Do not allow to add loopback/multicast/broadcast ips to split tunnel …

…list
amnezia-vpn · Jun 28, 2024 · 873fb1f · 873fb1f
1 parent ef712b7
commit 873fb1f
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/client/settings.cpp b/client/settings.cpp
@@ -9,6 +9,17 @@
 #include "containers/containers_defs.h"
 #include "logger.h"
 
+namespace {
+
+bool isAddressReserved(const QString &ipStr)
+{
+  QHostAddress ip(ipStr);
+
+  return ip.isLoopback() || ip.isMulticast() || ip.isBroadcast();
+}
+
+}
+
 const char Settings::cloudFlareNs1[] = "1.1.1.1";
 const char Settings::cloudFlareNs2[] = "1.0.0.1";
 
@@ -272,6 +283,11 @@ bool Settings::addVpnSite(RouteMode mode, const QString &site, const QString &ip
     if (sites.contains(site) && ip.isEmpty())
         return false;
 
+    if (isAddressReserved(site))
+    {
+        return false;
+    }
+
     sites.insert(site, ip);
     setVpnSites(mode, sites);
     return true;
@@ -284,6 +300,11 @@ void Settings::addVpnSites(RouteMode mode, const QMap<QString, QString> &sites)
         const QString &site = i.key();
         const QString &ip = i.value();
 
+        if (isAddressReserved(site))
+        {
+            continue;
+        }
+
         if (allSites.contains(site) && allSites.value(site) == ip)
             continue;
 

diff --git a/client/ui/controllers/sitesController.cpp b/client/ui/controllers/sitesController.cpp
@@ -35,7 +35,12 @@ void SitesController::addSite(QString hostname)
     }
 
     const auto &processSite = [this](const QString &hostname, const QString &ip) {
-        m_sitesModel->addSite(hostname, ip);
+        bool isAdded = m_sitesModel->addSite(hostname, ip);
+
+        if (!isAdded)
+        {
+          return false;
+        }
 
         if (!ip.isEmpty()) {
             QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection,
@@ -45,6 +50,8 @@ void SitesController::addSite(QString hostname)
                                       Q_ARG(QStringList, QStringList() << hostname));
         }
         QMetaObject::invokeMethod(m_vpnConnection.get(), "flushDns", Qt::QueuedConnection);
+
+        return true;
     };
 
     const auto &resolveCallback = [this, processSite](const QHostInfo &hostInfo) {
@@ -57,14 +64,20 @@ void SitesController::addSite(QString hostname)
         }
     };
 
+    bool isSiteAdded = false;
     if (NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(hostname)) {
-        processSite(hostname, "");
+        isSiteAdded = processSite(hostname, "");
     } else {
-        processSite(hostname, "");
+        isSiteAdded = processSite(hostname, "");
         QHostInfo::lookupHost(hostname, this, resolveCallback);
     }
 
-    emit finished(tr("New site added: %1").arg(hostname));
+    if (isSiteAdded) {
+        emit finished(tr("New site added: %1").arg(hostname));
+    } else
+    {
+        emit finished(tr("Invalid or reserved ip: %1").arg(hostname));
+    }
 }
 
 void SitesController::removeSite(int index)