diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-07-27 04:05:28 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-07-27 04:05:28 +0000 |
| commit | 6722de2908d59f0c52e470c09db302c083f1862b (patch) | |
| tree | 03390a8ef28d390a828843dd4d4418d0f3db55a3 /sys/netinet | |
| parent | 850b57f0dac75236ab3724f2b23328fbbbc3ec05 (diff) | |
be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
local address = my addres
remote address = :: (meaning "unconnected")
state = SYN_RCVD
note that SYN ACK will not be sent due to ip6_output() filter.
this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
being contacted (DoS).
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/tcp_input.c | 15 | ||||
| -rw-r--r-- | sys/netinet/udp_usrreq.c | 15 |
2 files changed, 28 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 72cf27e59f8..e84f649e326 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.67 2000/07/11 16:53:22 provos Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.68 2000/07/27 04:05:26 itojun Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -527,6 +527,19 @@ tcp_input(m, va_alist) } /* + * Be proactive about unspecified IPv6 address in source. + * As we use all-zero to indicate unbounded/unconnected pcb, + * unspecified IPv6 address can be used to confuse us. + * + * Note that packets with unspecified IPv6 destination is + * already dropped in ip6_input. + */ + if (IN6_IS_ADDR_UNSPECIFIED(&ipv6->ip6_src)) { + /* XXX stat */ + goto drop; + } + + /* * Checksum extended TCP header and data. */ if (in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), tlen)) { diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index f57471be513..2547b166ffb 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.45 2000/06/18 17:32:48 itojun Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.46 2000/07/27 04:05:27 itojun Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -290,6 +290,19 @@ udp_input(m, va_alist) } /* + * Be proactive about unspecified IPv6 address in source. + * As we use all-zero to indicate unbounded/unconnected pcb, + * unspecified IPv6 address can be used to confuse us. + * + * Note that packets with unspecified IPv6 destination is + * already dropped in ip6_input. + */ + if (IN6_IS_ADDR_UNSPECIFIED(&ipv6->ip6_src)) { + /* XXX stat */ + goto bad; + } + + /* * In IPv6, the UDP checksum is ALWAYS used. */ if ((uh->uh_sum = in6_cksum(m, IPPROTO_UDP, iphlen, len))) { |