From 244f37179cb20b1ebec420da5b315ecf8ac0db40 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Mon, 5 Dec 2016 16:09:42 -0800
Subject: Minor security: lock roots to only be reachable via World IPs.

---
 node/Topology.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'node/Topology.cpp')

diff --git a/node/Topology.cpp b/node/Topology.cpp
index 517934fb..bf51b585 100644
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@@ -264,6 +264,23 @@ void Topology::setUpstream(const Address &a,bool upstream)
 RR->sw->requestWhois(a);
 }
 
+bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipaddr) const
+{
+ Mutex::Lock _l(_lock);
+
+ if (std::find(_rootAddresses.begin(),_rootAddresses.end(),ztaddr) != _rootAddresses.end()) {
+ for(std::vector::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) {
+ for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+ if (ipaddr.ipsEqual(*e))
+ return false;
+ }
+ }
+ return true;
+ }
+
+ return false;
+}
+
 bool Topology::worldUpdateIfValid(const World &newWorld)
 {
 Mutex::Lock _l(_lock);
-- 
cgit v1.2.3
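Review bot: The nested loops in `isProhibitedEndpoint` accept `ipaddr` when it equals a stable endpoint of any root in `_world`, not only those of the root whose address is `ztaddr`, so a root's address is still accepted at a different root's IP. Assuming `World::Root` exposes the root's `identity` (not visible in this hunk), adding `if (r->identity.address() != ztaddr) continue;` as the first statement of the outer loop would bind each root to its own endpoints. A root listed in `_rootAddresses` whose `stableEndpoints` is empty can never match on its own entries, and the code does not say whether prohibiting it everywhere is intended. The function also has no comment stating that `true` means the path must be rejected, or that `ipsEqual` presumably compares the IP only and ignores the port; a short header comment such as `// Returns true if ztaddr is a root and ipaddr is not one of its World stable endpoints (port not compared)` would make the contract clear to callers.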