Minor security: lock roots to only be reachable via World IPs.

2016-12-05 16:09:42 -08:00
parent 4b3a47849d
commit 244f37179c
3 changed files with 36 additions and 0 deletions
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@@ -264,6 +264,23 @@ void Topology::setUpstream(const Address &a,bool upstream)
 		RR->sw->requestWhois(a);
 }

+bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const
+{
+	Mutex::Lock _l(_lock);
+
+	if (std::find(_rootAddresses.begin(),_rootAddresses.end(),ztaddr) != _rootAddresses.end()) {
+		for(std::vector<World::Root>::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) {
+			for(std::vector<InetAddress>::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+				if (ipaddr.ipsEqual(*e))
+					return false;
+			}
+		}
+		return true;
+	}
+
+	return false;
+}
+
 bool Topology::worldUpdateIfValid(const World &newWorld)
 {
 	Mutex::Lock _l(_lock);