author | Yang Tse <yangsita@gmail.com> | 2008-08-25 03:34:50 +0000 |
---|---|---|
committer | Yang Tse <yangsita@gmail.com> | 2008-08-25 03:34:50 +0000 |
commit | 09d10cb5c590586ddddefc9822246070977d4a88 (patch) | |
tree | 9985ef6ea5923a0f2b0b40709e26dd38894e8112 /CHANGES | |
parent | a5b66d32930617d55854f56c8765723907e6726b (diff) | |
Brad House's validation that DNS response address matches the request address
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -1,5 +1,17 @@ Changelog for the c-ares project +* Aug 25 2008 (Yang Tse) +- Improvement by Brad House: + + This patch addresses an issue in which a response could be sent back to the + source port of a client from a different address than the request was made to. + This is one form of a DNS cache poisoning attack. + + The patch simply uses recvfrom() rather than recv() and validates that the + address returned from recvfrom() matches the address of the server we have + connected to. Only necessary on UDP sockets as they are connection-less, TCP + is unaffected. + * Aug 4 2008 (Daniel Stenberg) - Fix by Tofu Linden: |
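Review bot: The second paragraph of the new Aug 25 entry says the address returned from recvfrom() is validated against the server address, but it does not say what happens to a datagram that fails the check, or whether the source port is compared along with the address. Suggest adding one sentence that states how a mismatched UDP response is handled and which fields are compared, so a reader of CHANGES can judge the fix without opening the source diff. In the first paragraph, "a response could be sent back to the source port of a client from a different address than the request was made to" would read more clearly if it said that such a response could be accepted by the library, since acceptance is what the recvfrom() check prevents.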