diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-10-19 21:25:16 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-10-19 21:25:16 +0000 |
| commit | fb710b85369ca80339a0463f12f7d756d2a2bd04 (patch) | |
| tree | 05778a1172b1ff6c79923250e6c92988a1fee15b /sys/netinet6/route6.c | |
| parent | 345dfbd3013f0ebce5a0c2510b22ae5b673c3feb (diff) | |
Our IPv6 stack was scanning all extension headers for routing header
type 0 and dropped the packet if it found one. RFC 5095 demands
to handle a routing header type 0 like an unrecognised routing type.
This is enough to protect the own machine.
To protect a network as a firewall, we have pf which does the same
full scan in pf_walk_header6(). As pf is enabled by default, nothing
changes for most users. If you turn off pf on your router, you
should not expect extra protection.
Get rid of the double scanning in ip6_input() and and the older
disabled code in route6_input(). No more special treatment of
routing header type 0 in the IPv6 stack.
OK henning@ mikeb@
Diffstat (limited to 'sys/netinet6/route6.c')
| -rw-r--r-- | sys/netinet6/route6.c | 123 |
1 files changed, 4 insertions, 119 deletions
diff --git a/sys/netinet6/route6.c b/sys/netinet6/route6.c index 62aa3de5b1f..d129046b700 100644 --- a/sys/netinet6/route6.c +++ b/sys/netinet6/route6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: route6.c,v 1.17 2008/06/11 19:00:50 mcbride Exp $ */ +/* $OpenBSD: route6.c,v 1.18 2013/10/19 21:25:15 bluhm Exp $ */ /* $KAME: route6.c,v 1.22 2000/12/03 00:54:00 itojun Exp $ */ /* @@ -44,10 +44,6 @@ #include <netinet/icmp6.h> -#if 0 -static int ip6_rthdr0(struct mbuf *, struct ip6_hdr *, struct ip6_rthdr0 *); -#endif - /* * proto is unused */ @@ -68,43 +64,12 @@ route6_input(struct mbuf **mp, int *offp, int proto) } switch (rh->ip6r_type) { -#if 0 - /* - * See http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf - * for why IPV6_RTHDR_TYPE_0 is banned here. - * - * We return ICMPv6 parameter problem so that innocent people - * (not an attacker) would notice about the use of IPV6_RTHDR_TYPE_0. - * Since there's no amplification, and ICMPv6 error will be rate- - * controlled, it shouldn't cause any problem. - * If you are concerned about this, you may want to use the following - * code fragment: - * - * case IPV6_RTHDR_TYPE_0: - * m_freem(m); - * return (IPPROTO_DONE); - */ case IPV6_RTHDR_TYPE_0: - rhlen = (rh->ip6r_len + 1) << 3; - if (rh->ip6r_segleft == 0) - break; /* Final dst. Just ignore the header. */ /* - * note on option length: - * maximum rhlen: 2048 - * max mbuf m_pulldown can handle: MCLBYTES == usually 2048 - * so, here we are assuming that m_pulldown can handle - * rhlen == 2048 case. this may not be a good thing to - * assume - we may want to avoid pulling it up altogether. + * RFC 5095 specifies to handle routing header type 0 + * the same way as an unrecognised routing type. */ - IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen); - if (rh == NULL) { - ip6stat.ip6s_tooshort++; - return IPPROTO_DONE; - } - if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh)) - return (IPPROTO_DONE); - break; -#endif + /* FALLTHROUGH */ default: /* unknown routing type */ if (rh->ip6r_segleft == 0) { @@ -120,83 +85,3 @@ route6_input(struct mbuf **mp, int *offp, int proto) *offp += rhlen; return (rh->ip6r_nxt); } - -#if 0 -/* - * Type0 routing header processing - * - * RFC2292 backward compatibility warning: no support for strict/loose bitmap, - * as it was dropped between RFC1883 and RFC2460. - */ -static int -ip6_rthdr0(struct mbuf *m, struct ip6_hdr *ip6, struct ip6_rthdr0 *rh0) -{ - int addrs, index; - struct in6_addr *nextaddr, tmpaddr; - - if (rh0->ip6r0_segleft == 0) - return (0); - - if (rh0->ip6r0_len % 2) { - /* - * Type 0 routing header can't contain more than 23 addresses. - * RFC 2460: this limitation was removed since strict/loose - * bitmap field was deleted. - */ - ip6stat.ip6s_badoptions++; - icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, - (caddr_t)&rh0->ip6r0_len - (caddr_t)ip6); - return (-1); - } - - if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) { - ip6stat.ip6s_badoptions++; - icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, - (caddr_t)&rh0->ip6r0_segleft - (caddr_t)ip6); - return (-1); - } - - index = addrs - rh0->ip6r0_segleft; - rh0->ip6r0_segleft--; - nextaddr = ((struct in6_addr *)(rh0 + 1)) + index; - - /* - * reject invalid addresses. be proactive about malicious use of - * IPv4 mapped/compat address. - * XXX need more checks? - */ - if (IN6_IS_ADDR_MULTICAST(nextaddr) || - IN6_IS_ADDR_UNSPECIFIED(nextaddr) || - IN6_IS_ADDR_V4MAPPED(nextaddr) || - IN6_IS_ADDR_V4COMPAT(nextaddr)) { - ip6stat.ip6s_badoptions++; - goto bad; - } - if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || - IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) || - IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) || - IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { - ip6stat.ip6s_badoptions++; - goto bad; - } - - /* - * Swap the IPv6 destination address and nextaddr. Forward the packet. - */ - tmpaddr = *nextaddr; - *nextaddr = ip6->ip6_dst; - if (IN6_IS_ADDR_LINKLOCAL(nextaddr)) - nextaddr->s6_addr16[1] = 0; - ip6->ip6_dst = tmpaddr; - if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) - ip6->ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index); - - ip6_forward(m, 1); - - return (-1); /* m would be freed in ip6_forward() */ - - bad: - m_freem(m); - return (-1); -} -#endif |