[src/trunk]: src/sys/netinet6 Perform the IP (src/dst) checks _before_ callin...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/c25af56b0d2d
branches:  trunk
changeset: 830979:c25af56b0d2d
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Mar 06 17:39:36 2018 +0000

description:
Perform the IP (src/dst) checks _before_ calling the packet filter, because
if the filter has a "return-icmp" rule it may call icmp6_error with an src
field that was not entirely validated.

diffstat:

 sys/netinet6/ip6_input.c |  100 +++++++++++++++++++++++-----------------------
 1 files changed, 50 insertions(+), 50 deletions(-)

diffs (128 lines):

diff -r 6bae8e43edcd -r c25af56b0d2d sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Tue Mar 06 17:24:57 2018 +0000
+++ b/sys/netinet6/ip6_input.c  Tue Mar 06 17:39:36 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $  */
+/*     $NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $     */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -321,6 +321,54 @@
        }
 
        /*
+        * Check against address spoofing/corruption.
+        */
+       if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
+           IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
+               /*
+                * XXX: "badscope" is not very suitable for a multicast source.
+                */
+               IP6_STATINC(IP6_STAT_BADSCOPE);
+               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+               goto bad;
+       }
+
+       /*
+        * The following check is not documented in specs.  A malicious
+        * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
+        * and bypass security checks (act as if it was from 127.0.0.1 by using
+        * IPv6 src ::ffff:127.0.0.1).  Be cautious.
+        *
+        * This check chokes if we are in an SIIT cloud.  As none of BSDs
+        * support IPv4-less kernel compilation, we cannot support SIIT
+        * environment at all.  So, it makes more sense for us to reject any
+        * malicious packets for non-SIIT environment, than try to do a
+        * partial support for SIIT environment.
+        */
+       if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+           IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+               IP6_STATINC(IP6_STAT_BADSCOPE);
+               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+               goto bad;
+       }
+
+#if 0
+       /*
+        * Reject packets with IPv4 compatible addresses (auto tunnel).
+        *
+        * The code forbids auto tunnel relay case in RFC1933 (the check is
+        * stronger than RFC1933).  We may want to re-enable it if mech-xx
+        * is revised to forbid relaying case.
+        */
+       if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
+           IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
+               IP6_STATINC(IP6_STAT_BADSCOPE);
+               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
+               goto bad;
+       }
+#endif
+
+       /*
         * Assume that we can create a fast-forward IP flow entry
         * based on this packet.
         */
@@ -369,54 +417,6 @@
 #endif
 
        /*
-        * Check against address spoofing/corruption.
-        */
-       if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
-           IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
-               /*
-                * XXX: "badscope" is not very suitable for a multicast source.
-                */
-               IP6_STATINC(IP6_STAT_BADSCOPE);
-               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
-               goto bad;
-       }
-
-       /*
-        * The following check is not documented in specs.  A malicious
-        * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
-        * and bypass security checks (act as if it was from 127.0.0.1 by using
-        * IPv6 src ::ffff:127.0.0.1).  Be cautious.
-        *
-        * This check chokes if we are in an SIIT cloud.  As none of BSDs
-        * support IPv4-less kernel compilation, we cannot support SIIT
-        * environment at all.  So, it makes more sense for us to reject any
-        * malicious packets for non-SIIT environment, than try to do a
-        * partial support for SIIT environment.
-        */
-       if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-           IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-               IP6_STATINC(IP6_STAT_BADSCOPE);
-               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
-               goto bad;
-       }
-
-#if 0
-       /*
-        * Reject packets with IPv4 compatible addresses (auto tunnel).
-        *
-        * The code forbids auto tunnel relay case in RFC1933 (the check is
-        * stronger than RFC1933).  We may want to re-enable it if mech-xx
-        * is revised to forbid relaying case.
-        */
-       if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
-           IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
-               IP6_STATINC(IP6_STAT_BADSCOPE);
-               in6_ifstat_inc(rcvif, ifs6_in_addrerr);
-               goto bad;
-       }
-#endif
-
-       /*
         * Disambiguate address scope zones (if there is ambiguity).
         * We first make sure that the original source or destination address
         * is not in our internal form for scoped addresses.  Such addresses