X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fresolve%2Fresolved-dns-scope.c;h=b17de0c88fdd3f6febf869b1c05496d1b77af3ca;hb=0f05c387597a93fa74cdf7d351fd255aca56026d;hp=b226f5a457cf3eacb37cc2913b0a30b7e4813995;hpb=ea917db9e662ae6e6d0ae07e0118b323688c8616;p=elogind.git
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index b226f5a45..b17de0c88 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -254,7 +254,7 @@ int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *add
 }
 if (s->protocol == DNS_PROTOCOL_LLMNR) {
- /* RFC 4795, section 2.5 suggests the TTL to be set to 1 */
+ /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
 if (sa.sa.sa_family == AF_INET) {
 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
@@ -452,6 +452,18 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
 if (p->protocol != DNS_PROTOCOL_LLMNR)
 return;
+ if (p->ipproto == IPPROTO_UDP) {
+ /* Don't accept UDP queries directed to anything but
+ * the LLMNR multicast addresses. See RFC 4795,
+ * section 2.5.*/
+
+ if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
+ return;
+
+ if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
+ return;
+ }
+
 r = dns_packet_extract(p);
 if (r < 0) {
 log_debug("Failed to extract resources from incoming packet: %s", strerror(-r));
@@ -471,6 +483,8 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
 if (r == 0)
 return;
+ dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
+
 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, &reply);
 if (r < 0) {
 log_debug("Failed to build reply packet: %s", strerror(-r));
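Review bot: In the `dns_scope_process_query` hunk at -452, the new destination filter rejects only when `p->family` is AF_INET or AF_INET6, so a UDP packet carrying any other family value passes both tests and still reaches `dns_packet_extract(p)`. A default-deny line after the two comparisons, `if (p->family != AF_INET && p->family != AF_INET6) return;`, would keep the filter closed if the receive path ever leaves the family unset. The drop is also silent; a `log_debug("Ignoring LLMNR UDP query not sent to the multicast address");` on the rejecting paths would make unicast-directed queries visible when debugging. Whether `p->destination` is always filled in by the receive path cannot be seen from this hunk, and the function body continues outside it.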
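Review bot: In the hunk at -471, `in_addr_is_link_local(p->family, &p->sender) > 0` presumably folds a negative error return into "not link-local" without saying so, and the added call carries no comment on why the answer is reordered per sender. I would put `/* Order the answer by the sender's scope; an error from in_addr_is_link_local() counts as "not link-local". */` above it. `p->sender` comes from an unauthenticated packet, so this value should stay an ordering hint and never decide which records are returned. The function starts and continues outside the hunk.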