From e26d348adb5119d44a424bba5bf54a8fa532c47c Mon Sep 17 00:00:00 2001 From: ume Date: Tue, 17 Sep 2002 10:45:51 +0000 Subject: - reject SIOCSIFADDR if embedded address is in private address range - reject packets from private address range. from hitachi Obtained from: KAME --- sys/net/if_stf.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to 'sys/net') diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c index 0514770..8323e07 100644 --- a/sys/net/if_stf.c +++ b/sys/net/if_stf.c @@ -150,6 +150,7 @@ static int stf_encapcheck(const struct mbuf *, int, int, void *); static struct in6_ifaddr *stf_getsrcifa6(struct ifnet *); static int stf_output(struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *); +static int isrfc1918addr(struct in_addr *); static int stf_checkaddr4(struct stf_softc *, struct in_addr *, struct ifnet *); static int stf_checkaddr6(struct stf_softc *, struct in6_addr *, @@ -465,6 +466,22 @@ stf_output(ifp, m, dst, rt) } static int +isrfc1918addr(in) + struct in_addr *in; +{ + /* + * returns 1 if private address range: + * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 + */ + if ((ntohl(in->s_addr) & 0xff000000) >> 24 == 10 || + (ntohl(in->s_addr) & 0xfff00000) >> 16 == 172 * 256 + 16 || + (ntohl(in->s_addr) & 0xffff0000) >> 16 == 192 * 256 + 168) + return 1; + + return 0; +} + +static int stf_checkaddr4(sc, in, inifp) struct stf_softc *sc; struct in_addr *in; @@ -484,6 +501,13 @@ stf_checkaddr4(sc, in, inifp) } /* + * reject packets with private address range. + * (requirement from RFC3056 section 2 1st paragraph) + */ + if (isrfc1918addr(in)) + return -1; + + /* * reject packets with broadcast */ for (ia4 = TAILQ_FIRST(&in_ifaddrhead); @@ -691,7 +715,8 @@ stf_ioctl(ifp, cmd, data) break; } sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; - if (IN6_IS_ADDR_6TO4(&sin6->sin6_addr)) { + if (IN6_IS_ADDR_6TO4(&sin6->sin6_addr) && + !isrfc1918addr(GET_V4(&sin6->sin6_addr))) { ifa->ifa_rtrequest = stf_rtrequest; ifp->if_flags |= IFF_UP; } else -- cgit v1.1