authoritojun <itojun@openbsd.org>2000-07-27 04:05:26 +0000
committeritojun <itojun@openbsd.org>2000-07-27 04:05:26 +0000
commit16cbd65c640d6a5f66760db9973e3da4fd59a96f (patch)
tree8d5da63b477065b287b16131ea4a571435732baa
parentsync (diff)
downloadwireguard-openbsd-16cbd65c640d6a5f66760db9973e3da4fd59a96f.tar.xz
wireguard-openbsd-16cbd65c640d6a5f66760db9973e3da4fd59a96f.zip
be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected", and can be confused by packets from outside. use of :: as source is not documented well in IPv6 specification. not sure if it presents a real threat. the worst case scenario is a DoS against TCP listening socket:
- outsider transmits TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
    local address = my address
    remote address = :: (meaning "unconnected")
    state = SYN_RCVD
  note that SYN ACK will not be sent due to ip6_output() filter. this stays until it times out.
- the TCP control block prevents listening TCP control block from being contacted (DoS).
-rw-r--r--sys/netinet/tcp_input.c15
-rw-r--r--sys/netinet/udp_usrreq.c15
-rw-r--r--sys/netinet6/raw_ipv6.c20
3 files changed, 46 insertions, 4 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 72cf27e59f8..e84f649e326 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.67 2000/07/11 16:53:22 provos Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.68 2000/07/27 04:05:26 itojun Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -527,6 +527,19 @@ tcp_input(m, va_alist)
}
/*
+ * Be proactive about unspecified IPv6 address in source.
+ * As we use all-zero to indicate unbounded/unconnected pcb,
+ * unspecified IPv6 address can be used to confuse us.
+ *
+ * Note that packets with unspecified IPv6 destination is
+ * already dropped in ip6_input.
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&ipv6->ip6_src)) {
+ /* XXX stat */
+ goto drop;
+ }
+
+ /*
* Checksum extended TCP header and data.
*/
if (in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), tlen)) {
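Review bot: The new drop path at `/* XXX stat */` increments no counter, so packets discarded for carrying :: as source leave no trace an operator could use to notice this traffic; the same placeholder is left in the udp_input and rip6_input hunks. I would bump a per-protocol statistic before `goto drop;` (the field would have to be added or chosen, none is visible in this hunk) and replace the placeholder with a comment such as `/* :: source would look like an unconnected pcb; count and drop */`. tcp_input starts and ends outside the hunk, so whether the `drop` label already accounts for the packet cannot be seen here.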
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index f57471be513..2547b166ffb 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.45 2000/06/18 17:32:48 itojun Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.46 2000/07/27 04:05:27 itojun Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -290,6 +290,19 @@ udp_input(m, va_alist)
}
/*
+ * Be proactive about unspecified IPv6 address in source.
+ * As we use all-zero to indicate unbounded/unconnected pcb,
+ * unspecified IPv6 address can be used to confuse us.
+ *
+ * Note that packets with unspecified IPv6 destination is
+ * already dropped in ip6_input.
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&ipv6->ip6_src)) {
+ /* XXX stat */
+ goto bad;
+ }
+
+ /*
* In IPv6, the UDP checksum is ALWAYS used.
*/
if ((uh->uh_sum = in6_cksum(m, IPPROTO_UDP, iphlen, len))) {
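Review bot: The comment and test added here are a verbatim copy of the ones in the tcp_input and rip6_input hunks, so any later correction has to be made in three places; a small shared macro or inline predicate with the explanation written once would keep them in step. The comment wording could be tightened at the same time: `unbounded` presumably means a pcb that is not bound to an address, and the last sentence should read `Note that packets with an unspecified IPv6 destination are already dropped in ip6_input.` udp_input's body continues outside the hunk.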
diff --git a/sys/netinet6/raw_ipv6.c b/sys/netinet6/raw_ipv6.c
index 427ce5a7c5a..b20a4c53120 100644
--- a/sys/netinet6/raw_ipv6.c
+++ b/sys/netinet6/raw_ipv6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ipv6.c,v 1.25 2000/07/13 13:41:45 itojun Exp $ */
+/* $OpenBSD: raw_ipv6.c,v 1.26 2000/07/27 04:05:27 itojun Exp $ */
/*
%%% copyright-nrl-95
@@ -44,7 +44,7 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.
* SUCH DAMAGE.
*
* @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $Id: raw_ipv6.c,v 1.25 2000/07/13 13:41:45 itojun Exp $
+ * $Id: raw_ipv6.c,v 1.26 2000/07/27 04:05:27 itojun Exp $
*/
#include <sys/param.h>
@@ -224,6 +224,22 @@ rip6_input(mp, offp, proto)
goto ret;
}
+ /*
+ * Be proactive about unspecified IPv6 address in source.
+ * As we use all-zero to indicate unbounded/unconnected pcb,
+ * unspecified IPv6 address can be used to confuse us.
+ *
+ * Note that packets with unspecified IPv6 destination is
+ * already dropped in ip6_input.
+ *
+ * XXX not sure if we want this for raw IPv6 socket...
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
+ /* XXX stat */
+ goto ret;
+ }
+
+ bzero(&opts, sizeof(opts));
bzero(&srcsa, sizeof(struct sockaddr_in6));
srcsa.sin6_family = AF_INET6;
srcsa.sin6_len = sizeof(struct sockaddr_in6);
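Review bot: The added `bzero(&opts, sizeof(opts));` is not mentioned in the commit message and looks unrelated to the source-address check; if it fixes a use of an uninitialised `opts` further down (not visible in this hunk), it deserves its own line in the log or a one-line comment such as `/* opts must start zeroed before it is filled in */`. The check itself still carries `XXX not sure if we want this for raw IPv6 socket...`: a raw socket is how userland would observe unusual packets, so dropping :: sources here also hides them from any monitoring tool that relies on one, and that trade-off should be decided rather than left as an XXX. rip6_input starts before and ends after the hunk, so what the `ret` label releases is not visible.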