author | 1999-12-21 15:41:07 +0000 | |
---|---|---|
committer | 1999-12-21 15:41:07 +0000 | |
commit | e22543b469bbe9aa998f66c3273f52b01184c1fc (patch) | |
tree | 9d348f7512bf6a0fc71e19452b597b042d71329f /sys/netinet6/raw_ipv6.c | |
parent | enable SACK again (diff) | |
be paranoid about malicious use of v4 mapped addr on v6 packet.
malicious party may try to use v4 mapped addr as source/dest to
confuse tcp/udp layer, or to bypass security checks,
for example, naive stack can mistakenly think a packet with
src = ::ffff:127.0.0.1 is from local node.
(sync with kame)
Diffstat (limited to 'sys/netinet6/raw_ipv6.c')
-rw-r--r-- | sys/netinet6/raw_ipv6.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/netinet6/raw_ipv6.c b/sys/netinet6/raw_ipv6.c
index 34f7f68f341..bb1520f761c 100644
--- a/sys/netinet6/raw_ipv6.c
+++ b/sys/netinet6/raw_ipv6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $ */
+/* $OpenBSD: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $ */
 /*
 %%% copyright-nrl-95
 This software is Copyright 1995-1998 by Randall Atkinson, Ronald Lee,
@@ -43,7 +43,7 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.
 * SUCH DAMAGE.
 *
 * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $Id: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $
+ * $Id: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $
 */
 
 #include <sys/param.h>
@@ -212,6 +212,13 @@ rip6_input(mp, offp, proto)
 #endif /* IPSEC */
 int extra = *offp;
 
+ /* Be proactive about malicious use of IPv4 mapped address */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ /* XXX stat */
+ goto ret;
+ }
+
 bzero(&srcsa, sizeof(struct sockaddr_in6));
 srcsa.sin6_family = AF_INET6;
 srcsa.sin6_len = sizeof(struct sockaddr_in6); |
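Review bot: The new v4-mapped check in rip6_input discards the packet without counting it; `/* XXX stat */` is only a placeholder, so an operator cannot tell that such packets are arriving. Since the commit message treats these packets as a sign of malicious use, the XXX should become an increment of an input-error statistic the file already has in scope, so the drops show up in monitoring. The `ret` label and the initialisation of `ip6` both lie outside the hunk, so it cannot be confirmed from here that the mbuf is released on this path or that `ip6` already points at the header when the check runs. If it does, a short comment on the `goto`, such as `/* drop silently; ret releases the mbuf */`, would record that for the next reader.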