Only call in_pcbnotify if the src port number != 0, as we

treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify() It's sufficient to check for src|local port, as we'll have no sessions with src|local port == 0 Without this a attacker sending ICMP messages, where the attached IP header (+ 8 bytes) has the address and port numbers == 0, would have the ICMP message applied to all sessions. PR: kern/25195 Submitted by: originally by jesper, reimplimented by jlemon's advice Reviewed by: jlemon Approved by: jlemon
2001-02-20 23:25:04 +00:00 · 2001-02-20 23:25:04 +00:00 · 58e9b41722
commit 58e9b41722
parent 729d4f1db0
3 changed files with 41 additions and 0 deletions
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip)
 				       + (IP_VHL_HL(ip->ip_vhl) << 2));
 		if (tcp_seq_check == 1)
 			tcp_sequence = ntohl(th->th_seq);
+		/*
+		 * Only call in_pcbnotify if the src port number != 0, as we 
+		 * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+		 *
+		 * It's sufficient to check for src|local port, as we'll have no
+		 * sessions with src|local port == 0
+		 *
+		 * Without this a attacker sending ICMP messages, where the attached 
+		 * IP header (+ 8 bytes) has the address and port numbers == 0, would
+		 * have the ICMP message applied to all sessions (modulo TCP sequence
+		 * number check).
+		 */
+		if (th->th_sport == 0)
+			return;
 		in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
 			cmd, notify, tcp_sequence, tcp_seq_check);
 	} else
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip)
 				       + (IP_VHL_HL(ip->ip_vhl) << 2));
 		if (tcp_seq_check == 1)
 			tcp_sequence = ntohl(th->th_seq);
+		/*
+		 * Only call in_pcbnotify if the src port number != 0, as we 
+		 * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+		 *
+		 * It's sufficient to check for src|local port, as we'll have no
+		 * sessions with src|local port == 0
+		 *
+		 * Without this a attacker sending ICMP messages, where the attached 
+		 * IP header (+ 8 bytes) has the address and port numbers == 0, would
+		 * have the ICMP message applied to all sessions (modulo TCP sequence
+		 * number check).
+		 */
+		if (th->th_sport == 0)
+			return;
 		in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
 			cmd, notify, tcp_sequence, tcp_seq_check);
 	} else
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@ -511,6 +511,19 @@ udp_ctlinput(cmd, sa, vip)
 		return;
 	if (ip) {
 		uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+		/*
+		 * Only call in_pcbnotify if the src port number != 0, as we 
+		 * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+		 *
+		 * It's sufficient to check for src|local port, as we'll have no 
+		 * sessions with src|local port == 0
+		 *
+		 * Without this a attacker sending ICMP messages, where the attached    
+		 * IP header (+ 8 bytes) has the address and port numbers == 0, would
+		 * have the ICMP message applied to all sessions.
+		 */
+		if (uh->uh_sport == 0)
+			return;
 		in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport,
 			cmd, udp_notify, 0, 0);
 	} else