Drop legacy unicast queries from address not on local link

When handling legacy unicast queries, ensure that the source IP is
inside a subnet on the local link, otherwise drop the packet.

Fixes #145
Fixes #203
CVE-2017-6519
CVE-2018-100084
lathiat committed Dec 22, 2018
1 parent a81407c commit e111def44a7df4624a4aa3f85fe98054bffb6b4f
Showing with 8 additions and 0 deletions.
  1. +8 −0 avahi-core/server.c
@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres

if (avahi_dns_packet_is_query(p)) {
int legacy_unicast = 0;
char t[AVAHI_ADDRESS_STR_MAX];

/* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
* AR section completely here, so far. Until the day we add
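
Review bot: `char t[AVAHI_ADDRESS_STR_MAX];` is scoped to the whole `if (avahi_dns_packet_is_query(p))` block, but in the lines shown its only use is the `avahi_log_debug` call in the new drop branch. Declaring it at the top of that branch would keep the buffer next to its single use and off the path taken by packets that are not dropped.
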
@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
legacy_unicast = 1;
}

if (!is_mdns_mcast_address(dst_address) &&
!avahi_interface_address_on_link(i, src_address)) {

avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
return;
}

if (legacy_unicast)
reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
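
Review bot: The new condition `!is_mdns_mcast_address(dst_address) && !avahi_interface_address_on_link(i, src_address)` sits before `if (legacy_unicast)` and never tests `legacy_unicast`, so it is keyed differently from the commit message's "legacy unicast queries". As written it drops any query sent to a non-multicast destination from an off-link source, and a query addressed to the multicast group passes regardless of `legacy_unicast` or where its source address lies. If that is the intent, a short comment above the condition stating it, and why off-link sources are rejected, would save the next reader from reconciling the code with the message. If only legacy queries were meant, the condition should include `legacy_unicast`. The log text "non-local unicast query" matches the code rather than the message, which suggests the former.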

2 comments on commit e111def

carnil replied Dec 22, 2018

Note the right second CVE would be CVE-2018-1000845 (there was the CVE id truncated in the above commit message)

lathiat replied Dec 22, 2018

Yep realised almost right after but can’t edit commit messages sadly :(
