authormpi <mpi@openbsd.org>2014-11-20 11:05:19 +0000
committermpi <mpi@openbsd.org>2014-11-20 11:05:19 +0000
commit7e5860a99c6711cecfbf255f88bb15e43abe37ce (patch)
treeda317cf883a9e0c4d88535deb5b65e90a9fd82ac /sys
parentFix previous. (diff)
In TCP and UDP layers do not (ab)use the receiving interface to check
for a multicast/broadcast destination address. These checks have already been done in the Ethernet and IP layers and the mbuf(9) should contain all the required information at this point. But since we cannot trust this spaghetti stack, be paranoid and make sure to set the flags in the IP input routines. Use explicit comments, requested by deraadt@. ok claudio@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_input.c10
-rw-r--r--sys/netinet/tcp_input.c7
-rw-r--r--sys/netinet/udp_usrreq.c13
-rw-r--r--sys/netinet6/ip6_input.c9
4 files changed, 20 insertions, 19 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 202b11fc763..838fe48de0e 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.241 2014/11/05 14:03:02 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.242 2014/11/20 11:05:19 mpi Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -348,6 +348,14 @@ ipv4_input(struct mbuf *m)
if (IN_MULTICAST(ip->ip_dst.s_addr)) {
struct in_multi *inm;
+
+ /*
+ * Make sure M_MCAST is set. It should theoretically
+ * already be there, but let's play safe because upper
+ * layers check for this flag.
+ */
+ m->m_flags |= M_MCAST;
+
#ifdef MROUTING
if (ipmforwarding && ip_mrouter) {
if (m->m_flags & M_EXT) {
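Review bot: Only M_MCAST is forced here, while the reworked checks in tcp_input() and udp_input() (the tcp_input.c and udp_usrreq.c hunks) now depend on M_BCAST as well, and no visible hunk sets M_BCAST for an IPv4 broadcast destination. The removed code called `in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif, m->m_pkthdr.ph_rtableid)`, so TCP dropped a segment addressed to a broadcast IP even when the frame itself was unicast; with the flag-only test it would pass unless some path outside this diff marks the mbuf. I would add the matching step where ipv4_input() recognises a broadcast destination, e.g. `m->m_flags |= M_BCAST;` with the same style of comment, or say in the comment why that is unnecessary. ipv4_input() continues outside the hunk, so its broadcast handling is not visible here.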
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index cea9fc617b4..cd76159fe44 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.283 2014/11/18 02:37:31 tedu Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.284 2014/11/20 11:05:19 mpi Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -394,7 +394,6 @@ tcp_input(struct mbuf *m, ...)
/*
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
- * See below for AF specific multicast.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
@@ -459,10 +458,6 @@ tcp_input(struct mbuf *m, ...)
switch (af) {
case AF_INET:
ip = mtod(m, struct ip *);
- if (IN_MULTICAST(ip->ip_dst.s_addr) ||
- in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid))
- goto drop;
#ifdef TCP_ECN
/* save ip_tos before clearing it for checksum */
iptos = ip->ip_tos;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 1ccc39ee992..f8e192bcc72 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.191 2014/11/09 22:05:08 bluhm Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.192 2014/11/20 11:05:19 mpi Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -400,16 +400,7 @@ udp_input(struct mbuf *m, ...)
}
#endif
-#ifdef INET6
- if ((ip6 && IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) ||
- (ip && IN_MULTICAST(ip->ip_dst.s_addr)) ||
- (ip && in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid))) {
-#else /* INET6 */
- if (IN_MULTICAST(ip->ip_dst.s_addr) ||
- in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif,
- m->m_pkthdr.ph_rtableid)) {
-#endif /* INET6 */
+ if (m->m_flags & (M_BCAST|M_MCAST)) {
struct inpcb *last;
/*
* Deliver a multicast or broadcast datagram to *all* sockets
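Review bot: `if (m->m_flags & (M_BCAST|M_MCAST))` is not equivalent to the address tests it replaces, because the flags can also reflect how the frame was addressed at the link layer. A datagram with a unicast IP destination carried in a broadcast or multicast frame would now take the deliver-to-all-sockets path, assuming the IP input routines do not reject it earlier (not visible here). If that is intended, a comment on the condition would record it, for example `/* M_BCAST/M_MCAST are set by the link and IP input layers; do not re-derive them from rcvif. */`. udp_input() starts and ends outside the hunk.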
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 76424275ee3..647347ab192 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.130 2014/10/14 09:52:26 mpi Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.131 2014/11/20 11:05:19 mpi Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -398,6 +398,13 @@ ip6_input(struct mbuf *m)
if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
struct in6_multi *in6m = 0;
+ /*
+ * Make sure M_MCAST is set. It should theoretically
+ * already be there, but let's play safe because upper
+ * layers check for this flag.
+ */
+ m->m_flags |= M_MCAST;
+
in6_ifstat_inc(ifp, ifs6_in_mcast);
/*
* See if we belong to the destination multicast group on the