[feed/telephony.git] / net / restund / patches / 202-turn-block-whole-loopback-range-also-block-broadcast.patch
1 From 955064fc220b5739010a2e207a8561ea44f974d3 Mon Sep 17 00:00:00 2001
2 From: Dusan Stevanovic <dule@wire.com>
3 Date: Thu, 11 Mar 2021 13:15:27 +0100
4 Subject: [PATCH] turn: block whole loopback range, also block broadcast
5
6 ---
7 modules/turn/turn.c | 20 ++++++++++++++++++--
8 1 file changed, 18 insertions(+), 2 deletions(-)
9
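--- a/modules/turn/turn.c
+++ b/modules/turn/turn.c
@@ -144,6 +144,22 @@ static bool request_handler(struct restu
 return true;
 }
 
+static inline bool is_loopback(const struct sa *sa)
+{
+ return (ntohl(sa->u.in.sin_addr.s_addr) & 0xffffff00) == 0x7f000000;
+}
+
+static inline bool is_broadcast(const struct sa *sa)
+{
+ return ntohl(sa->u.in.sin_addr.s_addr) == 0xffffffff;
+}
+
+static inline bool is_blocked(const struct sa *sa)
+{
+ return is_loopback(sa) || is_broadcast(sa)
+ || sa_is_any(sa) || sa_is_linklocal(sa);
+
+}
 
 static bool indication_handler(struct restund_msgctx *ctx, int proto,
 void *sock, const struct sa *src,
@@ -181,7 +197,7 @@ static bool indication_handler(struct re
 return true;
 }
 
- if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
+ if (is_blocked(psa))
 err = EPERM;
 else
 err = udp_send(al->rel_us, psa, &data->v.data);
@@ -234,7 +250,7 @@ static bool raw_handler(int proto, const
 
 mb->end = mb->pos + len;
 
- if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
+ if (is_blocked(psa))
 err = EPERM;
 else
 err = udp_send(al->rel_us, psa, mb);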
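Review bot: The mask in `is_loopback` is `0xffffff00`, which matches only 127.0.0.0/24, so a peer address such as 127.0.1.1 still passes `is_blocked` and reaches `udp_send`; covering the whole loopback range named in the subject needs `0xff000000`. The helpers also read `sa->u.in` without checking the address family, and both call sites drop `sa_is_loopback(psa)`, so an IPv6 loopback peer is presumably no longer rejected and the IPv4 comparisons would run over unrelated bytes of an IPv6 address; `struct sa` is not visible here, so this should be confirmed. I would gate the IPv4 tests on the family and keep the library check: `return sa_is_loopback(sa) || (sa_af(sa) == AF_INET && (is_loopback(sa) || is_broadcast(sa))) || sa_is_any(sa) || sa_is_linklocal(sa);`. A short comment on `is_blocked` saying why these destinations are refused (relayed traffic must not reach services bound on the relay host itself) would help the next reader.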