From 2ca2159f22cccc13d6085d34bd5ed57a8b2346b1 Mon Sep 17 00:00:00 2001
From: "Crist J. Clark"
Date: Mon, 25 Feb 2002 08:29:21 +0000
Subject: [PATCH] The TCP code did not do sufficient checks on whether incoming packets were destined for a broadcast IP address. All TCP packets with a broadcast destination must be ignored. The system only ignored packets that were _link-layer_ broadcasts or multicast. We need to check the IP address too since it is quite possible for a broadcast IP address to come in with a unicast link-layer address. Note that the check existed prior to CSRG revision 7.35, but was removed. This commit effectively backs out that nine-year-old change.
PR: misc/35022
---
 sys/netinet/tcp_input.c | 20 +++++++++++++-------
 sys/netinet/tcp_reass.c | 20 +++++++++++++-------
 2 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index dc063289bca..266d5874668 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -798,11 +798,15 @@ findpcb:
 }
 /*
 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * in_broadcast() should never return true on a received
- * packet with M_BCAST not set.
- *
- * Packets with a multicast source address should also
- * be discarded.
+ *
+ * It is possible for a malicious (or misconfigured)
+ * attacker to send unicast link-layer packets with a
+ * broadcast IP address. Use in_broadcast() to find them.
+ * (This check was erroneously removed in CSRG revision
+ * 7.35.)
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
 */
 if (m->m_flags & (M_BCAST|M_MCAST))
 goto drop;
@@ -815,7 +819,8 @@ findpcb:
 #endif
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /*
 * SYN appears to be valid; create compressed TCP state
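Review bot: The rewritten comment in the @@ -798 hunk says "a malicious (or misconfigured) attacker", which reads oddly because a misconfigured host is not an attacker; `a malicious (or misconfigured) host` says the same thing. The comment also names in_broadcast() while the statement directly beneath it is the `M_BCAST|M_MCAST` flag test, and the in_broadcast() call only appears in the later address condition (the @@ -815 hunk). A short pointer such as `(see the address checks below)` would help a reader connect the two. The enclosing block starts and ends outside the hunk.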
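Review bot: The added `in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)` in the @@ -815 hunk tests the destination against the receiving interface only. Assuming in_broadcast() matches the broadcast addresses configured on the interface it is given (its body is not in this diff), a segment addressed to the broadcast address of a subnet on a different local interface would still be accepted on a multihomed host. That limit deserves a comment next to the call, e.g. `/* only catches broadcast addresses of the receiving interface */`, or a follow-up that checks every configured interface. The call also relies on `m->m_pkthdr.rcvif` being non-NULL here; if that is an invariant of this path, `KASSERT(m->m_pkthdr.rcvif != NULL, ("tcp_input: no rcvif"));` would document it. The same applies to the @@ -2171 hunk and to both copies in tcp_reass.c; the surrounding function continues outside the hunk.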
@@ -2171,7 +2176,8 @@ dropwithreset:
 #endif /* INET6 */
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /* IPv6 anycast check is done at tcp6_input() */
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index dc063289bca..266d5874668 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -798,11 +798,15 @@ findpcb:
 }
 /*
 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * in_broadcast() should never return true on a received
- * packet with M_BCAST not set.
- *
- * Packets with a multicast source address should also
- * be discarded.
+ *
+ * It is possible for a malicious (or misconfigured)
+ * attacker to send unicast link-layer packets with a
+ * broadcast IP address. Use in_broadcast() to find them.
+ * (This check was erroneously removed in CSRG revision
+ * 7.35.)
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
 */
 if (m->m_flags & (M_BCAST|M_MCAST))
 goto drop;
@@ -815,7 +819,8 @@ findpcb:
 #endif
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /*
 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ dropwithreset:
 #endif /* INET6 */
 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 goto drop;
 /* IPv6 anycast check is done at tcp6_input() */
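Review bot: The four-clause IPv4 address test at dropwithreset (the @@ -2171 hunk) is a hand-copied duplicate of the one in the SYN path (the @@ -815 hunk). The commit message says the destination check was already lost once, and two copies invite the same drift between the SYN-drop rule and the RST-suppression rule. A small helper called from both places, e.g. `static __inline int tcp_v4_addr_is_bmcast(struct ip *ip, struct ifnet *ifp)` (the name is only a suggestion), would keep them identical. The tcp_reass.c section repeats both conditions under the same blob ids as tcp_input.c, so the same applies there. The dropwithreset block continues outside the hunk.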