Merge branch 'master' into edns-string

2026-02-09 22:03:15 -05:00 · 2020-11-23 16:35:58 +01:00 · 2020-11-23 16:35:58 +01:00 · 201b949689
commit 201b949689
parent 2d184f7505 b891fe113c
2 changed files with 36 additions and 7 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,8 @@
+12 November 2020: Wouter
+	- Fix to connect() to UDP destinations, default turned on,
+	  this lowers vulnerability to ICMP side channels.
+	- Retry for interfaces with unused ports if possible.
+
 10 November 2020: Wouter
 	- Fix #341: fixing a possible memory leak.
 	- Fix memory leak after fix for possible memory leak failure.
--- a/services/outside_network.c
+++ b/services/outside_network.c
@ -1115,13 +1115,26 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		my_if = ub_random_max(outnet->rnd, num_if);
 		pif = &ifs[my_if];
 #ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION
-		my_port = ub_random_max(outnet->rnd, pif->avail_total);
-		if(my_port < pif->inuse) {
-			/* port already open */
-			pend->pc = pif->out[my_port];
-			verbose(VERB_ALGO, "using UDP if=%d port=%d", 
-				my_if, pend->pc->number);
-			break;
+		if(1) {
+			/* if we connect() we cannot reuse fds for a port */
+			if(pif->inuse >= pif->avail_total) {
+				tries++;
+				if(tries < MAX_PORT_RETRY)
+					continue;
+				log_err("failed to find an open port, drop msg");
+				return 0;
+			}
+			my_port = pif->inuse + ub_random_max(outnet->rnd,
+				pif->avail_total - pif->inuse);
+		} else  {
+			my_port = ub_random_max(outnet->rnd, pif->avail_total);
+			if(my_port < pif->inuse) {
+				/* port already open */
+				pend->pc = pif->out[my_port];
+				verbose(VERB_ALGO, "using UDP if=%d port=%d",
+					my_if, pend->pc->number);
+				break;
+			}
 		}
 		/* try to open new port, if fails, loop to try again */
 		log_assert(pif->inuse < pif->maxout);
@ -1138,6 +1151,17 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		if(fd != -1) {
 			verbose(VERB_ALGO, "opened UDP if=%d port=%d", 
 				my_if, portno);
+			if(1) {
+				/* connect() to the destination */
+				if(connect(fd, (struct sockaddr*)&pend->addr,
+					pend->addrlen) < 0) {
+					log_err_addr("udp connect failed",
+						strerror(errno), &pend->addr,
+						pend->addrlen);
+					sock_close(fd);
+					return 0;
+				}
+			}
 			/* grab fd */
 			pend->pc = outnet->unused_fds;
 			outnet->unused_fds = pend->pc->next;