authoritojun <itojun@openbsd.org>2000-07-06 10:11:21 +0000
committeritojun <itojun@openbsd.org>2000-07-06 10:11:21 +0000
commitf6e5559941d2bc223ffe9c1b93149ebdfc1f0f3a (patch)
tree81547a32d4d546a2c0faf6e70de292af312440bf /sys/netinet6/ip6_input.c
parentDon't write password lines longer than 1023 chars. (diff)
- more icmp6/ip6 stats.
- protect IPv6 ND from being hosed (due to neighbor unreachability detection hint) by wrong tcp traffic. still not sure if there's a real attack, but it is good to be cautious. - avoid bitfield for router renumbering header decl. - implement packet-per-sec limitation for icmp6 errors, turn interval limit off (it is not very useful due to unix timer resolution).
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r--sys/netinet6/ip6_input.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 8381025c768..98f45003ac9 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.17 2000/07/02 10:10:55 itojun Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.18 2000/07/06 10:11:25 itojun Exp $ */
/* $KAME: ip6_input.c,v 1.95 2000/07/02 07:49:37 jinmei Exp $ */
/*
@@ -428,13 +428,14 @@ ip6_input(m)
* Unicast check
*/
if (ip6_forward_rt.ro_rt != NULL &&
- (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
+ (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
&ip6_forward_rt.ro_dst.sin6_addr))
- ; /* cache hit */
+ ip6stat.ip6s_forward_cachehit++;
else {
if (ip6_forward_rt.ro_rt) {
/* route is down or destination is different */
+ ip6stat.ip6s_forward_cachemiss++;
RTFREE(ip6_forward_rt.ro_rt);
ip6_forward_rt.ro_rt = 0;
}
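Review bot: The new ip6s_forward_cachemiss counter is incremented only inside `if (ip6_forward_rt.ro_rt)`, so a lookup that finds the cache empty (ro_rt == NULL) is counted as neither a hit nor a miss, and hit + miss will not equal the number of unicast lookups made here. If that is intended, the asymmetry deserves a comment next to the increment, e.g. `/* counts replaced (stale) entries only; cold lookups are not counted */`; if not, the increment belongs before the `if`, in the else branch, so every non-hit is a miss. Note also that ip6_forward_rt is a file-scope cache shared across packets, so these counters reflect the global cache state rather than a per-packet decision; the enclosing ip6_input() body continues outside this hunk.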
@@ -565,7 +566,7 @@ ip6_input(m)
ip6 = mtod(m, struct ip6_hdr *);
/*
- * if the payload length field is 0 and the next header field
+ * if the payload length field is 0 and the next header field
* indicates Hop-by-Hop Options header, then a Jumbo Payload
* option MUST be included.
*/
@@ -573,7 +574,7 @@ ip6_input(m)
/*
* Note that if a valid jumbo payload option is
* contained, ip6_hoptops_input() must set a valid
- * (non-zero) payload length to the variable plen.
+ * (non-zero) payload length to the variable plen.
*/
ip6stat.ip6s_badoptions++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
@@ -650,6 +651,24 @@ ip6_input(m)
return;
}
+ ip6 = mtod(m, struct ip6_hdr *);
+
+ /*
+ * Malicious party may be able to use IPv4 mapped addr to confuse
+ * tcp/udp stack and bypass security checks (act as if it was from
+ * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
+ *
+ * For SIIT end node behavior, you may want to disable the check.
+ * However, you will become vulnerable to attacks using IPv4 mapped
+ * source.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ ip6stat.ip6s_badscope++;
+ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+
/*
* Tell launch routine the next header
*/