authorAlexandr Nedvedicky <sashan@cvs.openbsd.org>2019-12-08 11:08:23 +0000
committerAlexandr Nedvedicky <sashan@cvs.openbsd.org>2019-12-08 11:08:23 +0000
commit4e4a0b842c6076f1efa6cd26ce66e0e0bbebe5ba (patch)
treec9ee89d3d9e5c523c43f6378841b09936fb83177 /sys/netinet6
parent0f80d65821cbe039080c9a41a9c60cc6974f9acb (diff)
Make sure packet destination address matches interface address,
where such packet is bound to. This check is enforced if and only if IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ip6_input.c27
-rw-r--r--sys/netinet6/ip6_var.h4
2 files changed, 29 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 3383def8cd2..5404d7ccfb4 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.220 2019/11/29 16:41:01 nayden Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.221 2019/12/08 11:08:22 sashan Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -432,6 +432,31 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa);
if (ia6->ia6_flags & IN6_IFF_ANYCAST)
m->m_flags |= M_ACAST;
+
+ if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index &&
+ !((ifp->if_flags & IFF_LOOPBACK) ||
+ (ifp->if_type == IFT_ENC))) {
+ /* received on wrong interface */
+#if NCARP > 0
+ struct ifnet *out_if;
+
+ /*
+ * Virtual IPs on carp interfaces need to be checked
+ * also against the parent interface and other carp
+ * interfaces sharing the same parent.
+ */
+ out_if = if_get(rt->rt_ifidx);
+ if (!(out_if && carp_strict_addr_chk(out_if, ifp))) {
+ ip6stat_inc(ip6s_wrongif);
+ if_put(out_if);
+ goto bad;
+ }
+ if_put(out_if);
+#else
+ ip6stat_inc(ip6s_wrongif);
+ goto bad;
+#endif
+ }
/*
* packets to a tentative, duplicated, or somehow invalid
* address must not be accepted.
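Review bot: The only explanation of the new check is `/* received on wrong interface */`, which names what is counted but not why the check is gated on `ip6_forwarding == 0` or why loopback and enc interfaces are exempt; a short comment above the `if` would help the next reader. Something like `/* Not forwarding: a packet for one of our addresses must arrive on the interface that address is configured on. Loopback and enc are exempt because they deliver packets for addresses held by other interfaces. */` — the exemption rationale is my reading of the condition, so confirm the wording against the intent before committing it. The `ip6stat_inc(ip6s_wrongif); goto bad;` pair is also duplicated in both arms of `#if NCARP > 0`; folding the carp result into a single flag and one exit path would leave one place to update when the drop handling changes. The `bad:` label and the rest of ip6_input_if, including the route lookup that produced `rt`, lie outside this hunk.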
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 8fb28bb7be0..3d766f6aeda 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_var.h,v 1.85 2019/08/26 18:47:53 bluhm Exp $ */
+/* $OpenBSD: ip6_var.h,v 1.86 2019/12/08 11:08:22 sashan Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -198,6 +198,7 @@ struct ip6stat {
u_int64_t ip6s_forward_cachehit;
u_int64_t ip6s_forward_cachemiss;
+ u_int64_t ip6s_wrongif;
};
#ifdef _KERNEL
@@ -243,6 +244,7 @@ enum ip6stat_counters {
ip6s_sources_deprecated = ip6s_sources_otherscope + 16,
ip6s_forward_cachehit = ip6s_sources_deprecated + 16,
ip6s_forward_cachemiss,
+ ip6s_wrongif,
ip6s_ncounters,
};