Add check that miniupnpd is not going to listen on WAN interface with public IP address

Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.

So add checks and hints which prevent security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on the public Internet.
Pali Rohár 2020-12-30 11:23:29 +01:00
parent 304ff79dc5
commit e6bf74a691
1 changed files with 7 additions and 0 deletions

@ -953,6 +953,13 @@ parselanaddr(struct lan_addr_s * lan_addr, const char * str)
if(!inet_aton(lan_addr->str, &lan_addr->addr))
goto parselan_error;
}
if(!addr_is_reserved(&lan_addr->addr)) {
fprintf(stderr, "Error: LAN address contains public ip address : %s\n", lan_addr->str);
fprintf(stderr, "Public ip address can be configured via ext_ip= option\n");
fprintf(stderr, "LAN address should contain private address, e.g. from 192.168. block\n");
fprintf(stderr, "Listening on public ip address is a security issue\n");
return -1;
}
if(*p == '/')
{
const char * q = ++p;
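
Review bot: the new public-address branch leaves parselanaddr() with a bare `return -1`, while the inet_aton() failure two lines above it uses `goto parselan_error`; if that label does any reporting or cleanup, this path skips it, so either use the same goto or note why the direct return is intended. The hint text names `ext_ip=` while the commit message says `ext_addr=`; one of the two should be corrected so users are pointed at the real option. The check also rests entirely on addr_is_reserved(), so a short comment stating which ranges it accepts would make clear what counts as a valid LAN address here, since the message only mentions the 192.168. block.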