From b58aa4f06463947e0f899609ab03264e333c67a1 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 21 Apr 2021 12:39:17 +0200
Subject: [PATCH] Accept responses also from non-last bound interface

Partial backport of upstream commit
74d4fcd756a85bc1823232ea74334f7ccfb9d5d2, smaller part of CVE-2021-3448
fix.
---
 src/forward.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/forward.c b/src/forward.c
index a0b1f1d..ec2de6f 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -2228,6 +2228,8 @@ struct frec *get_new_frec(time_t now, int *wait, int force)
 static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
 {
   struct frec *f;
+  struct server *s;
+  int type;
 
   for(f = daemon->frec_list; f; f = f->next)
     if (f->sentto && f->new_id == id && 
@@ -2240,9 +2242,21 @@ static struct frec *lookup_frec(unsigned short id, int fd, int family, void *has
 	if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
 	  return f;
 
-	/* sent to upstream from bound socket. */
-	if (f->sentto->sfd && f->sentto->sfd->fd == fd)
-	  return f;
+	/* Sent to upstream from socket associated with a server.
+	   Note we have to iterate over all the possible servers, since they may
+	   have different bound sockets. */
+	type = f->sentto->flags & SERV_TYPE;
+	s = f->sentto;
+	do {
+	  if ((type == (s->flags & SERV_TYPE)) &&
+	      (type != SERV_HAS_DOMAIN ||
+	       (s->domain && hostname_isequal(f->sentto->domain, s->domain))) &&
+	      !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) &&
+	      s->sfd && s->sfd->fd == fd)
+	    return f;
+
+	  s = s->next ? s->next : daemon->servers;
+	} while (s != f->sentto);
       }
       
   return NULL;
-- 
2.26.3