author | jesper <jesper@FreeBSD.org> | 2001-02-20 23:25:04 +0000 |
---|---|---|
committer | jesper <jesper@FreeBSD.org> | 2001-02-20 23:25:04 +0000 |
commit | 7a1cf4a1265160ee52f1ea14a39fdcc7fc60fae5 (patch) | |
tree | 25b7cd0e6487d1cdfcf02eaaec144ecae3e4fbb3 /sys/netinet/udp_usrreq.c | |
parent | 557b41f4e9ce086047aaffd2325d860ef65cd318 (diff) | |
Only call in_pcbnotify if the src port number != 0, as we
treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
It's sufficient to check for src|local port, as we'll have no
sessions with src|local port == 0
Without this an attacker sending ICMP messages, where the attached
IP header (+ 8 bytes) has the address and port numbers == 0, would
have the ICMP message applied to all sessions.
PR: kern/25195
Submitted by: originally by jesper, reimplemented by jlemon's advice
Reviewed by: jlemon
Approved by: jlemon
Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r-- | sys/netinet/udp_usrreq.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 5588956..7edcfcd 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -511,6 +511,19 @@ udp_ctlinput(cmd, sa, vip) return; if (ip) { uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); + /* + * Only call in_pcbnotify if the src port number != 0, as we + * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify() + * + * It's sufficient to check for src|local port, as we'll have no + * sessions with src|local port == 0 + * + * Without this a attacker sending ICMP messages, where the attached + * IP header (+ 8 bytes) has the address and port numbers == 0, would + * have the ICMP message applied to all sessions. + */ + if (uh->uh_sport == 0) + return; in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport, cmd, udp_notify, 0, 0); } else |
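Review bot: The new guard "if (uh->uh_sport == 0) return;" ahead of the in_pcbnotify() call tests only the source port, while the comment above it describes quoted headers in which the address and both port numbers are 0; uh->uh_dport and ip->ip_src are still passed to in_pcbnotify() unchecked. The comment argues that checking the src|local port is sufficient because no session has that port set to 0, so it would help to say in the comment which in_pcbnotify() argument that port ends up as and why a zero uh_dport or zero address cannot widen the match on its own, so the claim can be verified without reading the callee. Since the early return drops the ICMP message silently, consider whether this case should be counted so that a stream of such messages is visible to an operator. Minor: the file reference "src/sys/in_pbc.c" in the comment looks like a transposition given the function name in_pcbnotify(), and "a attacker" should read "an attacker".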