Author: gnn
Date: Wed Jan 12 19:11:17 2011
New Revision: 217315
URL: http://svn.freebsd.org/changeset/base/217315
Log:
Fix several bugs in the ARP code related to improperly formatted
packets.
*) Reject requests with a protocol length not equal to 4. This is IPv4
and there is no reason to accept anything else.
*) Reject packets that have a multicast source hardware address.
*) Drop requests where the hardware address length is not equal
to the hardware address length of the interface.
Pointed out by: Rozhuk Ivan
MFC after: 1 week
Modified:
head/sys/netinet/if_ether.c
Modified: head/sys/netinet/if_ether.c
==============================================================================
--- head/sys/netinet/if_ether.c Wed Jan 12 19:06:59 2011 (r217314)
+++ head/sys/netinet/if_ether.c Wed Jan 12 19:11:17 2011 (r217315)
@@ -531,6 +531,21 @@ in_arpinput(struct mbuf *m)
}
ah = mtod(m, struct arphdr *);
+ /*
+ * ARP is only for IPv4 so we can reject packets with
+ * a protocol length not equal to an IPv4 address.
+ */
+ if (ah->ar_pln != sizeof(struct in_addr)) {
+ log(LOG_ERR, "in_arp: requested protocol length != %ld\n",
+ sizeof(struct in_addr));
+ return;
+ }
+
+ if (ETHER_IS_MULTICAST(ar_sha(ah))) {
+ log(LOG_ERR, "in_arp: source hardware address is multicast.");
+ return;
+ }
+
op = ntohs(ah->ar_op);
(void)memcpy(&isaddr, ar_spa(ah), sizeof (isaddr));
(void)memcpy(&itaddr, ar_tpa(ah), sizeof (itaddr));
@@ -702,7 +717,7 @@ match:
"arp from %*D: addr len: new %d, i/f %d (ignored)",
ifp->if_addrlen, (u_char *) ar_sha(ah), ":",
ah->ar_hln, ifp->if_addrlen);
- goto reply;
+ goto drop;
}
(void)memcpy(&la->ll_addr, ar_sha(ah), ifp->if_addrlen);
la->la_flags |= LLE_VALID;
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
