The TCP code did not do sufficient checks on whether incoming packets

were destined for a broadcast IP address. All TCP packets with a
broadcast destination must be ignored. The system only ignored packets
that were _link-layer_ broadcasts or multicast. We need to check the
IP address too since it is quite possible for a broadcast IP address
to come in with a unicast link-layer address.

Note that the check existed prior to CSRG revision 7.35, but was
removed. This commit effectively backs out that nine-year-old change.

PR:		misc/35022

sys/netinet/tcp_input.c

@@ -798,11 +798,15 @@ tcp_input(m, off0)
 		}
 		/*
 		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-		 * in_broadcast() should never return true on a received
-		 * packet with M_BCAST not set.
- 		 *
- 		 * Packets with a multicast source address should also
- 		 * be discarded.
+		 *
+		 * It is possible for a malicious (or misconfigured)
+		 * attacker to send unicast link-layer packets with a
+		 * broadcast IP address. Use in_broadcast() to find them.
+		 * (This check was erroneously removed in CSRG revision
+		 * 7.35.)
+		 *
+		 * Packets with a multicast source address should also
+		 * be discarded.
 		 */
 		if (m->m_flags & (M_BCAST|M_MCAST))
 			goto drop;
@@ -815,7 +819,8 @@ tcp_input(m, off0)
 #endif
 		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 		    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+		    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 			goto drop;
 		/*
 		 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ tcp_input(m, off0)
 #endif /* INET6 */
 	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+	    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 		goto drop;
 	/* IPv6 anycast check is done at tcp6_input() */
 

sys/netinet/tcp_reass.c

@@ -798,11 +798,15 @@ tcp_input(m, off0)
 		}
 		/*
 		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-		 * in_broadcast() should never return true on a received
-		 * packet with M_BCAST not set.
- 		 *
- 		 * Packets with a multicast source address should also
- 		 * be discarded.
+		 *
+		 * It is possible for a malicious (or misconfigured)
+		 * attacker to send unicast link-layer packets with a
+		 * broadcast IP address. Use in_broadcast() to find them.
+		 * (This check was erroneously removed in CSRG revision
+		 * 7.35.)
+		 *
+		 * Packets with a multicast source address should also
+		 * be discarded.
 		 */
 		if (m->m_flags & (M_BCAST|M_MCAST))
 			goto drop;
@@ -815,7 +819,8 @@ tcp_input(m, off0)
 #endif
 		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 		    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+		    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 			goto drop;
 		/*
 		 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ tcp_input(m, off0)
 #endif /* INET6 */
 	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+	    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 		goto drop;
 	/* IPv6 anycast check is done at tcp6_input() */