diff options
| author |   itojun <itojun@openbsd.org> | 2000-07-27 04:05:26 +0000 |
|---|---|---|
| committer | itojun <itojun@openbsd.org> | 2000-07-27 04:05:26 +0000 |
| commit | 16cbd65c640d6a5f66760db9973e3da4fd59a96f (patch) | |
| tree | 8d5da63b477065b287b16131ea4a571435732baa /sys/netinet6/raw_ipv6.c | |
| parent | sync (diff) | |
| download | wireguard-openbsd-16cbd65c640d6a5f66760db9973e3da4fd59a96f.tar.xz wireguard-openbsd-16cbd65c640d6a5f66760db9973e3da4fd59a96f.zip | |
be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
local address = my addres
remote address = :: (meaning "unconnected")
state = SYN_RCVD
note that SYN ACK will not be sent due to ip6_output() filter.
this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
being contacted (DoS).
Diffstat (limited to 'sys/netinet6/raw_ipv6.c')
| -rw-r--r-- | sys/netinet6/raw_ipv6.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/sys/netinet6/raw_ipv6.c b/sys/netinet6/raw_ipv6.c index 427ce5a7c5a..b20a4c53120 100644 --- a/sys/netinet6/raw_ipv6.c +++ b/sys/netinet6/raw_ipv6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ipv6.c,v 1.25 2000/07/13 13:41:45 itojun Exp $ */ +/* $OpenBSD: raw_ipv6.c,v 1.26 2000/07/27 04:05:27 itojun Exp $ */ /* %%% copyright-nrl-95 @@ -44,7 +44,7 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>. * SUCH DAMAGE. * * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95 - * $Id: raw_ipv6.c,v 1.25 2000/07/13 13:41:45 itojun Exp $ + * $Id: raw_ipv6.c,v 1.26 2000/07/27 04:05:27 itojun Exp $ */ #include <sys/param.h> @@ -224,6 +224,22 @@ rip6_input(mp, offp, proto) goto ret; } + /* + * Be proactive about unspecified IPv6 address in source. + * As we use all-zero to indicate unbounded/unconnected pcb, + * unspecified IPv6 address can be used to confuse us. + * + * Note that packets with unspecified IPv6 destination is + * already dropped in ip6_input. + * + * XXX not sure if we want this for raw IPv6 socket... + */ + if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { + /* XXX stat */ + goto ret; + } + + bzero(&opts, sizeof(opts)); bzero(&srcsa, sizeof(struct sockaddr_in6)); srcsa.sin6_family = AF_INET6; srcsa.sin6_len = sizeof(struct sockaddr_in6); |