From 76f13ab5e5592c27a5aca5d1a525156c2b035aae Mon Sep 17 00:00:00 2001 From: Pierre Krieger Date: Mon, 2 Jul 2018 10:51:10 +0200 Subject: [PATCH] Instantly deny IPs of the form 0.0.0.0:0 (#275) * Instantly deny IPs of the form 0.0.0.0:0 * Also put the change in websockets --- tcp-transport/src/lib.rs | 18 ++++++++++-------- websocket/src/browser.rs | 12 ++++++++++++ websocket/src/desktop.rs | 2 +- 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/tcp-transport/src/lib.rs b/tcp-transport/src/lib.rs index 5d5ad196..7d90cdc8 100644 --- a/tcp-transport/src/lib.rs +++ b/tcp-transport/src/lib.rs @@ -93,8 +93,6 @@ impl Transport for TcpConfig { type MultiaddrFuture = FutureResult; type Dial = Box>; - /// Listen on the given multi-addr. - /// Returns the address back if it isn't supported. fn listen_on(self, addr: Multiaddr) -> Result<(Self::Listener, Multiaddr), (Self, Multiaddr)> { if let Ok(socket_addr) = multiaddr_to_socketaddr(&addr) { let listener = TcpListener::bind(&socket_addr, &self.event_loop); @@ -131,14 +129,18 @@ impl Transport for TcpConfig { } } - /// Dial to the given multi-addr. - /// Returns either a future which may resolve to a connection, - /// or gives back the multiaddress. fn dial(self, addr: Multiaddr) -> Result { if let Ok(socket_addr) = multiaddr_to_socketaddr(&addr) { - debug!("Dialing {}", addr); - let fut = TcpStream::connect(&socket_addr, &self.event_loop).map(|t| (t, future::ok(addr))); - Ok(Box::new(fut) as Box<_>) + // As an optimization, we check that the address is not of the form `0.0.0.0`. + // If so, we instantly refuse dialing instead of going through the kernel. + if socket_addr.port() != 0 && !socket_addr.ip().is_unspecified() { + debug!("Dialing {}", addr); + let fut = TcpStream::connect(&socket_addr, &self.event_loop).map(|t| (t, future::ok(addr))); + Ok(Box::new(fut) as Box<_>) + } else { + debug!("Instantly refusing dialing {}, as it is invalid", addr); + Err((self, addr)) + } } else { Err((self, addr)) } diff --git a/websocket/src/browser.rs b/websocket/src/browser.rs index cc1426ec..a00e8dca 100644 --- a/websocket/src/browser.rs +++ b/websocket/src/browser.rs @@ -333,15 +333,27 @@ fn multiaddr_to_target(addr: &Multiaddr) -> Result { match (&protocols[0], &protocols[1], &protocols[2]) { (&AddrComponent::IP4(ref ip), &AddrComponent::TCP(port), &AddrComponent::WS) => { + if ip.is_unspecified() || port == 0 { + return Err(()); + } Ok(format!("ws://{}:{}/", ip, port)) } (&AddrComponent::IP6(ref ip), &AddrComponent::TCP(port), &AddrComponent::WS) => { + if ip.is_unspecified() || port == 0 { + return Err(()); + } Ok(format!("ws://[{}]:{}/", ip, port)) } (&AddrComponent::IP4(ref ip), &AddrComponent::TCP(port), &AddrComponent::WSS) => { + if ip.is_unspecified() || port == 0 { + return Err(()); + } Ok(format!("wss://{}:{}/", ip, port)) } (&AddrComponent::IP6(ref ip), &AddrComponent::TCP(port), &AddrComponent::WSS) => { + if ip.is_unspecified() || port == 0 { + return Err(()); + } Ok(format!("wss://[{}]:{}/", ip, port)) } (&AddrComponent::DNS4(ref ns), &AddrComponent::TCP(port), &AddrComponent::WS) => { diff --git a/websocket/src/desktop.rs b/websocket/src/desktop.rs index 9a72ea8d..f4dce45e 100644 --- a/websocket/src/desktop.rs +++ b/websocket/src/desktop.rs @@ -301,7 +301,7 @@ mod tests { let (listener, addr) = ws_config .clone() - .listen_on("/ip4/0.0.0.0/tcp/0/ws".parse().unwrap()) + .listen_on("/ip4/127.0.0.1/tcp/0/ws".parse().unwrap()) .unwrap(); assert!(addr.to_string().ends_with("/ws")); assert!(!addr.to_string().ends_with("/0/ws"));