diff options
| author |   jsing <jsing@openbsd.org> | 2009-06-22 17:04:02 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2009-06-22 17:04:02 +0000 |
| commit | c8b05fab2d90c86c24b79e6f2105b605569431c4 (patch) | |
| tree | 0d5e44443546cb495306b45acda91a71fdafaf18 | |
| parent | Always drop ICMPv6 in IPv4 datagrams, not only when compiled with INET6. (diff) | |
| download | wireguard-openbsd-c8b05fab2d90c86c24b79e6f2105b605569431c4.tar.xz wireguard-openbsd-c8b05fab2d90c86c24b79e6f2105b605569431c4.zip | |
Check that the address family is appropriate before processing ICMPv4 and
ICMPv6 messages.
ok henning@
| -rw-r--r-- | sys/net/pf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 2c6618ba7df..a02706f7d88 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.653 2009/06/22 16:55:14 jsing Exp $ */ +/* $OpenBSD: pf.c,v 1.654 2009/06/22 17:04:02 jsing Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2798,6 +2798,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, break; #ifdef INET case IPPROTO_ICMP: + if (af != AF_INET) + break; + if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET)) pf_change_a(&saddr->v4.s_addr, pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, 0); @@ -2819,6 +2822,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, #endif /* INET */ #ifdef INET6 case IPPROTO_ICMPV6: + if (af != AF_INET6) + break; + if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET6)) pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, &nk->addr[pd->sidx], 0); |