author Yang Tse <yangsita@gmail.com> 2008-08-25 03:34:50 +0000
committer Yang Tse <yangsita@gmail.com> 2008-08-25 03:34:50 +0000
commit 09d10cb5c590586ddddefc9822246070977d4a88
tree 9985ef6ea5923a0f2b0b40709e26dd38894e8112 /CHANGES
parent a5b66d32930617d55854f56c8765723907e6726b
Brad House's validation that DNS response address matches the request address
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 12
1 files changed, 12 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index dff8e8d..16e55be 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,17 @@
Changelog for the c-ares project
+* Aug 25 2008 (Yang Tse)
+- Improvement by Brad House:
+
+ This patch addresses an issue in which a response could be sent back to the
+ source port of a client from a different address than the request was made to.
+ This is one form of a DNS cache poisoning attack.
+
+ The patch simply uses recvfrom() rather than recv() and validates that the
+ address returned from recvfrom() matches the address of the server we have
+ connected to. Only necessary on UDP sockets as they are connection-less, TCP
+ is unaffected.
+
* Aug 4 2008 (Daniel Stenberg)
- Fix by Tofu Linden:
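Review bot: In the second added paragraph ("validates that the address returned from recvfrom() matches the address of the server we have connected to"), the entry does not say what is compared or what happens on a mismatch. Suggest stating whether the check covers the source IP only or the IP and port, and what is done with a non-matching datagram (for example, whether it is discarded without being parsed), so that readers of CHANGES can tell what the validation covers. Minor style point in the same paragraph: "Only necessary on UDP sockets as they are connection-less, TCP is unaffected." is a comma splice and reads better as two sentences.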