From c6f2e6ddbf8895d1a9d1775390319964cb168b2a Mon Sep 17 00:00:00 2001
From: Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org>
Date: Tue, 21 Dec 1999 15:41:09 +0000
Subject: be paranoid about malicious use of v4 mapped addr on v6 packet.
 malicious party may try to use v4 mapped addr as source/dest to confuse
 tcp/udp layer, or to bypass security checks, for example, naive stack can
 mistakingly think a packet with src = ::ffff:127.0.0.1 is from local node.

(sync with kame)
---
 sys/netinet/tcp_input.c  |  9 ++++++++-
 sys/netinet/udp_usrreq.c |  9 ++++++++-
 sys/netinet6/raw_ipv6.c  | 11 +++++++++--
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index f4195de21a1..81362ad1b37 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.54 1999/12/15 16:37:20 provos Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.55 1999/12/21 15:41:07 itojun Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -489,6 +489,13 @@ tcp_input(m, va_alist)
 	  ti = NULL;
 	  ipv6 = mtod(m, struct ip6_hdr *);
 
+		/* Be proactive about malicious use of IPv4 mapped address */
+		if (IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_src) ||
+		    IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_dst)) {
+			/* XXX stat */
+			goto drop;
+		}
+
 	  if (in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), tlen)) {
 	    tcpstat.tcps_rcvbadsum++;
 	    goto drop;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 7ca77e74e76..1c5edcd4e55 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: udp_usrreq.c,v 1.32 1999/12/19 02:52:21 itojun Exp $	*/
+/*	$OpenBSD: udp_usrreq.c,v 1.33 1999/12/21 15:41:08 itojun Exp $	*/
 /*	$NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $	*/
 
 /*
@@ -287,6 +287,13 @@ udp_input(m, va_alist)
 	savesum = uh->uh_sum;
 #ifdef INET6
 	if (ipv6) {
+		/* Be proactive about malicious use of IPv4 mapped address */
+		if (IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_src) ||
+		    IN6_IS_ADDR_V4MAPPED(&ipv6->ip6_dst)) {
+			/* XXX stat */
+			goto bad;
+		}
+
 		/*
 		 * In IPv6, the UDP checksum is ALWAYS used.
 		 */
diff --git a/sys/netinet6/raw_ipv6.c b/sys/netinet6/raw_ipv6.c
index 34f7f68f341..bb1520f761c 100644
--- a/sys/netinet6/raw_ipv6.c
+++ b/sys/netinet6/raw_ipv6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $ */
+/* $OpenBSD: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $ */
 /*
 %%% copyright-nrl-95
 This software is Copyright 1995-1998 by Randall Atkinson, Ronald Lee,
@@ -43,7 +43,7 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.
  * SUCH DAMAGE.
  *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ipv6.c,v 1.10 1999/12/19 02:54:29 itojun Exp $
+ *	$Id: raw_ipv6.c,v 1.11 1999/12/21 15:41:08 itojun Exp $
  */
 
 #include <sys/param.h>
@@ -212,6 +212,13 @@ rip6_input(mp, offp, proto)
 #endif /* IPSEC */
   int extra = *offp;
 
+	/* Be proactive about malicious use of IPv4 mapped address */
+	if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+		/* XXX stat */
+		goto ret;
+	}
+
   bzero(&srcsa, sizeof(struct sockaddr_in6));
   srcsa.sin6_family = AF_INET6;
   srcsa.sin6_len = sizeof(struct sockaddr_in6);
-- 
cgit v1.2.3