Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netinet6 Perform the IP (src/dst) checks _before_ callin...
details: https://anonhg.NetBSD.org/src/rev/5ebc02aff9bc
branches: trunk
changeset: 360323:5ebc02aff9bc
user: maxv <maxv%NetBSD.org@localhost>
date: Tue Mar 06 17:39:36 2018 +0000
description:
Perform the IP (src/dst) checks _before_ calling the packet filter, because
if the filter has a "return-icmp" rule it may call icmp6_error with an src
field that was not entirely validated.
diffstat:
sys/netinet6/ip6_input.c | 100 +++++++++++++++++++++++-----------------------
1 files changed, 50 insertions(+), 50 deletions(-)
diffs (128 lines):
diff -r 4eaffe3b5442 -r 5ebc02aff9bc sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Tue Mar 06 17:24:57 2018 +0000
+++ b/sys/netinet6/ip6_input.c Tue Mar 06 17:39:36 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $ */
+/* $NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_gateway.h"
@@ -321,6 +321,54 @@
}
/*
+ * Check against address spoofing/corruption.
+ */
+ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
+ IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
+ /*
+ * XXX: "badscope" is not very suitable for a multicast source.
+ */
+ IP6_STATINC(IP6_STAT_BADSCOPE);
+ in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+
+ /*
+ * The following check is not documented in specs. A malicious
+ * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
+ * and bypass security checks (act as if it was from 127.0.0.1 by using
+ * IPv6 src ::ffff:127.0.0.1). Be cautious.
+ *
+ * This check chokes if we are in an SIIT cloud. As none of BSDs
+ * support IPv4-less kernel compilation, we cannot support SIIT
+ * environment at all. So, it makes more sense for us to reject any
+ * malicious packets for non-SIIT environment, than try to do a
+ * partial support for SIIT environment.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ IP6_STATINC(IP6_STAT_BADSCOPE);
+ in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+
+#if 0
+ /*
+ * Reject packets with IPv4 compatible addresses (auto tunnel).
+ *
+ * The code forbids auto tunnel relay case in RFC1933 (the check is
+ * stronger than RFC1933). We may want to re-enable it if mech-xx
+ * is revised to forbid relaying case.
+ */
+ if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
+ IP6_STATINC(IP6_STAT_BADSCOPE);
+ in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+#endif
+
+ /*
* Assume that we can create a fast-forward IP flow entry
* based on this packet.
*/
@@ -369,54 +417,6 @@
#endif
/*
- * Check against address spoofing/corruption.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
- IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
- /*
- * XXX: "badscope" is not very suitable for a multicast source.
- */
- IP6_STATINC(IP6_STAT_BADSCOPE);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-
- /*
- * The following check is not documented in specs. A malicious
- * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
- * and bypass security checks (act as if it was from 127.0.0.1 by using
- * IPv6 src ::ffff:127.0.0.1). Be cautious.
- *
- * This check chokes if we are in an SIIT cloud. As none of BSDs
- * support IPv4-less kernel compilation, we cannot support SIIT
- * environment at all. So, it makes more sense for us to reject any
- * malicious packets for non-SIIT environment, than try to do a
- * partial support for SIIT environment.
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
- IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
- IP6_STATINC(IP6_STAT_BADSCOPE);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-
-#if 0
- /*
- * Reject packets with IPv4 compatible addresses (auto tunnel).
- *
- * The code forbids auto tunnel relay case in RFC1933 (the check is
- * stronger than RFC1933). We may want to re-enable it if mech-xx
- * is revised to forbid relaying case.
- */
- if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
- IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
- IP6_STATINC(IP6_STAT_BADSCOPE);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-#endif
-
- /*
* Disambiguate address scope zones (if there is ambiguity).
* We first make sure that the original source or destination address
* is not in our internal form for scoped addresses. Such addresses
Home |
Main Index |
Thread Index |
Old Index