Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r-- | sys/netinet/ip_output.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index f8ae21f0cc3..de189da7995 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.220 2011/05/02 13:48:38 mikeb Exp $ */
+/* $OpenBSD: ip_output.c,v 1.221 2011/05/28 12:51:40 weerd Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 
 /*
@@ -163,6 +163,15 @@ ip_output(struct mbuf *m0, ...)
 }
 
 /*
+ * We should not send traffic to 0/8 say both Stevens and RFCs
+ * 5735 section 3 and 1122 sections 3.2.1.3 and 3.3.6.
+ */
+ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == 0) {
+ error = ENETUNREACH;
+ goto bad;
+ }
+
+ /*
 * If we're missing the IP source address, do a route lookup. We'll
 * remember this result, in case we don't need to do any IPsec
 * processing on the packet. We need the source address so we can |
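Review bot: The new 0/8 guard drops the packet silently: the added `if` sets `error = ENETUNREACH` and jumps to `bad` without touching any statistics counter, so an operator cannot see how often a local program or a forwarded flow tries to reach this-network addresses. Consider counting the drop before the jump, for example `ipstat.ips_noroute++;` if that counter's meaning is acceptable here, or a dedicated counter otherwise. The comment could also state whether the check is meant to cover forwarded and raw-output packets as well as locally generated ones; ip_output's body starts and ends outside the hunk, so which flags reach this point is not visible here. A minor style point: `(ip->ip_dst.s_addr & htonl(IN_CLASSA_NET)) == 0` expresses the same test against a constant mask.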