Include 0.0.0.0/8 in DNS rebind checks.

d2aa7dfb · Simon Kelley · 63ec5d12 · d2aa7dfb · d2aa7dfb
Commit d2aa7dfb authored Aug 03, 2015 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

CHANGELOG CHANGELOG +7 -0

src/rfc1035.c src/rfc1035.c +2 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+	    translates to hosts on  the local network, or, at 
+	    least, 0.0.0.0 accesses the local host, so could
+	    be targets for DNS rebinding. See RFC 5735 section 3 
+	    for details. Thanks to Stephen Röttger for the bug report.
 version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a 
 	    dhcp-script is configured. Thanks to Adrian Davey for

--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -729,6 +729,7 @@ int private_net(struct in_addr addr, int ban_localhost)
  return
    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
    ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
    ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||