From f1408593513c995b6f12c4a358c9f0770e46bbdd Mon Sep 17 00:00:00 2001
From: Justin Maggard
Date: Mon, 29 Aug 2022 22:36:08 -0700
Subject: [PATCH] upnphttp: Improve DNS rebinding attack protection

Detect invalid IP addresses in the Host field and reject as needed.
---
 upnphttp.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/upnphttp.c b/upnphttp.c
index 4bc0c54..05b2020 100644
--- a/upnphttp.c
+++ b/upnphttp.c
@@ -915,15 +915,29 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
 DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
 if(h->req_Host && h->req_HostLen > 0) {
- const char *ptr = h->req_Host;
+ const char *port = memchr(h->req_Host, ':', h->req_HostLen);
+ size_t ip_sz = port ? (port - h->req_Host) : h->req_HostLen;
+ struct in_addr addr;
+ char ip_buf[16];
 DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
- for(i = 0; i < h->req_HostLen; i++) {
- if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
- DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
- Send404(h);/* 403 */
+ if (port) {
+ const char *ptr = port + 1;
+ for (i = ip_sz + 2; i < h->req_HostLen; i++) {
+ if (*ptr > '9' || *ptr < '0')
+ break;
+ ptr++;
+ }
+ if (i != h->req_HostLen || atoi(port + 1) > 65535) {
+ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)\n", h->req_HostLen, h->req_Host);
+ Send400(h);
 return;
 }
- ptr++;
+ }
+ strncpyt(ip_buf, h->req_Host, MIN(ip_sz + 1, sizeof(ip_buf)));
+ if (ip_sz >= sizeof(ip_buf) || inet_pton(AF_INET, ip_buf, &addr) <= 0 || !addr.s_addr) {
+ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)\n", h->req_HostLen, h->req_Host);
+ Send400(h);
+ return;
 }
 }
 if(strcmp("POST", HttpCommand) == 0)
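Review bot: The port-digit loop in the `if (port)` branch starts `i` at `ip_sz + 2` while `ptr` starts at `port + 1` (offset `ip_sz + 1`), so the last byte of the Host value is never tested and a constructed value such as `1.2.3.4:80x` passes the digit check. `atoi(port + 1)` is also not bounded by `req_HostLen`, and its behaviour is undefined when the digit run does not fit in `int`, so the `> 65535` comparison cannot be relied on for a client-supplied header. Starting the index at `ip_sz + 1` on its own would let an empty port through, which the current loop rejects only as a side effect of the offset. I would instead accumulate the port value inside the loop with an upper bound and reject the empty case explicitly, as sketched below. `i` is declared outside the hunk and the function body continues past it.

```c
		if (port) {
			const char *ptr = port + 1;
			unsigned long portnum = 0;
			/* ptr sits at offset ip_sz + 1, so the index starts there too */
			for (i = ip_sz + 1; i < h->req_HostLen; i++, ptr++) {
				if (*ptr > '9' || *ptr < '0')
					break;
				portnum = portnum * 10 + (unsigned long)(*ptr - '0');
				if (portnum > 65535)
					break;	/* leaves i short of req_HostLen, so the check below rejects */
			}
			/* ptr == port + 1 means no digit followed the ':' */
			if (ptr == port + 1 || i != h->req_HostLen) {
				/* … unchanged: DPRINTF, Send400(h), return … */
			}
		}
```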