From: tedu
Date: Wed, 31 May 2017 07:18:10 +0000 (+0000)
Subject: add a workaround for the rebound portjacking hijinks. ok millert
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=92d0086bfbf25ac678dd1bff6d058df050aa68ad;p=openbsd

add a workaround for the rebound portjacking hijinks. ok millert
---
diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c
index dcdb1deb8b0..4c8ff67b2f0 100644
--- a/usr.sbin/bind/bin/dig/dighost.c
+++ b/usr.sbin/bind/bin/dig/dighost.c
@@ -34,6 +34,8 @@
 #include
 #include
+#include
+
 #ifdef HAVE_LOCALE_H
 #include
 #endif
@@ -2778,6 +2780,15 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 isc_region_t r;
 isc_buffer_t *buf = NULL;
 #endif
+ static int checked_jackport;
+ static int jackport;
+
+ if (!checked_jackport) {
+ int dnsjacking[2] = { CTL_KERN, KERN_DNSJACKPORT };
+ size_t portlen = sizeof(jackport);
+ sysctl(dnsjacking, 2, &jackport, &portlen, NULL, 0);
+ checked_jackport = 1;
+ }
 UNUSED(task);
 INSIST(!free_now);
@@ -2854,6 +2865,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 * sent to 0.0.0.0, :: or to a multicast addresses.
 * XXXMPA broadcast needs to be handled here as well.
 */
+ if (jackport == 0)
 if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
 !isc_sockaddr_ismulticast(&query->sockaddr)) ||
 isc_sockaddr_getport(&query->sockaddr) !=
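Review bot: The return value of `sysctl()` is ignored in the added one-time lookup in recv_done, so a failed call cannot be told apart from a configured value of 0. The outcome is safe only because `jackport` is a zero-initialised static and 0 leaves the reply-source check further down enabled, and nothing in the code says so. I would make that explicit with `if (sysctl(dnsjacking, 2, &jackport, &portlen, NULL, 0) == -1) jackport = 0;` and a comment such as `/* on failure keep jackport 0 so the source check stays on */`. recv_done starts and ends outside this hunk.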
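Review bot: The added `if (jackport == 0)` turns off the whole reply-source comparison whenever the dnsjackport sysctl is non-zero, so on such a host dig appears to accept an answer from any address and port, not only from the server it queried. That comparison is the guard against replies from unexpected sources, so the trade-off deserves a comment at the guard, for example `/* DNS is redirected to jackport, so replies will not match query->sockaddr */`. If it is feasible, I would narrow the bypass to replies that arrive from the local redirector instead of skipping the check outright. The guard is also an unbraced `if` directly above another `if`, and bracing it would keep any `else` outside the hunk from binding to an unintended statement. The inner condition and its body continue past the end of the hunk.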