author | 2014-11-20 11:05:19 +0000 | |
---|---|---|
committer | 2014-11-20 11:05:19 +0000 | |
commit | 7e5860a99c6711cecfbf255f88bb15e43abe37ce (patch) | |
tree | da317cf883a9e0c4d88535deb5b65e90a9fd82ac /sys/netinet | |
parent | Fix previous. (diff) | |
In TCP and UDP layers do not (ab)use the receiving interface to check
for a multicast/broadcast destination address.
These checks have already been done in the Ethernet and IP layers and
the mbuf(9) should contain all the required information at this point.
But since we cannot trust this spaghetti stack, be paranoid and make
sure to set the flags in the IP input routines.
Use explicit comments, requested by deraadt@. ok claudio@
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 10 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 7 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 13 |
3 files changed, 12 insertions, 18 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 202b11fc763..838fe48de0e 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.241 2014/11/05 14:03:02 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.242 2014/11/20 11:05:19 mpi Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 /*
@@ -348,6 +348,14 @@ ipv4_input(struct mbuf *m)
 if (IN_MULTICAST(ip->ip_dst.s_addr)) {
 struct in_multi *inm;
+
+ /*
+ * Make sure M_MCAST is set. It should theoretically
+ * already be there, but let's play safe because upper
+ * layers check for this flag.
+ */
+ m->m_flags |= M_MCAST;
+
 #ifdef MROUTING
 if (ipmforwarding && ip_mrouter) {
 if (m->m_flags & M_EXT) {
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index cea9fc617b4..cd76159fe44 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.283 2014/11/18 02:37:31 tedu Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.284 2014/11/20 11:05:19 mpi Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
@@ -394,7 +394,6 @@ tcp_input(struct mbuf *m, ...)
 /*
 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * See below for AF specific multicast.
 */
 if (m->m_flags & (M_BCAST|M_MCAST))
 goto drop;
@@ -459,10 +458,6 @@ tcp_input(struct mbuf *m, ...)
 switch (af) {
 case AF_INET:
 ip = mtod(m, struct ip *);
- if (IN_MULTICAST(ip->ip_dst.s_addr) ||
- in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid))
- goto drop;
 #ifdef TCP_ECN
 /* save ip_tos before clearing it for checksum */
 iptos = ip->ip_tos;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 1ccc39ee992..f8e192bcc72 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
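Review bot: Only M_MCAST is forced in the ipv4_input() hunk, while the `m->m_flags & (M_BCAST|M_MCAST)` tests that tcp_input() and udp_input() now rely on also depend on M_BCAST. A packet whose IP destination is a broadcast address but which arrived in a link-layer unicast frame was previously caught by the removed `in_broadcast()` calls; after this change it is caught only if the IPv4 local-address match sets the flag, and that code is not part of this diff. If it does not, the equivalent one-line guard belongs at the broadcast match, `m->m_flags |= M_BCAST;`, with a comment like the one added here. ipv4_input() starts and ends outside the hunk.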
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.191 2014/11/09 22:05:08 bluhm Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.192 2014/11/20 11:05:19 mpi Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -400,16 +400,7 @@ udp_input(struct mbuf *m, ...)
 }
 #endif
-#ifdef INET6
- if ((ip6 && IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) ||
- (ip && IN_MULTICAST(ip->ip_dst.s_addr)) ||
- (ip && in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid))) {
-#else /* INET6 */
- if (IN_MULTICAST(ip->ip_dst.s_addr) ||
- in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid)) {
-#endif /* INET6 */
+ if (m->m_flags & (M_BCAST|M_MCAST)) {
 struct inpcb *last;
 /*
 * Deliver a multicast or broadcast datagram to *all* sockets |
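Review bot: The new `if (m->m_flags & (M_BCAST|M_MCAST)) {` in udp_input() also stands in for the removed `IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)` test, but nothing in the visible diff sets M_MCAST on the IPv6 input path (the diffstat is limited to sys/netinet). If the flag were missing for an IPv6 multicast datagram, it would skip this deliver-to-all branch, so the IPv6 side deserves the same "make sure the flag is set" treatment that ipv4_input() receives. A comment above the test would record the dependency, e.g. `/* M_BCAST/M_MCAST must already be set by the link layer or the IP input routine */`. udp_input() continues outside the hunk.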