The transaction ID wasn't verified on received DNS responses, plus the
ID needs to be difficult to predict in order to avoid MitM (man in the
middle) being able to easily forge responses.
Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx>
---
net/dns.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/dns.c b/net/dns.c
index 78588b96f..9ad316e33 100644
--- a/net/dns.c
+++ b/net/dns.c
@@ -58,6 +58,7 @@ struct header {
static struct net_connection *dns_con;
static uint64_t dns_timer_start;
+static uin32_t dns_req_id;
static int dns_state;
static IPaddr_t dns_ip;
@@ -70,9 +71,12 @@ static int dns_send(const char *name)
unsigned char *p, *s, *fullname, *dotptr;
const unsigned char *domain;
+ /* generate a random transaction id */
+ dns_req_id = dns_timer_start + random32();
+
/* Prepare DNS packet header */
header = (struct header *)packet;
- header->tid = 1;
+ header->tid = htons(dns_req_id);
header->flags = htons(0x100); /* standard query */
header->nqueries = htons(1); /* Just one query */
header->nanswers = 0;
@@ -127,6 +131,10 @@ static void dns_recv(struct header *header, unsigned len)
pr_debug("%s\n", __func__);
+ /* Only accept responses with the expected request id */
+ if (ntohs(header->id) != dns_req_id)
+ return;
+
/* We sent 1 query. We want to see more that 1 answer. */
if (ntohs(header->nqueries) != 1)
return;
--
2.17.1
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
