author | julian <julian@FreeBSD.org> | 1997-11-13 22:57:57 +0000 |
---|---|---|
committer | julian <julian@FreeBSD.org> | 1997-11-13 22:57:57 +0000 |
commit | 83b332152002f5dc498ef596c2e78bc8792cc211 (patch) | |
tree | ff909b5a40d7c063688a3a7045c37060afef040f /sys/netinet | |
parent | ac24f713f0369cb6c1a32025a602f88e91b9181d (diff) | |
Submitted by: Archie Cobbs (IPDIVERT author)
close small security hole where an attacker could send packets with
IPDIVERT protocol, and select how it would be diverted thus bypassing
the ipfirewall. Discovered by inspection rather than attack.
(you'd have to know how the firewall was configured (EXACTLY) to
make use of this but..)
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index c395d9e..f8cd538 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_input.c,v 1.70 1997/11/05 02:51:32 julian Exp $ + * $Id: ip_input.c,v 1.71 1997/11/05 20:17:21 joerg Exp $ * $ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $ */ @@ -577,6 +577,12 @@ found: (*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, hlen); return; } + + /* Don't let packets divert themselves */ + if (ip->ip_p == IPPROTO_DIVERT) { + ipstat.ips_noproto++; + goto bad; + } #endif /* |
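Review bot: In the second hunk (after `found:`), the new `ip->ip_p == IPPROTO_DIVERT` test drops the packet under `ipstat.ips_noproto`, so an attempted firewall bypass is counted the same as any packet with an unsupported protocol. A dedicated counter or a rate-limited log message would make these attempts visible to an operator. The comment "Don't let packets divert themselves" would also be clearer if it said that a packet received with this protocol number must never be handed to the divert input routine, because that is what would let the sender choose how it is diverted, as the commit message describes. The test sits after the block that calls `(*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, hlen)` and inside the same conditional closed by `#endif`, so it is worth confirming that a packet carrying this protocol number cannot enter that earlier dispatch before the new check runs.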