author | Paul de Weerd <weerd@cvs.openbsd.org> | 2011-05-28 12:51:41 +0000 |
---|---|---|
committer | Paul de Weerd <weerd@cvs.openbsd.org> | 2011-05-28 12:51:41 +0000 |
commit | 35f39c9b25f9b98af13bac74af910435a87cf01a (patch) | |
tree | f9851caa17ce798e6d36146fb08ecef641d60e2a /sys | |
parent | 6006b01a575eabf2ae9a0cad4a4a0f662cae9e24 (diff) |
Do not allow traffic to be sent with a destination address in 0/8;
this is not allowed according to Stevens and RFCs 5735 and 1122.
Suggestion to use ENETUNREACH from claudio.
OK phessler@, claudio@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_output.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index f8ae21f0cc3..de189da7995 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.220 2011/05/02 13:48:38 mikeb Exp $ */ +/* $OpenBSD: ip_output.c,v 1.221 2011/05/28 12:51:40 weerd Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -163,6 +163,15 @@ ip_output(struct mbuf *m0, ...) } /* + * We should not send traffic to 0/8 say both Stevens and RFCs + * 5735 section 3 and 1122 sections 3.2.1.3 and 3.3.6. + */ + if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == 0) { + error = ENETUNREACH; + goto bad; + } + + /* * If we're missing the IP source address, do a route lookup. We'll * remember this result, in case we don't need to do any IPsec * processing on the packet. We need the source address so we can |
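Review bot: The new 0/8 test in ip_output() drops the packet without recording it anywhere. The added lines only set `error = ENETUNREACH;` and `goto bad;`, so a host that keeps trying to send to 0/8 is visible only to the caller that receives the error. Consider incrementing an IP output statistics counter before the `goto bad` so these drops show up in the stack's statistics. The test also expresses a /8 prefix match through the classful constant `IN_CLASSA_NSHIFT`; a short remark in the comment that the shift isolates the top octet would make the intent explicit. The comment's first sentence ("We should not send traffic to 0/8 say both Stevens and RFCs") would read more clearly as a plain statement followed by the references, for example "Do not send traffic to 0/8; see Stevens and RFC 5735 section 3, RFC 1122 sections 3.2.1.3 and 3.3.6."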