dnslists: hardwired return value check. Bug 2631

[exim.git] / src / src / dnsbl.c

diff --git a/src/src/dnsbl.c b/src/src/dnsbl.c
index d3afd5cf8a0fc199c1c2087ef66afc5134cdd7bb..5c6a76d944f51f80fca9497b6cdcc15be7a1b894 100644 (file)
--- a/src/src/dnsbl.c
+++ b/src/src/dnsbl.c
@@ -247,7 +247,15 @@ if (cb->rc == DNS_SUCCEED)
         ignore IPv6 addresses. The default mask is 0, which always matches.
         We change this only for IPv4 addresses in the list. */
 
-        if (host_aton(da->address, address) == 1) mask = address[0];
+        if (host_aton(da->address, address) == 1)
+         if ((address[0] & 0xff000000) != 0x7f000000)    /* 127.0.0.0/8 */
+           log_write(0, LOG_MAIN,
+             "DNS list lookup for %s at %s returned %s;"
+             " not in 127.0/8 and discarded",
+             keydomain, domain, da->address);
+
+         else
+           mask = address[0];
 
         /* Scan the returned addresses, skipping any that are IPv6 */
 
@@ -301,6 +309,29 @@ if (cb->rc == DNS_SUCCEED)
       }
     }
 
+  /* No address list check; discard any illegal returns and give up if
+  none remain. */
+
+  else
+    {
+    BOOL ok = FALSE;
+    for (da = cb->rhs; da; da = da->next)
+      {
+      int address[4];
+
+      if (  host_aton(da->address, address) == 1               /* ipv4 */
+        && (address[0] & 0xff000000) == 0x7f000000     /* 127.0.0.0/8 */
+        )
+       ok = TRUE;
+      else
+       log_write(0, LOG_MAIN,
+           "DNS list lookup for %s at %s returned %s;"
+           " not in 127.0/8 and discarded",
+           keydomain, domain, da->address);
+      }
+    if (!ok) return FAIL;
+    }
+
   /* Either there was no IP list, or the record matched, implying that the
   domain is on the list. We now want to find a corresponding TXT record. If an
   alternate domain is specified for the TXT record, call this function