From e6bf74a691994face1d71c5c97056d95d47dca0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pali=20Roh=C3=A1r?=
Date: Wed, 30 Dec 2020 11:23:29 +0100
Subject: [PATCH] Add check that miniupnpd is not going to listen on WAN interface with public IP address
Option listen= is used for LAN interface/address and option ext_addr= is used for public IP address. If users by mistake swap WAN and LAN interface or public and private IP addresses then miniupnpd obviously would not work and instead of hacking miniupnpd code users should rather check their miniupnpd configuration or local firewall settings. So add checks and hints which prevents security issues like swapping LAN and WAN interfaces/addresses and therefore prevent exposing port forwarding and firewall configuration on public Internet.
---
 miniupnpd/miniupnpd.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/miniupnpd/miniupnpd.c b/miniupnpd/miniupnpd.c
index 70925dc..31bd9e4 100644
--- miniupnpd/miniupnpd.c
+++ b/miniupnpd/miniupnpd.c
@@ -953,6 +953,13 @@ parselanaddr(struct lan_addr_s * lan_addr, const char * str)
 if(!inet_aton(lan_addr->str, &lan_addr->addr))
 goto parselan_error;
 }
+ if(!addr_is_reserved(&lan_addr->addr)) {
+ fprintf(stderr, "Error: LAN address contains public ip address : %s\n", lan_addr->str);
+ fprintf(stderr, "Public ip address can be configured via ext_ip= option\n");
+ fprintf(stderr, "LAN address should contain private address, e.g. from 192.168. block\n");
+ fprintf(stderr, "Listening on public ip address is a security issue\n");
+ return -1;
+ }
 if(*p == '/')
 {
 const char * q = ++p;
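Review bot: The new guard in parselanaddr() accepts every address for which addr_is_reserved() returns true, so its strength rests on a helper defined outside this hunk: if that set is wider than the private ranges the messages describe (loopback, link-local, multicast or the unspecified address, for example), those values still pass as a LAN address. A short comment above the check would make the intent reviewable, e.g. `/* refuse globally routable listen addresses; addr_is_reserved() defines what counts as non-public */`. The check also runs once, on the address known at parse time, and the branch that fills lan_addr->addr from an interface name starts above the hunk, so whether a later address change on that interface is re-checked cannot be seen here. The hint prints `ext_ip=` while the commit description names `ext_addr=`; whichever matches the option parser should be used in both places. The early `return -1` bypasses the `parselan_error` label used by the neighbouring failure path, which looks deliberate but deserves a word in the same comment.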