From de9740cda46c1fc6c917c5ec84f6b2373e7ef123 Mon Sep 17 00:00:00 2001
From: Richard Frith-Macdonald
Date: Mon, 16 Sep 2019 18:29:18 +0100
Subject: [PATCH] Applied patches by Alan Jenkins
---
 ChangeLog | 12 ++++++++++++
 Tools/gdomap.c | 21 ++++++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 09f21ad1a..cc5362e41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2019-09-16 Alan Jenkins
+
+ * Tools/gdompa.c:
+ A couple of is_local_net() tests were wrong: they used "&&"
+ with masks, but that is the logical shortcut operator.
+ The correct bitwise operator is "&". The result was that
+ is_local_net() was always returning true!
+ Only allow local processes to send GDO_SERVERS requests.
+ This request is only useful locally. Do not allow remote
+ requests for the server list. Our response can be large,
+ so it would make a great UDP amplification attack.
+
 2019-08-12 Richard Frith-Macdonald
 * Source/GSSocketStream.m: Fix for hang when writing large https
diff --git a/Tools/gdomap.c b/Tools/gdomap.c
index 0af5ec06e..6a390c596 100644
--- a/Tools/gdomap.c
+++ b/Tools/gdomap.c
@@ -419,7 +419,7 @@ is_local_net(struct in_addr a)
 for (i = 0; i < interfaces; i++)
 {
- if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
+ if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
 {
 return 1;
 }
@@ -3100,6 +3100,21 @@ handle_request(int desc)
 unsigned int i;
 unsigned int j;
+ /*
+ * See if this is a request from a local process.
+ *
+ * This request is only useful locally. Do not allow remote
+ * requests for the server list. Our response can be large,
+ * so it would make a great UDP amplification attack.
+ */
+ if (is_local_host(ri->addr.sin_addr) == 0)
+ {
+ snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
+ gdomap_log(LOG_ERR);
+ clear_chan(desc);
+ return;
+ }
+
 free(wi->buf);
 wi->buf = (char*)calloc(sizeof(uint32_t) + (prb_used+1)*IASIZE, 1);
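Review bot: The corrected comparison in is_local_net() still matches every address when an interface entry has `mask[i].s_addr == 0`, because both sides of the `==` then reduce to zero, and nothing in the visible loop skips such an entry. If the interface table can hold an unconfigured or zero-mask entry (not visible from this hunk), add `if (mask[i].s_addr == 0) continue;` ahead of the test, or a comment stating where such entries are filtered out. The later handle_request() hunk at -3260 makes the same comparison behind a `continue` guard whose condition lies outside that hunk. The body of is_local_net() starts and ends outside this hunk.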
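Review bot: The new rejection branch in handle_request() logs a fixed string, so the record does not say which peer asked for the server list; including the address makes the entry usable for triage, e.g. `snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers from %s", inet_ntoa(ri->addr.sin_addr));`. For UDP that value is only the claimed source address, which is worth stating in the comment above the check. Each refused request also produces one LOG_ERR entry, so log volume is driven by whoever sends the requests; consider rate-limiting or a lower priority, depending on how gdomap_log() is routed (not visible here). handle_request() starts and ends outside this hunk.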
@@ -3260,8 +3275,8 @@ handle_request(int desc)
 {
 continue;
 }
- if ((mask[i].s_addr && addr[i].s_addr) ==
- (mask[i].s_addr && ri->addr.sin_addr.s_addr))
+ if ((mask[i].s_addr & addr[i].s_addr) ==
+ (mask[i].s_addr & ri->addr.sin_addr.s_addr))
 {
 laddr = addr[i];
 memcpy(wbuf, &laddr, IASIZE);
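Review bot: This is the second place where the subnet comparison is written out by hand, and the same `&&` slip had to be corrected in both; a small file-local helper would keep one definition, e.g. `static int same_net(unsigned int i, struct in_addr a) { return (mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr); }` (the name is only a suggestion), called here and from is_local_net(). The ChangeLog entry says the old form made is_local_net() always return true, so a regression test that feeds it an off-subnet address would be worth adding with this change. The enclosing loop and the condition of the `continue` guard begin outside this hunk.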