {
 				      struct in_addr v4;
 				      v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
 				      if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
 					return 1;
 				    }
 				  /* Check for link-local (LL) and site-local (ULA) IPv6 addresses */
 				  if (IN6_IS_ADDR_LINKLOCAL(&addr.addr6) ||
 				      IN6_IS_ADDR_SITELOCAL(&addr.addr6))
 				    return 1;
 				  /* Check for the IPv6 loopback address (::1) when
 				     option rebind-localhost-ok is NOT set */
 				  if (!option_bool(OPT_LOCAL_REBIND) &&
 				      IN6_IS_ADDR_LOOPBACK(&addr.addr6))
 				    return 1;
 				}
 			    }
 #ifdef HAVE_IPSET
@@ -1620,7 +1610,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    }
 		}
 	      else if (option_bool(OPT_BOGUSPRIV) &&
-		       ((is_arpa == F_IPV6 && private_net6(&addr.addr6)) || (is_arpa == F_IPV4 && private_net(addr.addr4, 1))) &&
+		       ((is_arpa == F_IPV6 && private_net6(&addr.addr6, 1)) || (is_arpa == F_IPV4 && private_net(addr.addr4, 1))) &&
 		       !lookup_domain(name, F_DOMAINSRV, NULL, NULL))
 		{
 		  /* if no configured server, not in cache, enabled and private IPV4 address, return NXDOMAIN */