Merge #12626: Limit the number of IPs addrman learns from each DNS seeder

laanwj · laanwj · commit efa18a230d48 · 2018-03-07T17:43:35.000+01:00
46e7f80 Limit the number of IPs we use from each DNS seeder (e0) Pull request description: A risk exists where a malicious DNS seeder eclipses a node by returning an enormous number of IP addresses. In this commit we mitigate this risk by limiting the number of IP addresses addrman learns to 256 per DNS seeder. As discussed with @theuni Tree-SHA512: 949e870765b1470200f2c650341d9e3308a973a7d1a6e557b944b0a2b8ccda49226fc8c4ff7d2a05e5854c4014ec0b67e37a3f2287556fe7dfa2048ede1f2e6f
diff --git a/src/net.cpp b/src/net.cpp
@@ -1631,7 +1631,8 @@ void CConnman::ThreadDNSAddressSeed()
             if (!resolveSource.SetInternal(host)) {
                 continue;
             }
-            if (LookupHost(host.c_str(), vIPs, 0, true))
+            unsigned int nMaxIPs = 256; // Limits number of IPs learned from a DNS seed
+            if (LookupHost(host.c_str(), vIPs, nMaxIPs, true))
             {
                 for (const CNetAddr& ip : vIPs)
                 {

Original file line number	Diff line number	Diff line change
`@@ -1631,7 +1631,8 @@ void CConnman::ThreadDNSAddressSeed()`
`1631`	`1631`	`if (!resolveSource.SetInternal(host)) {`
`1632`	`1632`	`continue;`
`1633`	`1633`	`}`
`1634`		`- if (LookupHost(host.c_str(), vIPs, 0, true))`
	`1634`	`+ unsigned int nMaxIPs = 256; // Limits number of IPs learned from a DNS seed`
	`1635`	`+ if (LookupHost(host.c_str(), vIPs, nMaxIPs, true))`
`1635`	`1636`	`{`
`1636`	`1637`	`for (const CNetAddr& ip : vIPs)`
`1637`	`1638`	`{`