Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/usr.sbin/inetd be more paranoid about UDP-based echo service...
details: https://anonhg.NetBSD.org/src/rev/272a98432f85
branches: trunk
changeset: 495612:272a98432f85
user: itojun <itojun%NetBSD.org@localhost>
date: Tue Aug 01 18:42:08 2000 +0000
description:
be more paranoid about UDP-based echo services validation. namely,
reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
hint from deraadt.
diffstat:
usr.sbin/inetd/inetd.c | 55 +++++++++++++++++++++++++++++++++----------------
1 files changed, 37 insertions(+), 18 deletions(-)
diffs (101 lines):
diff -r 4bac1554800c -r 272a98432f85 usr.sbin/inetd/inetd.c
--- a/usr.sbin/inetd/inetd.c Tue Aug 01 17:39:46 2000 +0000
+++ b/usr.sbin/inetd/inetd.c Tue Aug 01 18:42:08 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: inetd.c,v 1.70 2000/07/23 22:54:51 mycroft Exp $ */
+/* $NetBSD: inetd.c,v 1.71 2000/08/01 18:42:08 itojun Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -77,7 +77,7 @@
#if 0
static char sccsid[] = "@(#)inetd.c 8.4 (Berkeley) 4/13/94";
#else
-__RCSID("$NetBSD: inetd.c,v 1.70 2000/07/23 22:54:51 mycroft Exp $");
+__RCSID("$NetBSD: inetd.c,v 1.71 2000/08/01 18:42:08 itojun Exp $");
#endif
#endif /* not lint */
@@ -2448,7 +2448,7 @@
#endif
/*
- * check if the port where send data to is one of the obvious ports
+ * check if the address/port where send data to is one of the obvious ports
* that are used for denial of service attacks like two echo ports
* just echoing data between them
*/
@@ -2456,6 +2456,10 @@
port_good_dg(sa)
struct sockaddr *sa;
{
+ struct in_addr in;
+#ifdef INET6
+ struct in6_addr *in6;
+#endif
u_int16_t port;
int i, bad;
char hbuf[NI_MAXHOST];
@@ -2464,11 +2468,28 @@
switch (sa->sa_family) {
case AF_INET:
+ in.s_addr = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
port = ntohs(((struct sockaddr_in *)sa)->sin_port);
+ v4chk:
+ if (IN_MULTICAST(in.s_addr))
+ goto bad;
+ switch ((in.s_addr & 0xff000000) >> 24) {
+ case 0: case 127: case 255:
+ goto bad;
+ }
+ /* XXX check for subnet broadcast using getifaddrs(3) */
break;
#ifdef INET6
case AF_INET6:
+ in6 = &((struct sockaddr_in6 *)sa)->sin6_addr;
port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
+ if (IN6_IS_ADDR_MULTICAST(in6) || IN6_IS_ADDR_UNSPECIFIED(in6))
+ goto bad;
+ if (IN6_IS_ADDR_V4MAPPED(in6) || IN6_IS_ADDR_V4COMPAT(in6)) {
+ memcpy(&in, &in6->s6_addr[12], sizeof(in));
+ in.s_addr = ntohl(in.s_addr);
+ goto v4chk;
+ }
break;
#endif
default:
@@ -2476,20 +2497,18 @@
return 1;
}
- for (i = 0; bad_ports[i] != 0; i++)
- if (port == bad_ports[i]) {
- bad = 1;
- break;
- }
+ for (i = 0; bad_ports[i] != 0; i++) {
+ if (port == bad_ports[i])
+ goto bad;
+ }
+
+ return (1);
- if (bad) {
- if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf),
- NULL, 0, niflags) != 0)
- strcpy(hbuf, "?");
- syslog(LOG_WARNING,"Possible DoS attack from %s, Port %d",
- hbuf, port);
- return (0);
- } else
- return (1);
+bad:
+ if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf),
+ NULL, 0, niflags) != 0)
+ strcpy(hbuf, "?");
+ syslog(LOG_WARNING,"Possible DoS attack from %s, Port %d",
+ hbuf, port);
+ return (0);
}
-
Home |
Main Index |
Thread Index |
Old Index