-rw-r--r--sys/netinet/tcp_input.c20
-rw-r--r--sys/netinet/tcp_reass.c20
2 files changed, 26 insertions, 14 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index dc06328..266d587 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -798,11 +798,15 @@ findpcb:
}
/*
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * in_broadcast() should never return true on a received
- * packet with M_BCAST not set.
- *
- * Packets with a multicast source address should also
- * be discarded.
+ *
+ * It is possible for a malicious (or misconfigured)
+ * attacker to send unicast link-layer packets with a
+ * broadcast IP address. Use in_broadcast() to find them.
+ * (This check was erroneously removed in CSRG revision
+ * 7.35.)
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
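Review bot: The rewritten comment says to use in_broadcast(), but the statement directly beneath it is still only the `m->m_flags & (M_BCAST|M_MCAST)` test; the in_broadcast() call is in the separate address check changed by the next hunk. Someone reading this spot alone could conclude that the link-layer flags cover the unicast-framed broadcast case, which is exactly what the comment says they do not. I would reword the sentence to `The address check below uses in_broadcast() to catch them, since the link-layer flags tested here do not.` and change "malicious (or misconfigured) attacker" to "malicious or misconfigured host". The code under findpcb: starts and ends outside the hunk.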
@@ -815,7 +819,8 @@ findpcb:
#endif
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
goto drop;
/*
* SYN appears to be valid; create compressed TCP state
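Review bot: The added `in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)` operand relies on two assumptions the hunk does not state: that rcvif is non-NULL for every mbuf reaching this condition, and that matching only the receiving interface's broadcast addresses is the intended scope. If in_broadcast() dereferences its interface argument, as it appears to in BSD-derived stacks, an mbuf with no receive interface would fault here instead of being dropped. A destination that is the broadcast address of another interface on a multi-homed host would presumably not match either. A comment above the condition would record both, for example `/* rcvif is set for all received packets; in_broadcast() only matches broadcast addresses configured on that interface */`. The same operand is added in the dropwithreset: hunk and in both tcp_reass.c hunks, so the comment belongs there too; the enclosing block continues outside the hunk.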
@@ -2171,7 +2176,8 @@ dropwithreset:
#endif /* INET6 */
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
goto drop;
/* IPv6 anycast check is done at tcp6_input() */
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index dc06328..266d587 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -798,11 +798,15 @@ findpcb:
}
/*
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * in_broadcast() should never return true on a received
- * packet with M_BCAST not set.
- *
- * Packets with a multicast source address should also
- * be discarded.
+ *
+ * It is possible for a malicious (or misconfigured)
+ * attacker to send unicast link-layer packets with a
+ * broadcast IP address. Use in_broadcast() to find them.
+ * (This check was erroneously removed in CSRG revision
+ * 7.35.)
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
@@ -815,7 +819,8 @@ findpcb:
#endif
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
goto drop;
/*
* SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ dropwithreset:
#endif /* INET6 */
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
- ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+ ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+ in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
goto drop;
/* IPv6 anycast check is done at tcp6_input() */