Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netinet6 Move the address checks into one function, ip6_...
details: https://anonhg.NetBSD.org/src/rev/a6985b1e86e4
branches: trunk
changeset: 832004:a6985b1e86e4
user: maxv <maxv%NetBSD.org@localhost>
date: Thu Apr 26 07:01:38 2018 +0000
description:
Move the address checks into one function, ip6_badaddr(). In this function,
reinstate the "IPv4-compatible IPv6 addresses" check; these addresses are
deprecated by RFC4291 (2006).
diffstat:
sys/netinet6/ip6_input.c | 86 ++++++++++++++++++++++-------------------------
1 files changed, 41 insertions(+), 45 deletions(-)
diffs (127 lines):
diff -r 3a9312c44967 -r a6985b1e86e4 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Thu Apr 26 06:23:33 2018 +0000
+++ b/sys/netinet6/ip6_input.c Thu Apr 26 07:01:38 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.198 2018/04/15 08:31:18 maxv Exp $ */
+/* $NetBSD: ip6_input.c,v 1.199 2018/04/26 07:01:38 maxv Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.198 2018/04/15 08:31:18 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.199 2018/04/26 07:01:38 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_gateway.h"
@@ -138,6 +138,7 @@
static void ip6_init2(void);
static void ip6intr(void *);
+static bool ip6_badaddr(struct ip6_hdr *);
static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *);
static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *,
@@ -320,55 +321,13 @@
goto bad;
}
- /*
- * Check against address spoofing/corruption.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
- IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
- /*
- * XXX: "badscope" is not very suitable for a multicast source.
- */
+ if (ip6_badaddr(ip6)) {
IP6_STATINC(IP6_STAT_BADSCOPE);
in6_ifstat_inc(rcvif, ifs6_in_addrerr);
goto bad;
}
/*
- * The following check is not documented in specs. A malicious
- * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
- * and bypass security checks (act as if it was from 127.0.0.1 by using
- * IPv6 src ::ffff:127.0.0.1). Be cautious.
- *
- * This check chokes if we are in an SIIT cloud. As none of BSDs
- * support IPv4-less kernel compilation, we cannot support SIIT
- * environment at all. So, it makes more sense for us to reject any
- * malicious packets for non-SIIT environment, than try to do a
- * partial support for SIIT environment.
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
- IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
- IP6_STATINC(IP6_STAT_BADSCOPE);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-
-#if 0
- /*
- * Reject packets with IPv4 compatible addresses (auto tunnel).
- *
- * The code forbids auto tunnel relay case in RFC1933 (the check is
- * stronger than RFC1933). We may want to re-enable it if mech-xx
- * is revised to forbid relaying case.
- */
- if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
- IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
- IP6_STATINC(IP6_STAT_BADSCOPE);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-#endif
-
- /*
* Assume that we can create a fast-forward IP flow entry
* based on this packet.
*/
@@ -804,6 +763,43 @@
return;
}
+static bool
+ip6_badaddr(struct ip6_hdr *ip6)
+{
+ /* Check against address spoofing/corruption. */
+ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
+ IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
+ return true;
+ }
+
+ /*
+ * The following check is not documented in specs. A malicious
+ * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
+ * and bypass security checks (act as if it was from 127.0.0.1 by using
+ * IPv6 src ::ffff:127.0.0.1). Be cautious.
+ *
+ * This check chokes if we are in an SIIT cloud. As none of BSDs
+ * support IPv4-less kernel compilation, we cannot support SIIT
+ * environment at all. So, it makes more sense for us to reject any
+ * malicious packets for non-SIIT environment, than try to do a
+ * partial support for SIIT environment.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ return true;
+ }
+
+ /*
+ * Reject packets with IPv4-compatible IPv6 addresses (RFC4291).
+ */
+ if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
+ return true;
+ }
+
+ return false;
+}
+
/*
* set/grab in6_ifaddr correspond to IPv6 destination address.
*/
Home |
Main Index |
Thread Index |
Old Index