authorjesper <jesper@FreeBSD.org>2001-02-22 21:23:45 +0000
committerjesper <jesper@FreeBSD.org>2001-02-22 21:23:45 +0000
commit65fa889a568f28016bc5b0bec0e238ae1ba5f299 (patch)
tree01d0c2e0ae3ce1757ab23b1a35913eb437998527 /sys/netinet/tcp_subr.c
parentc3777b879606a977b736ee62694097a83a1fa76a (diff)
Redo the security update done in rev 1.54 of src/sys/netinet/tcp_subr.c
and 1.84 of src/sys/netinet/udp_usrreq.c The changes broken down: - remove 0 as a wildcard for addresses and port numbers in src/sys/netinet/in_pcb.c:in_pcbnotify() - add src/sys/netinet/in_pcb.c:in_pcbnotifyall() used to notify all sessions with the specific remote address. - change - src/sys/netinet/udp_usrreq.c:udp_ctlinput() - src/sys/netinet/tcp_subr.c:tcp_ctlinput() to use in_pcbnotifyall() to notify multiple sessions, instead of using in_pcbnotify() with 0 as src address and as port numbers. - remove check for src port == 0 in - src/sys/netinet/tcp_subr.c:tcp_ctlinput() - src/sys/netinet/udp_usrreq.c:udp_ctlinput() as they are no longer needed. - move handling of redirects and host dead from in_pcbnotify() to udp_ctlinput() and tcp_ctlinput(), so they will call in_pcbnotifyall() to notify all sessions with the specific remote address. Approved by: jlemon Inspired by: NetBSD
Diffstat (limited to 'sys/netinet/tcp_subr.c')
-rw-r--r--sys/netinet/tcp_subr.c32
1 files changed, 15 insertions, 17 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index ed33547..03b5870 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1024,32 +1024,30 @@ tcp_ctlinput(cmd, sa, vip)
}
} else if (cmd == PRC_MSGSIZE)
notify = tcp_mtudisc;
- else if (!PRC_IS_REDIRECT(cmd) &&
- ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0))
+ else if (PRC_IS_REDIRECT(cmd)) {
+ /*
+ * Redirects go to all references to the destination,
+ * and use in_rtchange to invalidate the route cache.
+ */
+ ip = 0;
+ notify = in_rtchange;
+ } else if (cmd == PRC_HOSTDEAD)
+ /*
+ * Dead host indications: notify all references to the
+ * destination.
+ */
+ ip = 0;
+ else if ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0)
return;
if (ip) {
th = (struct tcphdr *)((caddr_t)ip
+ (IP_VHL_HL(ip->ip_vhl) << 2));
if (tcp_seq_check == 1)
tcp_sequence = ntohl(th->th_seq);
- /*
- * Only call in_pcbnotify if the src port number != 0, as we
- * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
- *
- * It's sufficient to check for src|local port, as we'll have no
- * sessions with src|local port == 0
- *
- * Without this a attacker sending ICMP messages, where the attached
- * IP header (+ 8 bytes) has the address and port numbers == 0, would
- * have the ICMP message applied to all sessions (modulo TCP sequence
- * number check).
- */
- if (th->th_sport == 0)
- return;
in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
cmd, notify, tcp_sequence, tcp_seq_check);
} else
- in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0, 0);
+ in_pcbnotifyall(&tcb, sa, cmd, notify);
}
#ifdef INET6
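Review bot: The new redirect and PRC_HOSTDEAD branches set `ip = 0`, so those commands skip the `tcp_seq_check` path and reach `in_pcbnotifyall(&tcb, sa, cmd, notify)` with no check of the TCP header quoted in the ICMP payload. That looks intentional, but the removed comment was the only place this trust decision was written down; I would add one above the final `else`, for example `/* no quoted-header or sequence check here: acts on every pcb whose remote address is sa */`. Separately, `(unsigned)cmd > PRC_NCMDS` still lets `cmd == PRC_NCMDS` index `inetctlerrmap`; if that table has PRC_NCMDS entries (its declaration is not in the hunk) the test should be `>=`. tcp_ctlinput starts above the hunk, so the initial value of `notify` on the PRC_HOSTDEAD path is not visible here.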