added stricter validation on source address (for reference purpose only)
jinmei committed Oct 3, 2008
1 parent f5f9627 commit 7170935
Showing 2 changed files with 37 additions and 4 deletions.
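--- a/kame/sys/netinet6/nd6_nbr.c
+++ b/kame/sys/netinet6/nd6_nbr.c
@@ -1,4 +1,4 @@
-/* $KAME: nd6_nbr.c,v 1.174 2007/06/14 12:09:44 itojun Exp $ */
+/* $KAME: nd6_nbr.c,v 1.175 2008/10/03 22:40:16 jinmei Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -184,6 +184,25 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)
 "(wrong ip6 dst)\n"));
 goto bad;
 }
+} else {
+struct sockaddr_in6 src_sa6;
+
+/*
+* According to recent IETF discussions, it's not a good idea
+* to accept an NS from an address which would not be deemed
+* to be a neighbor otherwise. This point is expected to be
+* clarified in future revisions of the specification.
+*/
+
+bzero(&src_sa6, sizeof(src_sa6));
+src_sa6.sin6_family = AF_INET6;
+src_sa6.sin6_len = sizeof(src_sa6);
+src_sa6.sin6_addr = saddr6;
+if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+nd6log((LOG_INFO, "nd6_ns_input: "
+"NS packet from non-neighbor\n"));
+goto bad;
+}
 }
 
 if (IN6_IS_ADDR_MULTICAST(&taddr6)) {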
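Review bot: In the added else branch of nd6_ns_input(), `src_sa6` is zeroed and only the family, length and address are filled in, so `sin6_scope_id` is still 0 when it is passed to `nd6_is_addr_neighbor(&src_sa6, ifp)`. An NS usually comes from a link-local source, so the outcome depends on how that helper (outside this hunk) resolves the zone of such an address against `ifp`; if it relies on `sin6_scope_id`, the check could reject legitimate neighbors or fail to bind the source to the receiving interface. I would record the assumption next to the assignment, e.g. `/* XXX: relies on nd6_is_addr_neighbor() resolving the zone of saddr6 against ifp; sin6_scope_id is left 0 */`. The same construction is repeated in nd6_rs_input() in nd6_rtr.c, so a small shared helper taking `(const struct in6_addr *, struct ifnet *)` would keep the two checks from drifting apart. The enclosing function starts and ends outside the hunk.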
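--- a/kame/sys/netinet6/nd6_rtr.c
+++ b/kame/sys/netinet6/nd6_rtr.c
@@ -1,4 +1,4 @@
-/* $KAME: nd6_rtr.c,v 1.282 2007/06/14 12:09:44 itojun Exp $ */
+/* $KAME: nd6_rtr.c,v 1.283 2008/10/03 22:40:16 jinmei Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -162,11 +162,25 @@ nd6_rs_input(struct mbuf *m, int off, int icmp6len)
 }
 
 /*
-* Don't update the neighbor cache, if src = ::.
-* This indicates that the src has no IP address assigned yet.
+* Don't update the neighbor cache, if src = :: or a non-neighbor.
+* The former case indicates that the src has no IP address assigned
+* yet. See nd6_ns_input() for the latter case.
 */
 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src))
 goto freeit;
+else {
+struct sockaddr_in6 src_sa6;
+
+bzero(&src_sa6, sizeof(src_sa6));
+src_sa6.sin6_family = AF_INET6;
+src_sa6.sin6_len = sizeof(src_sa6);
+src_sa6.sin6_addr = ip6->ip6_src;
+if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+nd6log((LOG_INFO, "nd6_rs_input: "
+"RS packet from non-neighbor\n"));
+goto freeit;
+}
+}
 
 #ifndef PULLDOWN_TEST
 IP6_EXTHDR_CHECK(m, off, icmp6len,);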
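Review bot: The new non-neighbor drop in nd6_rs_input() leaves through `freeit`, the same exit as the benign unspecified-source case, whereas the matching check in nd6_ns_input() uses `goto bad`. If `freeit` (outside this hunk) only releases the mbuf, a rejected RS is not counted as an error, and the log line names no sender, so solicitations with an off-link source are hard to notice or triage. Consider `goto bad;` if this function has an error exit that counts rejected RS packets, and include the source in the message, e.g. `"RS packet from non-neighbor %s\n", ip6_sprintf(&ip6->ip6_src)`. The function body continues outside the hunk.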
