diff options
author | jesper <jesper@FreeBSD.org> | 2001-02-20 23:25:04 +0000 |
---|---|---|
committer | jesper <jesper@FreeBSD.org> | 2001-02-20 23:25:04 +0000 |
commit | 7a1cf4a1265160ee52f1ea14a39fdcc7fc60fae5 (patch) | |
tree | 25b7cd0e6487d1cdfcf02eaaec144ecae3e4fbb3 /sys/netinet/tcp_timewait.c | |
parent | 557b41f4e9ce086047aaffd2325d860ef65cd318 (diff) | |
download | FreeBSD-src-7a1cf4a1265160ee52f1ea14a39fdcc7fc60fae5.zip FreeBSD-src-7a1cf4a1265160ee52f1ea14a39fdcc7fc60fae5.tar.gz |
Only call in_pcbnotify if the src port number != 0, as we
treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
It's sufficient to check for src|local port, as we'll have no
sessions with src|local port == 0
Without this a attacker sending ICMP messages, where the attached
IP header (+ 8 bytes) has the address and port numbers == 0, would
have the ICMP message applied to all sessions.
PR: kern/25195
Submitted by: originally by jesper, reimplimented by jlemon's advice
Reviewed by: jlemon
Approved by: jlemon
Diffstat (limited to 'sys/netinet/tcp_timewait.c')
-rw-r--r-- | sys/netinet/tcp_timewait.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c index 7ec8429..ed33547 100644 --- a/sys/netinet/tcp_timewait.c +++ b/sys/netinet/tcp_timewait.c @@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip) + (IP_VHL_HL(ip->ip_vhl) << 2)); if (tcp_seq_check == 1) tcp_sequence = ntohl(th->th_seq); + /* + * Only call in_pcbnotify if the src port number != 0, as we + * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify() + * + * It's sufficient to check for src|local port, as we'll have no + * sessions with src|local port == 0 + * + * Without this a attacker sending ICMP messages, where the attached + * IP header (+ 8 bytes) has the address and port numbers == 0, would + * have the ICMP message applied to all sessions (modulo TCP sequence + * number check). + */ + if (th->th_sport == 0) + return; in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport, cmd, notify, tcp_sequence, tcp_seq_check); } else |