The TCP code did not do sufficient checks on whether incoming packets
were destined for a broadcast IP address. All TCP packets with a broadcast destination must be ignored. The system only ignored packets that were _link-layer_ broadcasts or multicast. We need to check the IP address too since it is quite possible for a broadcast IP address to come in with a unicast link-layer address. Note that the check existed prior to CSRG revision 7.35, but was removed. This commit effectively backs out that nine-year-old change. PR: misc/35022
This commit is contained in:
parent
10acff06b9
commit
2ca2159f22
2 changed files with 26 additions and 14 deletions
|
|
@ -798,11 +798,15 @@ findpcb:
|
|||
}
|
||||
/*
|
||||
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
|
||||
* in_broadcast() should never return true on a received
|
||||
* packet with M_BCAST not set.
|
||||
*
|
||||
* Packets with a multicast source address should also
|
||||
* be discarded.
|
||||
*
|
||||
* It is possible for a malicious (or misconfigured)
|
||||
* attacker to send unicast link-layer packets with a
|
||||
* broadcast IP address. Use in_broadcast() to find them.
|
||||
* (This check was erroneously removed in CSRG revision
|
||||
* 7.35.)
|
||||
*
|
||||
* Packets with a multicast source address should also
|
||||
* be discarded.
|
||||
*/
|
||||
if (m->m_flags & (M_BCAST|M_MCAST))
|
||||
goto drop;
|
||||
|
|
@ -815,7 +819,8 @@ findpcb:
|
|||
#endif
|
||||
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
|
||||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
|
||||
in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
|
||||
goto drop;
|
||||
/*
|
||||
* SYN appears to be valid; create compressed TCP state
|
||||
|
|
@ -2171,7 +2176,8 @@ dropwithreset:
|
|||
#endif /* INET6 */
|
||||
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
|
||||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
|
||||
in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
|
||||
goto drop;
|
||||
/* IPv6 anycast check is done at tcp6_input() */
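Review bot: The rewritten comment in the first hunk, `* broadcast IP address. Use in_broadcast() to find them.`, sits directly above `if (m->m_flags & (M_BCAST|M_MCAST))`, which still tests only the link-layer flags; the in_broadcast() call it describes is added roughly twenty lines later in the SYN path and again under dropwithreset. A reader checking the code against the comment will conclude the IP-level test is missing from the very place the comment announces it. Either reword the line to `* broadcast IP address; the in_broadcast() tests on ip_dst below catch them.` or hoist the destination check next to this one so every drop decision shares it. The enclosing function continues outside the hunk, so whether an IPv6 branch sits between this comment and the in_broadcast() sites cannot be confirmed from here.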
|
||||
|
||||
|
|
|
|||
|
|
@ -798,11 +798,15 @@ findpcb:
|
|||
}
|
||||
/*
|
||||
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
|
||||
* in_broadcast() should never return true on a received
|
||||
* packet with M_BCAST not set.
|
||||
*
|
||||
* Packets with a multicast source address should also
|
||||
* be discarded.
|
||||
*
|
||||
* It is possible for a malicious (or misconfigured)
|
||||
* attacker to send unicast link-layer packets with a
|
||||
* broadcast IP address. Use in_broadcast() to find them.
|
||||
* (This check was erroneously removed in CSRG revision
|
||||
* 7.35.)
|
||||
*
|
||||
* Packets with a multicast source address should also
|
||||
* be discarded.
|
||||
*/
|
||||
if (m->m_flags & (M_BCAST|M_MCAST))
|
||||
goto drop;
|
||||
|
|
@ -815,7 +819,8 @@ findpcb:
|
|||
#endif
|
||||
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
|
||||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
|
||||
in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
|
||||
goto drop;
|
||||
/*
|
||||
* SYN appears to be valid; create compressed TCP state
|
||||
|
|
@ -2171,7 +2176,8 @@ dropwithreset:
|
|||
#endif /* INET6 */
|
||||
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
|
||||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
|
||||
ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
|
||||
in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
|
||||
goto drop;
|
||||
/* IPv6 anycast check is done at tcp6_input() */
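Review bot: The new four-term predicate (`IN_MULTICAST` on dst, `IN_MULTICAST` on src, `src == INADDR_BROADCAST`, `in_broadcast(dst, rcvif)`) is pasted verbatim into both the SYN path and the dropwithreset path, and this page shows the same hunks twice, which looks like a second file carrying an identical copy. The commit message itself records that one of these terms was silently lost in an earlier revision; duplicated predicates are exactly how that recurs, so a single helper would let each site shrink to `if (tcp_badaddr(ip, m->m_pkthdr.rcvif)) goto drop;`. The new term also hands `m->m_pkthdr.rcvif` to in_broadcast(); if that routine dereferences the interface without a NULL check, a segment arriving with no rcvif would need a guard, which the visible lines cannot settle.
```c
/*
 * True if a segment with this IPv4 header must be dropped silently
 * rather than answered: multicast or broadcast source/destination.
 */
static __inline int
tcp_badaddr(struct ip *ip, struct ifnet *ifp)
{
	return (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
	    in_broadcast(ip->ip_dst, ifp));
}
/* … unchanged: SYN path and dropwithreset path, each call site becomes … */
	if (tcp_badaddr(ip, m->m_pkthdr.rcvif))
		goto drop;
```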
|
||||
|
||||
|
|
|
|||