upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Switch gif(4) path verification to fib[46]_check_urfp().

Browse source 
fibX_lookup_nh_ represents pre-epoch generation of fib api,
providing less guarantees over pointer validness and requiring
on-stack data copying.
Use specialized fib[46]_check_urpf() from newer KPI instead,
to allow removal of older KPI.

Reviewed by:	ae
Differential Revision:	https://reviews.freebsd.org/D24978
This commit is contained in:
Alexander V. Chernikov 2020-05-28 07:26:18 +00:00
parent cb86ca48bf
commit 7bfc98af12
2 changed files with 5 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
sys/netinet/in_gif.c
View file

@ -379,13 +379,8 @@ done:
return (0);
/* ingress filters on outer source */
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0) {
struct nhop4_basic nh4;
struct in_addr dst;
dst = ip->ip_src;
if (fib4_lookup_nh_basic(sc->gif_fibnum, dst, 0, 0, &nh4) != 0)
return (0);
if (nh4.nh_ifp != m->m_pkthdr.rcvif)
if (fib4_check_urpf(sc->gif_fibnum, ip->ip_src, 0, NHR_NONE,
m->m_pkthdr.rcvif) == 0)
return (0);
}
*arg = sc;

10
sys/netinet6/in6_gif.c
View file

@ -402,13 +402,9 @@ done:
return (0);
/* ingress filters on outer source */
if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0) {
struct nhop6_basic nh6;
if (fib6_lookup_nh_basic(sc->gif_fibnum, &ip6->ip6_src,
ntohs(in6_getscope(&ip6->ip6_src)), 0, 0, &nh6) != 0)
return (0);
if (nh6.nh_ifp != m->m_pkthdr.rcvif)
if (fib6_check_urpf(sc->gif_fibnum, &ip6->ip6_src,
ntohs(in6_getscope(&ip6->ip6_src)), NHR_NONE,
m->m_pkthdr.rcvif) == 0)
return (0);
}
*arg = sc;