

[src/trunk]: src/sys Remove the IN6_IS_ADDR_V4MAPPED checks in the protocol f...



details:   https://anonhg.NetBSD.org/src/rev/91e499e46657
branches:  trunk
changeset: 829690:91e499e46657
user:      maxv <maxv%NetBSD.org@localhost>
date:      Thu Feb 08 19:58:05 2018 +0000

description:
Remove the IN6_IS_ADDR_V4MAPPED checks in the protocol functions. They
are useless, because the IPv6 entry point (ip6_input) already performs
them.

The checks were first added in the protocol functions:

        Wed Dec 22 04:03:02 1999 UTC (18 years, 1 month ago) by itojun

"drop IPv6 packets with v4 mapped address on src/dst.  they are illegal
and may be used to fool IPv6 implementations (by using ::ffff:127.0.0.1 as
source you may be able to pretend the packet is from local node)"

Shortly afterwards they were also added in the IPv6 entry point, but
were not removed from the protocol functions:

        Mon Jan 31 10:33:22 2000 UTC (18 years ago) by itojun

"be proactive about malicious packet on the wire.  we fear that v4 mapped
address to be used as a tool to hose security filters (like bypassing
"local host only" filter by using ::ffff:127.0.0.1)."

OpenBSD did the same a few months ago. FreeBSD has never had these checks.

diffstat:

 sys/netinet/tcp_input.c    |  11 ++---------
 sys/netinet6/raw_ip6.c     |  12 ++----------
 sys/netinet6/udp6_usrreq.c |  11 ++---------
 3 files changed, 6 insertions(+), 28 deletions(-)

diffs (97 lines):

diff -r 796dc78328cf -r 91e499e46657 sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c   Thu Feb 08 19:38:21 2018 +0000
+++ b/sys/netinet/tcp_input.c   Thu Feb 08 19:58:05 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $     */
+/*     $NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $     */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1312,13 +1312,6 @@
                        return;
                }
 
-               /* Be proactive about malicious use of IPv4 mapped address */
-               if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-                   IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-                       /* XXX stat */
-                       goto drop;
-               }
-
                /*
                 * Be proactive about unspecified IPv6 address in source.
                 * As we use all-zero to indicate unbounded/unconnected pcb,
diff -r 796dc78328cf -r 91e499e46657 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c    Thu Feb 08 19:38:21 2018 +0000
+++ b/sys/netinet6/raw_ip6.c    Thu Feb 08 19:58:05 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $       */
+/*     $NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $       */
 /*     $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $        */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -162,14 +162,6 @@
        }
 #endif
 
-       /* Be proactive about malicious use of IPv4 mapped address */
-       if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-           IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-               /* XXX stat */
-               m_freem(m);
-               return IPPROTO_DONE;
-       }
-
        sockaddr_in6_init(&rip6src, &ip6->ip6_src, 0, 0, 0);
        if (sa6_recoverscope(&rip6src) != 0) {
                /* XXX: should be impossible. */
diff -r 796dc78328cf -r 91e499e46657 sys/netinet6/udp6_usrreq.c
--- a/sys/netinet6/udp6_usrreq.c        Thu Feb 08 19:38:21 2018 +0000
+++ b/sys/netinet6/udp6_usrreq.c        Thu Feb 08 19:58:05 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $ */
+/* $NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $ */
 /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
 /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
 
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -612,13 +612,6 @@
        if (uh->uh_dport == 0)
                goto bad;
 
-       /* Be proactive about malicious use of IPv4 mapped address */
-       if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-           IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-               /* XXX stat */
-               goto bad;
-       }
-
        /*
         * Checksum extended UDP header and data.  Maybe skip checksum
         * on loopback interfaces.


