diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 1999-12-21 15:41:09 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 1999-12-21 15:41:09 +0000 |
| commit | c6f2e6ddbf8895d1a9d1775390319964cb168b2a (patch) | |
| tree | 5f23c4c8ee4bd3936fc8190163c1b74945023cb2 | |
| parent | 742833335a9729682caa0fcac1e33e2e91ca2364 (diff) | |
be paranoid about malicious use of v4 mapped addr on v6 packet.
malicious party may try to use v4 mapped addr as source/dest to
confuse tcp/udp layer, or to bypass security checks,
for example, naive stack can mistakingly think a packet with
src = ::ffff:127.0.0.1 is from local node.
(sync with kame)
| -rw-r--r-- | sys/netinet/tcp_input.c | 9 | ||||
| -rw-r--r-- | sys/netinet/udp_usrreq.c | 9 | ||||
| -rw-r--r-- | sys/netinet6/raw_ipv6.c | 11 |
3 files changed, 25 insertions, 4 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index f4195de21a1..81362ad1b37 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.54 1999/12/15 16:37:20 provos Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.55 1999/12/21 15:41:07 itojun Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -489,6 +489,13 @@ tcp_input(m, va_alist) ti = NULL; ipv6 = mtod(m, struct ip6_hdr *); + /* Be proactive about malicious use of IPv4 mapped address */ + if (IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_src) || + IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_dst)) { + /* XXX stat */ + goto drop; + } + if (in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), tlen)) { tcpstat.tcps_rcvbadsum++; goto drop; diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 7ca77e74e76..1c5edcd4e55 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.32 1999/12/19 02:52:21 itojun Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.33 1999/12/21 15:41:08 itojun Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -287,6 +287,13 @@ udp_input(m, va_alist) savesum = uh->uh_sum; #ifdef INET6 if (ipv6) { + /* Be proactive about malicious use of IPv4 mapped address */ + if (IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_src) || + IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_dst)) { + /* XXX stat */ + goto bad; + } + /* * In IPv6, the UDP checksum is ALWAYS used. */ diff --git a/sys/netinet6/raw_ipv6.c b/sys/netinet6/raw_ipv6.c index 34f7f68f341..bb1520f761c 100644 --- a/sys/netinet6/raw_ipv6.c +++ b/sys/netinet6/raw_ipv6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $ */ +/* $OpenBSD: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $ */ /* %%% copyright-nrl-95 This software is Copyright 1995-1998 by Randall Atkinson, Ronald Lee, @@ -43,7 +43,7 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>. * SUCH DAMAGE. * * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95 - * $Id: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $ + * $Id: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $ */ #include <sys/param.h> @@ -212,6 +212,13 @@ rip6_input(mp, offp, proto) #endif /* IPSEC */ int extra = *offp; + /* Be proactive about malicious use of IPv4 mapped address */ + if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || + IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { + /* XXX stat */ + goto ret; + } + bzero(&srcsa, sizeof(struct sockaddr_in6)); srcsa.sin6_family = AF_INET6; srcsa.sin6_len = sizeof(struct sockaddr_in6); |