authorjesper <jesper@FreeBSD.org>2001-02-20 23:25:04 +0000
committerjesper <jesper@FreeBSD.org>2001-02-20 23:25:04 +0000
commit7a1cf4a1265160ee52f1ea14a39fdcc7fc60fae5 (patch)
tree25b7cd0e6487d1cdfcf02eaaec144ecae3e4fbb3 /sys/netinet/udp_usrreq.c
parent557b41f4e9ce086047aaffd2325d860ef65cd318 (diff)
Only call in_pcbnotify if the src port number != 0, as we
treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify(). It's sufficient to check for src|local port, as we'll have no sessions with src|local port == 0. Without this, an attacker sending ICMP messages, where the attached IP header (+ 8 bytes) has the address and port numbers == 0, would have the ICMP message applied to all sessions. PR: kern/25195 Submitted by: originally by jesper, reimplimented by jlemon's advice Reviewed by: jlemon Approved by: jlemon
Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r--sys/netinet/udp_usrreq.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 5588956..7edcfcd 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -511,6 +511,19 @@ udp_ctlinput(cmd, sa, vip)
return;
if (ip) {
uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions.
+ */
+ if (uh->uh_sport == 0)
+ return;
in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport,
cmd, udp_notify, 0, 0);
} else
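Review bot: The new guard tests only `uh->uh_sport`, while the comment above it describes a quoted header whose address and both port numbers are zero; `uh->uh_dport` and `ip->ip_src` are still handed to in_pcbnotify() unchecked. The comment should say why those remaining wildcards cannot widen the match, for example `* dport and ip_src may still be 0; the non-zero local port confines the match to sockets bound to it.`, with the wording confirmed against in_pcbnotify(), which is not visible here. In the same comment, `src/sys/in_pbc.c` looks like a typo for in_pcb.c and "a attacker" should read "an attacker". The read of `uh->uh_sport` also relies on the quoted IP header plus 8 bytes of UDP header being present; that is presumably validated on the ICMP input path before udp_ctlinput() runs and is worth a one-line note here. udp_ctlinput() starts before this hunk and continues after the `} else`.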