authorMartin Pieuchot <mpi@cvs.openbsd.org>2015-07-17 23:32:19 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2015-07-17 23:32:19 +0000
commitb4c5d5baf2964ac837c95004c8224a4a130cb098 (patch)
tree7b8a1c92ed2bb412eacb4b8cb26c96beb0a856cf /sys
parent9169229b986d1a3a3b5fc88c635cbd9e4fd04008 (diff)
Drop promiscuously received packets if the trunk(4) interface is not
in promiscuous mode. The long story is that claudio@ had his ssh session reset multiple times in the hackroom because czarkoff@'s machine was sending resets. We figured out that the packet was reaching pf because of this missing check. pf would then not find any state and send a reset. Analyzed with and ok phessler@, claudio@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/if_trunk.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/sys/net/if_trunk.c b/sys/net/if_trunk.c
index 980c47224fc..f51d2c0d261 100644
--- a/sys/net/if_trunk.c
+++ b/sys/net/if_trunk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_trunk.c,v 1.108 2015/07/02 10:02:40 mpi Exp $ */
+/* $OpenBSD: if_trunk.c,v 1.109 2015/07/17 23:32:18 mpi Exp $ */
/*
* Copyright (c) 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -1116,6 +1116,21 @@ trunk_input(struct ifnet *ifp, struct mbuf *m)
if ((trifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
goto bad;
+ /*
+ * Drop promiscuously received packets if we are not in
+ * promiscuous mode.
+ */
+ if (!ETHER_IS_MULTICAST(eh->ether_dhost) &&
+ (ifp->if_flags & IFF_PROMISC) &&
+ (trifp->if_flags & IFF_PROMISC) == 0) {
+ if (bcmp(&tr->tr_ac.ac_enaddr, eh->ether_dhost,
+ ETHER_ADDR_LEN)) {
+ m_freem(m);
+ return (1);
+ }
+ }
+
+
ml_enqueue(&ml, m);
if_input(trifp, &ml);
return (1);
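Review bot: The new drop path under the `bcmp()` test frees the mbuf and returns on its own, while the interface-state check just above it leaves through `goto bad`. The `bad` label is outside this hunk, so if it does any accounting, frames discarded here bypass it and the filter is hard to confirm when chasing stray traffic that reaches pf. If skipping that path is deliberate because these frames are not input errors, extend the comment to say so, e.g. `Not counted as an error: unicast frames for other stations are expected while the port is promiscuous.` (this presumes member ports are promiscuous because of trunk membership; confirm). The nested `if` can be folded into the outer condition with `&& bcmp(&tr->tr_ac.ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) != 0`, and the two blank lines added before `ml_enqueue()` should be one. trunk_input()'s body starts and ends outside the hunk.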