From 423a18cecc4af7d89f649e9f8c5cb63a419892fb Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Mon, 25 Aug 2008 03:34:50 +0000
Subject: Brad House's validation that DNS response address matches the request address

---
 ares/CHANGES        | 12 ++++++++++++
 ares/RELEASE-NOTES  |  1 +
 ares/ares_process.c | 16 +++++++++++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)
(limited to 'ares')

diff --git a/ares/CHANGES b/ares/CHANGES
index dff8e8d67..16e55bebe 100644
--- a/ares/CHANGES
+++ b/ares/CHANGES
@@ -1,5 +1,17 @@
 Changelog for the c-ares project
 
+* Aug 25 2008 (Yang Tse)
+- Improvement by Brad House:
+
+  This patch addresses an issue in which a response could be sent back to the
+  source port of a client from a different address than the request was made to.
+  This is one form of a DNS cache poisoning attack.
+
+  The patch simply uses recvfrom() rather than recv() and validates that the
+  address returned from recvfrom() matches the address of the server we have
+  connected to. Only necessary on UDP sockets as they are connection-less, TCP
+  is unaffected.
+
 * Aug 4 2008 (Daniel Stenberg)
 - Fix by Tofu Linden:
 
diff --git a/ares/RELEASE-NOTES b/ares/RELEASE-NOTES
index eb9110dcf..388816052 100644
--- a/ares/RELEASE-NOTES
+++ b/ares/RELEASE-NOTES
@@ -9,6 +9,7 @@ This is what's new and changed in the c-ares 1.5.3 release:
  o library will now be built with _REENTRANT symbol defined if needed
  o Improved configure detection of number of arguments for getservbyport_r
  o Improved query-ID randomness
+ o Validate that DNS response address matches the request address
 
 Thanks go to these friendly people for their efforts and contributions:
 
diff --git a/ares/ares_process.c b/ares/ares_process.c
index becbfced1..0a99a1bb4 100644
--- a/ares/ares_process.c
+++ b/ares/ares_process.c
@@ -429,6 +429,8 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
   int i;
   ssize_t count;
   unsigned char buf[PACKETSZ + 1];
+  struct sockaddr_in from;
+  socklen_t fromlen;
 
   if(!read_fds && (read_fd == ARES_SOCKET_BAD))
     /* no possible action */
@@ -462,11 +464,23 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
       /* To reduce event loop overhead, read and process as many
        * packets as we can. */
       do {
-        count = sread(server->udp_socket, buf, sizeof(buf));
+        /* Must memset 'from' to 0 as recvfrom() on some systems may
+         * not use 'from' at all if it doesn't support receiving the
+         * source address of the response */
+        memset(&from, 0, sizeof(from));
+        fromlen = sizeof(from);
+        count = (ssize_t)recvfrom(server->udp_socket, (void *)buf, sizeof(buf),
+                                  0, (struct sockaddr *)&from, &fromlen);
         if (count == -1 && try_again(SOCKERRNO))
           continue;
         else if (count <= 0)
           handle_error(channel, i, now);
+        else if (fromlen && from.sin_addr.s_addr != 0 &&
+                 from.sin_addr.s_addr != server->addr.s_addr)
+          /* Address response came from did not match the address
+           * we sent the request to. Someone may be attempting
+           * to perform a cache poisoning attack */
+          break;
         else
           process_answer(channel, buf, (int)count, i, 0, now);
       } while (count > 0);
-- 
cgit v1.2.3
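Review bot: The new guard `else if (fromlen && from.sin_addr.s_addr != 0 && from.sin_addr.s_addr != server->addr.s_addr)` in the second hunk compares only the source IP, so a datagram from the expected address but a different port is still accepted, and the check is skipped outright whenever the platform leaves `fromlen` or `sin_addr` zero; if the server port is reachable here (c-ares keeps it on the channel, presumably `channel->udp_port` — confirm the field and its byte order), add `|| from.sin_port != channel->udp_port` to the mismatch condition. The comment on the mismatch branch should also say what the check does not cover, e.g. `/* Only catches replies whose source address is not forged; query-ID and source-port randomization remain the primary defense */`, so nobody later reads it as a complete cache-poisoning mitigation. The `break;` on a mismatch abandons the drain loop for this event-loop pass, leaving any queued legitimate reply waiting until the next one; `continue;` keeps draining the socket and avoids a run of bad datagrams delaying the real answer. read_udp_packets begins before the first hunk and ends after the second.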