Source-Changes-HG archive
[src/trunk]: src/sys/netinet6 be proactive about malicious packet on the wire...
details: https://anonhg.NetBSD.org/src/rev/d3d77c10a99c
branches: trunk
changeset: 481431:d3d77c10a99c
user: itojun <itojun%NetBSD.org@localhost>
date: Mon Jan 31 10:33:22 2000 +0000
description:
be proactive about malicious packets on the wire. we fear that a v4 mapped
address could be used as a tool to hose security filters (like bypassing a
"local host only" filter by using ::ffff:127.0.0.1).
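An added example, not part of this commit or of the NetBSD sources: a user-space C program that applies the same address-class test the patch adds to ip6_input.c and route6.c, using the standard <netinet/in.h> macros IN6_IS_ADDR_V4MAPPED, IN6_IS_ADDR_V4COMPAT and IN6_IS_ADDR_UNSPECIFIED. The enum, the function names (check_wire_addr, naive_local_only_allows, hardened_local_only_allows and their string front-ends) and the sample addresses are constructed for this example. naive_local_only_allows models the "local host only" filter the commit message is worried about: it unwraps an IPv4-mapped source to its embedded IPv4 address, so ::ffff:127.0.0.1 passes as if it were 127.0.0.1. hardened_local_only_allows puts the new input check in front of the same filter, so the packet is dropped before the filter ever sees it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of the wire-address check (names constructed for this example). */
enum ip6_addr_verdict {
    IP6_ADDR_OK = 0,
    IP6_ADDR_REJECT_V4MAPPED,    /* ::ffff:a.b.c.d */
    IP6_ADDR_REJECT_V4COMPAT,    /* ::a.b.c.d, the deprecated compat form */
    IP6_ADDR_REJECT_UNSPECIFIED  /* :: */
};

/*
 * The same classification the patch adds in ip6_input.c and route6.c, built
 * on the standard <netinet/in.h> macros. IPv4-mapped and IPv4-compatible
 * forms are internal representations of IPv4 peers; none of these should
 * appear as a source, destination or routing-header hop in a real packet.
 */
enum ip6_addr_verdict check_wire_addr(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_V4MAPPED(a))
        return IP6_ADDR_REJECT_V4MAPPED;
    if (IN6_IS_ADDR_V4COMPAT(a))
        return IP6_ADDR_REJECT_V4COMPAT;
    if (IN6_IS_ADDR_UNSPECIFIED(a))
        return IP6_ADDR_REJECT_UNSPECIFIED;
    return IP6_ADDR_OK;
}

/*
 * A "local host only" filter of the kind the commit message worries about:
 * it unwraps an IPv4-mapped source to the embedded IPv4 address, so an IPv6
 * header carrying ::ffff:127.0.0.1 is accepted as if it came from 127.0.0.1.
 */
int naive_local_only_allows(const struct in6_addr *src)
{
    if (IN6_IS_ADDR_V4MAPPED(src)) {
        struct in_addr v4;
        memcpy(&v4, &src->s6_addr[12], sizeof v4); /* last 4 bytes */
        return ntohl(v4.s_addr) == INADDR_LOOPBACK;
    }
    return IN6_IS_ADDR_LOOPBACK(src) ? 1 : 0;
}

/* The same filter behind the input check: mapped/compat never reach it. */
int hardened_local_only_allows(const struct in6_addr *src)
{
    if (check_wire_addr(src) != IP6_ADDR_OK)
        return 0;
    return naive_local_only_allows(src);
}

/* Text front-ends for the checks above; -1 means the text did not parse. */
int check_wire_addr_str(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    return (int)check_wire_addr(&a);
}

int filter_allows_str(const char *text, int hardened)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    return hardened ? hardened_local_only_allows(&a)
                    : naive_local_only_allows(&a);
}

int main(void)
{
    /* Constructed sample source addresses. */
    const char *samples[] = {
        "::1", "::ffff:127.0.0.1", "::127.0.0.1", "::", "2001:db8::1"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-17s verdict=%d naive=%d hardened=%d\n", samples[i],
               check_wire_addr_str(samples[i]),
               filter_allows_str(samples[i], 0),
               filter_allows_str(samples[i], 1));
    return 0;
}
```

The point of the two filters side by side is that the naive one is not wrong in isolation: mapping ::ffff:a.b.c.d back to a.b.c.d is exactly what a dual-stack socket layer does for its own IPv4 peers. The hole is that this mapping was never meant to be driven by bytes arriving in an IPv6 header, which is why the patch rejects those addresses at input rather than auditing every later consumer.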
diffstat:
sys/netinet6/ip6_input.c | 25 ++++++++++++++++++++++++-
sys/netinet6/route6.c | 19 +++++++++++++++++--
2 files changed, 41 insertions(+), 3 deletions(-)
diffs (73 lines):
diff -r be0bd803ee69 -r d3d77c10a99c sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Mon Jan 31 10:23:03 2000 +0000
+++ b/sys/netinet6/ip6_input.c Mon Jan 31 10:33:22 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.12 2000/01/06 15:46:09 itojun Exp $ */
+/* $NetBSD: ip6_input.c,v 1.13 2000/01/31 10:33:22 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -325,6 +325,29 @@
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
goto bad;
}
+ /*
+ * The following check is not documented in the spec. Malicious party
+ * may be able to use IPv4 mapped addr to confuse tcp/udp stack and
+ * bypass security checks (act as if it was from 127.0.0.1 by using
+ * IPv6 src ::ffff:127.0.0.1). Be cautious.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ ip6stat.ip6s_badscope++;
+ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+#if 1
+ /*
+ * We don't support it, so it is strange to get this.
+ */
+ if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
+ ip6stat.ip6s_badscope++;
+ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
+ goto bad;
+ }
+#endif
if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
if (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) {
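Review bot: the `#if 1` / `#endif` wrapped around the IPv4-compatible check (the lines from `+#if 1` to `+#endif`) adds nothing but noise; either drop the conditional or turn it into a named option with a comment saying when it is meant to be switched off. In the same block, the comment `We don't support it, so it is strange to get this.` should say what "it" is, since a reader of the rejection code path cannot tell whether it means IPv4-compatible addresses in general or a specific use of them. Counting both rejections as `ip6s_badscope` plus `ifs6_in_addrerr` is consistent with the loopback check that follows, so that part reads fine.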
diff -r be0bd803ee69 -r d3d77c10a99c sys/netinet6/route6.c
--- a/sys/netinet6/route6.c Mon Jan 31 10:23:03 2000 +0000
+++ b/sys/netinet6/route6.c Mon Jan 31 10:33:22 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: route6.c,v 1.4 1999/12/13 15:17:24 itojun Exp $ */
+/* $NetBSD: route6.c,v 1.5 2000/01/31 10:33:23 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -141,8 +141,23 @@
rh0->ip6r0_segleft--;
nextaddr = rh0->ip6r0_addr + index;
+ /*
+ * reject invalid addresses. be proactive about malicious use of
+ * IPv4 mapped/compat address.
+ * XXX need more checks?
+ */
if (IN6_IS_ADDR_MULTICAST(nextaddr) ||
- IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
+ IN6_IS_ADDR_UNSPECIFIED(nextaddr) ||
+ IN6_IS_ADDR_V4MAPPED(nextaddr) ||
+ IN6_IS_ADDR_V4COMPAT(nextaddr)) {
+ ip6stat.ip6s_badoptions++;
+ m_freem(m);
+ return(-1);
+ }
+ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
+ IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) ||
+ IN6_IS_ADDR_V4COMPAT(nextaddr)) {
ip6stat.ip6s_badoptions++;
m_freem(m);
return(-1);
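Review bot: the last condition of the second `if` block tests `nextaddr` instead of `&ip6->ip6_dst` (the line `+ IN6_IS_ADDR_V4COMPAT(nextaddr)) {`), which looks like a copy-and-paste slip: `nextaddr` has already been rejected for V4COMPAT in the block just above, so this test is dead, and an IPv4-compatible `ip6_dst` slips through while an IPv4-mapped `ip6_dst` is rejected. Suggest `IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {`. Folding both blocks into one helper that takes an address would keep the two lists of rejected address classes from drifting apart like this; it would also be a natural place to answer the `XXX need more checks?` in the comment, given that this list does not include `IN6_IS_ADDR_LOOPBACK`, unlike the check in ip6_input.c.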