drop packets with more than 1 routing headers.

from claudio@openbsd
kame · May 3, 2007 · 7a346f7 · 7a346f7
1 parent ea41c03
commit 7a346f7
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/kame/sys/netinet6/ip6_input.c b/kame/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*	$KAME: ip6_input.c,v 1.370 2007/04/08 17:04:31 jinmei Exp $	*/
+/*	$KAME: ip6_input.c,v 1.371 2007/05/03 22:07:39 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -375,7 +375,7 @@ ip6_input(m)
 	int off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
-	int nxt, ours = 0;
+	int nxt, ours = 0, rh_present = 0;
 	struct ifnet *deliverifp = NULL;
 #if 0
 	struct mbuf *mhist;	/* onion peeling history */
@@ -1056,9 +1056,11 @@ ip6_input(m)
 	in6_ifstat_inc(deliverifp, ifs6_in_deliver);
 	nest = 0;
 
+	rh_present = 0;
 	while (nxt != IPPROTO_DONE) {
 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
 			ip6stat.ip6s_toomanyhdr++;
+			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
 			goto bad;
 		}
 
@@ -1088,6 +1090,15 @@ ip6_input(m)
 		}
 #endif
 
+		if (nxt == IPPROTO_ROUTING) {
+			if (rh_present++) {
+				in6_ifstat_inc(m->m_pkthdr.rcvif,
+				    ifs6_in_hdrerr);
+				ip6stat.ip6s_badoptions++;
+				goto bad;
+			}
+		}
+
 #if defined(IPSEC) && !defined(__OpenBSD__)
 		/*
 		 * enforce IPsec policy checking if we are seeing last header.