Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r--sys/netinet/udp_usrreq.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 5588956..7edcfcd 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -511,6 +511,19 @@ udp_ctlinput(cmd, sa, vip)
return;
if (ip) {
uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions.
+ */
+ if (uh->uh_sport == 0)
+ return;
in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport,
cmd, udp_notify, 0, 0);
} else
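Review bot: The new guard before `in_pcbnotify()` rejects only `uh->uh_sport == 0`, although the quoted IP/UDP header is supplied by whoever sent the ICMP message and the added comment itself describes zero address and port values as wildcards. If `in_pcbnotify()` (not visible here) also treats a zero foreign port or a zero local address as a wildcard, a quoted header with a non-zero source port but `uh_dport == 0` or a zero `ip_src` would still be applied to more sessions than the one it names; consider `if (uh->uh_sport == 0 || uh->uh_dport == 0 || ip->ip_src.s_addr == INADDR_ANY)` in front of the same `return;`. The comment's file reference `in_pbc.c` presumably means `in_pcb.c`, and "a attacker" should read "an attacker". `udp_ctlinput` starts and ends outside this hunk, so whether `ip->ip_hl` and the quoted length are validated before `uh` is dereferenced cannot be confirmed from here.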