From 1176cd58c90fc37bf98a6f774b26fc1adc8fd8e9 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Wed, 8 Dec 2021 23:51:38 +0000
Subject: [PATCH] Fix regression in --rebind-domain-ok in 2.86
The 2.86 domain-match rewrite changed matching from whole-labels to substring matching, so example.com would match example.com and www.example.com, as before, but also goodexample.com, which is a regression. This restores the original behaviour. Also restore the behaviour of --rebind-domain-ok=// to match domains with onlt a single label and no dots. Thanks to Sung Pae for reporting these bugs and supplying an initial patch.
---
 src/forward.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index 163da09..f22c080 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -153,11 +153,20 @@ static int domain_no_rebind(char *domain)
 {
 struct rebind_domain *rbd;
 size_t tlen, dlen = strlen(domain);
-
+ char *dots = strchr(domain, '.');
+
+ /* Match whole labels only. Empty domain matches no dots (any single label) */
 for (rbd = daemon->no_rebind; rbd; rbd = rbd->next)
- if (dlen >= (tlen = strlen(rbd->domain)) && strcmp(rbd->domain, &domain[dlen - tlen]) == 0)
+ {
+ if (dlen >= (tlen = strlen(rbd->domain)) &&
+ hostname_isequal(rbd->domain, &domain[dlen - tlen]) &&
+ (dlen == tlen || domain[dlen - tlen - 1] == '.'))
 return 1;
+ if (tlen == 0 && !dots)
+ return 1;
+ }
+
 return 0;
 }
--
2.20.1
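Review bot: An empty `--rebind-domain-ok=//` entry (`tlen == 0`) still passes through the first `if` in the new loop body. There `hostname_isequal` is handed two empty strings, which presumably compare equal, and the label-boundary test reduces to `domain[dlen - 1] == '.'`, so a multi-label name that ends in a dot would be exempted from rebind protection. Whether a trailing-dot name can reach `domain_no_rebind()` is not visible in this hunk, but since this list switches a security check off it is safer to rule the case out: compute `tlen = strlen(rbd->domain);` first, handle the empty entry with `if (tlen == 0) { if (!dots) return 1; continue; }`, and run the suffix comparison only for non-empty entries. It would also help to extend the comment to say that `dlen == tlen` must be tested before `domain[dlen - tlen - 1]`, because that ordering is what keeps the index from reaching before the start of the buffer.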