Brad House's validation that DNS response address matches the request address

3 files changed, 28 insertions, 1 deletions

diff --git a/ares/CHANGES b/ares/CHANGES
index dff8e8d67..16e55bebe 100644
--- a/ares/CHANGES
+++ b/ares/CHANGES
@@ -1,5 +1,17 @@
   Changelog for the c-ares project
 
+* Aug 25 2008 (Yang Tse)
+- Improvement by Brad House:
+
+  This patch addresses an issue in which a response could be sent back to the
+  source port of a client from a different address than the request was made to.
+  This is one form of a DNS cache poisoning attack.
+
+  The patch simply uses recvfrom() rather than recv() and validates that the
+  address returned from recvfrom() matches the address of the server we have
+  connected to. Only necessary on UDP sockets as they are connection-less, TCP
+  is unaffected.
+
 * Aug 4 2008 (Daniel Stenberg)
 - Fix by Tofu Linden:
 
diff --git a/ares/RELEASE-NOTES b/ares/RELEASE-NOTES
index eb9110dcf..388816052 100644
--- a/ares/RELEASE-NOTES
+++ b/ares/RELEASE-NOTES
@@ -9,6 +9,7 @@ This is what's new and changed in the c-ares 1.5.3 release:
  o library will now be built with _REENTRANT symbol defined if needed
  o Improved configure detection of number of arguments for getservbyport_r
  o Improved query-ID randomness
+ o Validate that DNS response address matches the request address
 
 Thanks go to these friendly people for their efforts and contributions:
 
diff --git a/ares/ares_process.c b/ares/ares_process.c
index becbfced1..0a99a1bb4 100644
--- a/ares/ares_process.c
+++ b/ares/ares_process.c
@@ -429,6 +429,8 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
   int i;
   ssize_t count;
   unsigned char buf[PACKETSZ + 1];
+  struct sockaddr_in from;
+  socklen_t fromlen;
 
   if(!read_fds && (read_fd == ARES_SOCKET_BAD))
     /* no possible action */
@@ -462,11 +464,23 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
       /* To reduce event loop overhead, read and process as many
        * packets as we can. */
       do {
-        count = sread(server->udp_socket, buf, sizeof(buf));
+        /* Must memset 'from' to 0 as recvfrom() on some systems may
+         * not use 'from' at all if it doesn't support receiving the
+         * source address of the response */
+        memset(&from, 0, sizeof(from));
+        fromlen = sizeof(from);
+        count = (ssize_t)recvfrom(server->udp_socket, (void *)buf, sizeof(buf),
+                                  0, (struct sockaddr *)&from, &fromlen);
         if (count == -1 && try_again(SOCKERRNO))
           continue;
         else if (count <= 0)
           handle_error(channel, i, now);
+        else if (fromlen && from.sin_addr.s_addr != 0 &&
+                 from.sin_addr.s_addr != server->addr.s_addr)
+          /* Address response came from did not match the address
+           * we sent the request to.  Someone may be attempting
+           * to perform a cache poisoning attack */
+          break;
         else
           process_answer(channel, buf, (int)count, i, 0, now);
        } while (count > 0);