Source-Changes-HG archive
[src/trunk]: src/sys/netinet be proactive about unspecified IPv6 source addre...
details: https://anonhg.NetBSD.org/src/rev/0df08ccb6c5b
branches: trunk
changeset: 495384:0df08ccb6c5b
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Jul 27 06:18:13 2000 +0000
description:
be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmits TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
    local address = my address
    remote address = :: (meaning "unconnected")
    state = SYN_RCVD
  note that SYN ACK will not be sent due to ip6_output() filter.
  this stays until it times out.
- the TCP control block prevents listening TCP control block from
  being contacted (DoS).
udp6/raw6 socket may have a similar problem, but as they are connectionless,
it may be too much to filter it out.
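The scenario above, as an added user-space model that is not code from the NetBSD tree: it applies the three header checks the log and the patch mention (unspecified destination, which ip6_input() drops; multicast destination, the existing tcp_input() check; unspecified source, the check this commit adds) to a constructed 40-byte IPv6 header and counts each verdict, filling in the statistics slot the patch leaves as an XXX. `struct ip6_hdr`, `IN6_IS_ADDR_UNSPECIFIED` and `IN6_IS_ADDR_MULTICAST` are the standard `<netinet/ip6.h>`/`<netinet/in.h>` definitions; the verdict names, `filter_stats`, `build_ipv6_header` and `classify` are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts in the order the kernel layers would reach them:
 * ip6_input() rejects an unspecified destination, tcp_input() rejects a
 * multicast destination and, after this commit, an unspecified source.
 * (Names are this example's own, not kernel identifiers.) */
enum verdict {
    ACCEPT = 0,
    DROP_TRUNCATED,
    DROP_UNSPEC_DST,   /* already dropped in ip6_input() per the patch comment */
    DROP_MCAST_DST,    /* the existing tcp_input() destination check */
    DROP_UNSPEC_SRC    /* the check this commit adds */
};

/* Per-verdict counters: the "XXX stat" the hunk leaves as a TODO. */
struct filter_stats { unsigned long n[DROP_UNSPEC_SRC + 1]; };

/* Inspect the fixed IPv6 header of a raw packet and decide whether a TCP
 * listener should ever see it. Every verdict is counted in st. */
enum verdict filter_ipv6_tcp_input(const uint8_t *pkt, size_t len,
                                   struct filter_stats *st)
{
    struct ip6_hdr ip6;
    enum verdict v;

    if (len < sizeof ip6) {
        v = DROP_TRUNCATED;
    } else {
        memcpy(&ip6, pkt, sizeof ip6);   /* copy out to avoid unaligned access */
        if (IN6_IS_ADDR_UNSPECIFIED(&ip6.ip6_dst))
            v = DROP_UNSPEC_DST;
        else if (IN6_IS_ADDR_MULTICAST(&ip6.ip6_dst))
            v = DROP_MCAST_DST;
        else if (IN6_IS_ADDR_UNSPECIFIED(&ip6.ip6_src))
            v = DROP_UNSPEC_SRC;         /* a :: source would confuse the pcb lookup */
        else
            v = ACCEPT;
    }
    st->n[v]++;
    return v;
}

/* Build a constructed IPv6 header (no TCP payload is needed for these checks).
 * Returns the number of bytes written, 0 on error. */
size_t build_ipv6_header(uint8_t *buf, size_t buflen,
                         const char *src, const char *dst)
{
    struct ip6_hdr ip6;
    if (buflen < sizeof ip6) return 0;
    memset(&ip6, 0, sizeof ip6);
    ip6.ip6_flow = htonl(6u << 28);     /* version 6, traffic class 0, flow label 0 */
    ip6.ip6_plen = htons(20);           /* claims a bare TCP header; not parsed here */
    ip6.ip6_nxt = IPPROTO_TCP;
    ip6.ip6_hlim = 64;
    if (inet_pton(AF_INET6, src, &ip6.ip6_src) != 1) return 0;
    if (inet_pton(AF_INET6, dst, &ip6.ip6_dst) != 1) return 0;
    memcpy(buf, &ip6, sizeof ip6);
    return sizeof ip6;
}

/* Convenience wrapper: classify a (src, dst) pair given as text. */
enum verdict classify(const char *src, const char *dst, struct filter_stats *st)
{
    uint8_t buf[64];
    size_t n = build_ipv6_header(buf, sizeof buf, src, dst);
    return filter_ipv6_tcp_input(buf, n, st);
}

int main(void)
{
    struct filter_stats st = {{0}};
    /* Constructed sample packets; 2001:db8::/32 is the documentation prefix. */
    static const char *cases[][2] = {
        { "2001:db8::1", "2001:db8::2" },  /* ordinary SYN: accepted */
        { "::",          "2001:db8::2" },  /* the case in the commit log: dropped */
        { "2001:db8::1", "ff02::1"     },  /* multicast destination: dropped */
        { "2001:db8::1", "::"          },  /* unspecified destination: ip6_input drops */
    };
    static const char *names[] = { "accept", "truncated", "unspec dst",
                                   "mcast dst", "unspec src" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s -> %-12s : %s\n", cases[i][0], cases[i][1],
               names[classify(cases[i][0], cases[i][1], &st)]);
    printf("unspecified-source drops counted: %lu\n", st.n[DROP_UNSPEC_SRC]);
    return 0;
}
```

The counter is the practical point: a drop that is not counted leaves no trace that anyone tried the SYN-from-:: pattern, whereas a per-verdict counter makes the attempt visible in statistics output.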
diffstat:
sys/netinet/tcp_input.c | 15 ++++++++++++++-
1 files changed, 14 insertions(+), 1 deletions(-)
diffs (29 lines):
diff -r 7323aaaaa188 -r 0df08ccb6c5b sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c Thu Jul 27 05:01:06 2000 +0000
+++ b/sys/netinet/tcp_input.c Thu Jul 27 06:18:13 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.114 2000/07/23 05:00:01 itojun Exp $ */
+/* $NetBSD: tcp_input.c,v 1.115 2000/07/27 06:18:13 itojun Exp $ */
/*
%%% portions-copyright-nrl-95
@@ -689,6 +689,19 @@
}
/*
+ * Be proactive about unspecified IPv6 address in source.
+ * As we use all-zero to indicate unbounded/unconnected pcb,
+ * unspecified IPv6 address can be used to confuse us.
+ *
+ * Note that packets with unspecified IPv6 destination is
+ * already dropped in ip6_input.
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
+ /* XXX stat */
+ goto drop;
+ }
+
+ /*
* Make sure destination address is not multicast.
* Source address checked in ip6_input().
*/
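Review bot: the `/* XXX stat */` in the new `IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)` branch means this drop is not counted, so the SYN-from-:: case described in the log leaves no trace in the TCP statistics; bump a drop counter before `goto drop` rather than leaving it as a TODO. Two smaller points in the same hunk: the comment "packets with unspecified IPv6 destination is already dropped" should read "are already dropped", and the existing comment that follows, "Source address checked in ip6_input().", is now only partly true since the unspecified-source check lives here; it should say which source checks are done where.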