The TCP code did not do sufficient checks on whether incoming packets
were destined for a broadcast IP address. All TCP packets with a broadcast destination must be ignored. The system only ignored packets that were _link-layer_ broadcasts or multicast. We need to check the IP address too since it is quite possible for a broadcast IP address to come in with a unicast link-layer address. Note that the check existed prior to CSRG revision 7.35, but was removed. This commit effectively backs out that nine-year-old change. PR: misc/35022
This commit is contained in:
parent
10acff06b9
commit
2ca2159f22
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=91234
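--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -798,11 +798,15 @@ tcp_input(m, off0)
 }
 /*
 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-* in_broadcast() should never return true on a received
-* packet with M_BCAST not set.
-*
-* Packets with a multicast source address should also
-* be discarded.
+*
+* It is possible for a malicious (or misconfigured)
+* attacker to send unicast link-layer packets with a
+* broadcast IP address. Use in_broadcast() to find them.
+* (This check was erroneously removed in CSRG revision
+* 7.35.)
+*
+* Packets with a multicast source address should also
+* be discarded.
 */
 if (m->m_flags & (M_BCAST|M_MCAST))
 goto drop;
@@ -815,7 +819,8 @@ tcp_input(m, off0)
 #endif
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /*
 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ tcp_input(m, off0)
 #endif /* INET6 */
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /* IPv6 anycast check is done at tcp6_input() */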
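Review bot: The new comment in the first hunk says "Use in_broadcast() to find them", but the in_broadcast() call it describes is not adjacent to that comment — it is added in the second hunk (new line ~819) and again in the third (~2176), while the line directly under the comment is still the link-layer `if (m->m_flags & (M_BCAST|M_MCAST))` test, so a reader looking for the IP-level check where the comment sits will not find it. Either move that sentence down to the `in_broadcast()` line or point at it, e.g. `* broadcast IP address; the in_broadcast() test on ip_dst below drops them.` The same four-term `IN_MULTICAST(...) || IN_MULTICAST(...) || ip_src == INADDR_BROADCAST || in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)` condition is now spelled out verbatim in two drop paths (hunks 2 and 3); a small `static int` helper taking `ip` and `m` would keep the two from drifting apart when the next address class is added. The new call also assumes `m->m_pkthdr.rcvif` is populated for every mbuf reaching these points — presumably true for received packets, but worth confirming at the second site if in_broadcast() dereferences the interface. tcp_input() begins and ends outside these hunks.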
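--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -798,11 +798,15 @@ tcp_input(m, off0)
 }
 /*
 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-* in_broadcast() should never return true on a received
-* packet with M_BCAST not set.
-*
-* Packets with a multicast source address should also
-* be discarded.
+*
+* It is possible for a malicious (or misconfigured)
+* attacker to send unicast link-layer packets with a
+* broadcast IP address. Use in_broadcast() to find them.
+* (This check was erroneously removed in CSRG revision
+* 7.35.)
+*
+* Packets with a multicast source address should also
+* be discarded.
 */
 if (m->m_flags & (M_BCAST|M_MCAST))
 goto drop;
@@ -815,7 +819,8 @@ tcp_input(m, off0)
 #endif
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /*
 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ tcp_input(m, off0)
 #endif /* INET6 */
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /* IPv6 anycast check is done at tcp6_input() */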