author | Yang Tse <yangsita@gmail.com> | 2008-08-25 03:34:50 +0000 |
---|---|---|
committer | Yang Tse <yangsita@gmail.com> | 2008-08-25 03:34:50 +0000 |
commit | 423a18cecc4af7d89f649e9f8c5cb63a419892fb (patch) | |
tree | dc1b4424d007f3012f3ca75e2a042a73bdb35e21 /ares/CHANGES | |
parent | f164260eeeb246e32b30ab382cf7eb454e6f953a (diff) |
Brad House's validation that DNS response address matches the request address
Diffstat (limited to 'ares/CHANGES')
-rw-r--r-- | ares/CHANGES | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/ares/CHANGES b/ares/CHANGES index dff8e8d67..16e55bebe 100644 --- a/ares/CHANGES +++ b/ares/CHANGES @@ -1,5 +1,17 @@ Changelog for the c-ares project +* Aug 25 2008 (Yang Tse) +- Improvement by Brad House: + + This patch addresses an issue in which a response could be sent back to the + source port of a client from a different address than the request was made to. + This is one form of a DNS cache poisoning attack. + + The patch simply uses recvfrom() rather than recv() and validates that the + address returned from recvfrom() matches the address of the server we have + connected to. Only necessary on UDP sockets as they are connection-less, TCP + is unaffected. + * Aug 4 2008 (Daniel Stenberg) - Fix by Tofu Linden: |
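Review bot: The new Aug 25 entry says the address returned from recvfrom() is validated against the server address, but it does not say what happens to a UDP datagram that fails the check, or whether the source port is compared along with the address. Suggest adding one sentence that states the outcome for a mismatching response (for example, that it is discarded and the query keeps waiting, if that is what the code does) and names the source file or function that now calls recvfrom(), so a reader of CHANGES can locate the check. The entry could also say whether the comparison covers every address family the library supports, since "the address of the server we have connected to" leaves that open.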