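--- a/libs/libmythupnp/ssdp.cpp	2014-12-10 22:29:10.912018687 -0700
+++ b/libs/libmythupnp/ssdp.cpp	2014-12-10 22:01:31.929533300 -0700
@@ -314,33 +314,6 @@
 
 void SSDP::ProcessData( MSocketDevice *pSocket )
 {
-QHostAddress peerAddress = pSocket->peerAddress();
-quint16 peerPort = pSocket->peerPort ();
-
-// Mitigate against SSDP Reflection DDOS attacks
-// Disallow device discovery from non-local addresses
-// Security Advisory (Akamai):
-// https://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threat-advisory-ssdp-reflection-ddos-attacks/ssdp-reflection-attacks-cybersecurity-locked.html
-// https://www.prolexic.com/knowledge-center-ddos-threat-advisory-ssdp-reflection-ddos-attacks.html
-//
-// TODO: We may want to restrict this to the same subnet as the server
-// for added security
-if (((peerAddress.protocol() == QAbstractSocket::IPv4Protocol) &&
-(!peerAddress.isInSubnet(QHostAddress("172.16.0.0"), 12) &&
-!peerAddress.isInSubnet(QHostAddress("192.168.0.0"), 16) &&
-!peerAddress.isInSubnet(QHostAddress("10.0.0.0"), 8))) ||
-((peerAddress.protocol() == QAbstractSocket::IPv6Protocol) &&
-!peerAddress.isInSubnet(pSocket->address(), 64))) // default subnet size is assumed to be /64
-{
-LOG(VB_GENERAL, LOG_CRIT, QString("SSDP Request from WAN IP "
-"address (%1). Possible SSDP "
-"Reflection attempt. Ignoring as "
-"security risk.")
-.arg(peerAddress.toString()));
-pSocket->readAll(); // Discard the data in the socket buffer
-return;
-}
-
 QByteArray buffer;
 long nBytes = 0;
 int retries = 0;
@@ -392,6 +365,35 @@
 if (buffer.isEmpty())
 continue;
 
+QHostAddress peerAddress = pSocket->peerAddress();
+quint16 peerPort = pSocket->peerPort ();
+
+// Mitigate against SSDP Reflection DDOS attacks
+// Disallow device discovery from non-local addresses
+// Security Advisory (Akamai):
+// https://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threat-advisory-ssdp-reflection-ddos-attacks/ssdp-reflection-attacks-cybersecurity-locked.html
+// https://www.prolexic.com/knowledge-center-ddos-threat-advisory-ssdp-reflection-ddos-attacks.html
+//
+// TODO: We may want to restrict this to the same subnet as the server
+// for added security
+if (!peerAddress.isNull() && (peerAddress != QHostAddress::Null) &&
+((peerAddress.protocol() == QAbstractSocket::IPv4Protocol) &&
+(!peerAddress.isInSubnet(QHostAddress("172.16.0.0"), 12) &&
+!peerAddress.isInSubnet(QHostAddress("192.168.0.0"), 16) &&
+!peerAddress.isInSubnet(QHostAddress("10.0.0.0"), 8))) ||
+((peerAddress.protocol() == QAbstractSocket::IPv6Protocol) &&
+!peerAddress.isInSubnet(pSocket->address(), 64))) // default subnet size is assumed to be /64
+{
+LOG(VB_GENERAL, LOG_CRIT, QString("SSDP Request from WAN IP "
+"address (%1). Possible SSDP "
+"Reflection attempt. Ignoring as "
+"security risk.")
+.arg(peerAddress.toString()));
+continue;
+//pSocket->readAll(); // Discard the data in the socket buffer
+//return;
+}
+
 // ------------------------------------------------------------------
 QString str = QString(buffer.constData());
 QStringList lines = str.split("\r\n", QString::SkipEmptyParts);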