Check destination of DNS UDP query replies. 51/252551/1
author Seonah Moon <seonah1.moon@samsung.com>
Wed, 27 Jan 2021 11:32:53 +0000 (20:32 +0900)
committer Seonah Moon <seonah1.moon@samsung.com>
Fri, 29 Jan 2021 07:45:45 +0000 (16:45 +0900)
commit 02295c49aa8ffccef0cc4a55cfdd08a542134ea9
tree 651f554865f2dfad8cf8ec0bd30cbf5802d849bf
parent 185007ba90f4f1c0bf7c6b3988db241a78c34a0f
Check destination of DNS UDP query replies.

At any time, dnsmasq will have a set of sockets open, bound to
random ports, on which it sends queries to upstream nameservers.
This patch fixes the existing problem that a reply for ANY in-flight
query would be accepted via ANY open port, which increases the
chances of an attacker flooding answers "in the blind" in an
attempt to poison the DNS cache. CERT VU#434904 refers.

Backported for CVE-2020-25684

Change-Id: I11790b18ad6e179a6f3f47fee310cd00ab3c7cdd
CHANGELOG
src/forward.c
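The commit message describes the matching rule the patch tightens: a reply used to be matched against any in-flight query whatever socket it arrived on, and now it must arrive on the socket the query went out from. The following is an added illustration of that rule, not dnsmasq code and not a reproduction of src/forward.c. It models a forwarder with N upstream sockets, implements both the old and the new matching, and counts how many forged (port, txid) replies a blind attacker who spoofs the upstream address could get accepted against one in-flight query. All names (ForwardingResolver, UPSTREAM, the addresses and hostnames) are invented for the example, and the txid space is shrunk to 8 bits so the whole guess space can be enumerated.

```python
"""Model of the reply/socket matching check described in the commit message.
Added example, not dnsmasq code; structures and names are invented."""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
UPSTREAM: Addr = ("192.0.2.53", 53)   # constructed upstream server address


@dataclass(frozen=True)
class Query:
    sock: int        # index of the local socket the query was sent on
    txid: int        # DNS transaction id
    qname: str
    upstream: Addr   # server the query was sent to


@dataclass(frozen=True)
class Reply:
    sock: int        # local socket (i.e. local port) the datagram arrived on
    txid: int
    qname: str
    src: Addr        # (possibly spoofed) source address of the datagram
    rdata: str


class ForwardingResolver:
    """Toy forwarder.  check_socket=False reproduces the pre-fix matching,
    check_socket=True the rule this commit introduces."""

    def __init__(self, n_sockets: int, check_socket: bool,
                 rng: random.Random, txid_bits: int = 16) -> None:
        self.n_sockets = n_sockets
        self.check_socket = check_socket
        self.rng = rng
        self.txid_bits = txid_bits
        self.inflight: Dict[Tuple[int, int], Query] = {}  # (sock, txid) -> query
        self.cache: Dict[str, str] = {}

    def send(self, qname: str, sock: Optional[int] = None) -> Query:
        """Forward qname upstream on a (random) socket with a random txid."""
        if sock is None:
            sock = self.rng.randrange(self.n_sockets)
        txid = self.rng.getrandbits(self.txid_bits)
        q = Query(sock, txid, qname, UPSTREAM)
        self.inflight[(sock, txid)] = q
        return q

    def match(self, r: Reply) -> Optional[Query]:
        """Return the in-flight query r answers, or None.  Does not mutate."""
        if self.check_socket:
            cands = [self.inflight.get((r.sock, r.txid))]   # same socket only
        else:
            cands = [q for q in self.inflight.values() if q.txid == r.txid]
        for q in cands:
            if q is not None and q.qname == r.qname and q.upstream == r.src:
                return q
        return None

    def receive(self, r: Reply) -> bool:
        """Cache r if it matches an in-flight query; report whether it did."""
        q = self.match(r)
        if q is None:
            return False
        del self.inflight[(q.sock, q.txid)]
        self.cache[q.qname] = r.rdata
        return True


def blind_flood_hits(check_socket: bool, n_sockets: int = 8,
                     txid_bits: int = 8, seed: int = 1) -> int:
    """Count forged (port, txid) replies accepted against one in-flight query.
    The attacker spoofs the upstream address and knows the name, but must
    guess both the destination port and the txid."""
    res = ForwardingResolver(n_sockets, check_socket, random.Random(seed), txid_bits)
    res.send("victim.example")
    hits = 0
    for sock in range(n_sockets):
        for txid in range(1 << txid_bits):
            forged = Reply(sock, txid, "victim.example", UPSTREAM, "203.0.113.66")
            if res.match(forged) is not None:
                hits += 1
    return hits


def wrong_socket_reply_accepted(check_socket: bool) -> bool:
    """Correct txid, name and source, but arriving on a different socket."""
    res = ForwardingResolver(4, check_socket, random.Random(7))
    q = res.send("www.example", sock=0)
    forged = Reply(1, q.txid, q.qname, UPSTREAM, "203.0.113.66")
    return res.receive(forged)


def legit_reply_accepted(check_socket: bool) -> bool:
    """A genuine reply on the right socket is accepted under both rules."""
    res = ForwardingResolver(4, check_socket, random.Random(7))
    q = res.send("www.example")
    return res.receive(Reply(q.sock, q.txid, q.qname, UPSTREAM, "198.51.100.10"))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"check_socket={flag}: blind hits={blind_flood_hits(flag)}, "
              f"wrong-socket accepted={wrong_socket_reply_accepted(flag)}")
```

With the old matching, every one of the N sockets is a valid landing place for a guessed txid, so the attacker's per-packet success probability is N times higher than with the new rule, where exactly one (port, txid) pair out of N * 2^16 is accepted. The model deliberately keeps the name and source-address checks in both variants, so the only thing that changes between the two runs is the socket check itself.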