-rw-r--r--sys/netinet/tcp_subr.c14
-rw-r--r--sys/netinet/tcp_timewait.c14
-rw-r--r--sys/netinet/udp_usrreq.c13
3 files changed, 41 insertions, 0 deletions
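--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip)
 + (IP_VHL_HL(ip->ip_vhl) << 2));
 if (tcp_seq_check == 1)
 tcp_sequence = ntohl(th->th_seq);
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions (modulo TCP sequence
+ * number check).
+ */
+ if (th->th_sport == 0)
+ return;
 in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
 cmd, notify, tcp_sequence, tcp_seq_check);
 } else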
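Review bot: The port-0 guard is placed in each caller while the wildcard semantics the new comment describes live in in_pcbnotify(), so any other caller of in_pcbnotify() that passes ports lifted from an ICMP payload remains exposed; the identical guard is repeated in the tcp_timewait.c and udp_usrreq.c hunks. Consider having in_pcbnotify() itself reject lport == 0 (unless some caller relies on that wildcard deliberately, which is not visible here), or at least state at its declaration that ports taken from untrusted input must never be passed as 0. Two wording fixes for the new comment, in all three hunks: `in_pbc.c` appears to be a transposition of `in_pcb.c` and the path should follow the tree layout the diff headers show (`sys/netinet/in_pcb.c`), and `a attacker` should read `an attacker`. tcp_ctlinput's body starts and ends outside the hunk.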
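--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip)
 + (IP_VHL_HL(ip->ip_vhl) << 2));
 if (tcp_seq_check == 1)
 tcp_sequence = ntohl(th->th_seq);
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions (modulo TCP sequence
+ * number check).
+ */
+ if (th->th_sport == 0)
+ return;
 in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
 cmd, notify, tcp_sequence, tcp_seq_check);
 } else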
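--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -511,6 +511,19 @@ udp_ctlinput(cmd, sa, vip)
 return;
 if (ip) {
 uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions.
+ */
+ if (uh->uh_sport == 0)
+ return;
 in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport,
 cmd, udp_notify, 0, 0);
 } else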