Source-Changes-D archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: CVS commit: src/sys/netinet

On Mon, 05 Feb 2018, at 13:23:11 +0000, Maxime Villard wrote:
>Module Name:    src
>Committed By:   maxv
>Date:           Mon Feb  5 13:23:11 UTC 2018
>Modified Files:
>        src/sys/netinet: ip_input.c
>Log Message:
>Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
>completely dumb idea, because they have security implications.
>By sending an IPv4 packet containing an LSRR option, an attacker will
>cause the system to forward the packet to another IPv4 address - and
>this way he white-washes the source of the packet.
>It is also possible for an attacker to reach hidden networks: if a
>has a public address, and a private one on an internal network (network
>which has several internal machines connected), the attacker can send a
>packet with:
>        source =
>        destination = public address of the server
>        LSRR first address = address of a machine on the internal
>And the packet will be forwarded, by the server, to the internal
>in some cases even with the internal IP address of the server as a


This particular fix has been pulled up to the various 6.x and 7.x
branches, but not to 8.0_BETA. Is that still pending because it's part
of a larger planned change set?

Thanks for all the improvements you've been making!



Home | Main Index | Thread Index | Old Index