Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.250.4.1 retrieving revision 1.254.4.3 diff -u -p -r1.250.4.1 -r1.254.4.3 --- src/sys/netinet/ip_input.c 2007/08/16 11:03:46 1.250.4.1 +++ src/sys/netinet/ip_input.c 2007/12/27 00:46:29 1.254.4.3 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.250.4.1 2007/08/16 11:03:46 jmcneill Exp $ */ +/* $NetBSD: ip_input.c,v 1.254.4.3 2007/12/27 00:46:29 mjf Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -98,7 +98,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.250.4.1 2007/08/16 11:03:46 jmcneill Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.254.4.3 2007/12/27 00:46:29 mjf Exp $"); #include "opt_inet.h" #include "opt_gateway.h" @@ -469,7 +469,6 @@ ipintr(void) splx(s); if (m == 0) return; - MCLAIM(m, &ip_rx_mowner); ip_input(m); } } @@ -897,7 +896,18 @@ ours: * but it's not worth the time; just let them time out.) */ if (ip->ip_off & ~htons(IP_DF|IP_RF)) { - + uint16_t off; + /* + * Prevent TCP blind data attacks by not allowing non-initial + * fragments to start at less than 68 bytes (minimal fragment + * size) and making sure the first fragment is at least 68 + * bytes. + */ + off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3; + if ((off > 0 ? off + hlen : len) < IP_MINFRAGSIZE - 1) { + ipstat.ips_badfrags++; + goto bad; + } /* * Look for queue of fragments * of this datagram. @@ -908,9 +918,17 @@ ours: if (ip->ip_id == fp->ipq_id && in_hosteq(ip->ip_src, fp->ipq_src) && in_hosteq(ip->ip_dst, fp->ipq_dst) && - ip->ip_p == fp->ipq_p) + ip->ip_p == fp->ipq_p) { + /* + * Make sure the TOS is matches previous + * fragments. + */ + if (ip->ip_tos != fp->ipq_tos) { + ipstat.ips_badfrags++; + goto bad; + } goto found; - + } } fp = 0; found: @@ -1013,7 +1031,6 @@ found: /* XXX error stat??? */ error = EINVAL; DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - goto bad; } splx(s); if (error) @@ -1107,6 +1124,7 @@ ip_reass(struct ipqent *ipqe, struct ipq fp->ipq_ttl = IPFRAGTTL; fp->ipq_p = ipqe->ipqe_ip->ip_p; fp->ipq_id = ipqe->ipqe_ip->ip_id; + fp->ipq_tos = ipqe->ipqe_ip->ip_tos; TAILQ_INIT(&fp->ipq_fragq); fp->ipq_src = ipqe->ipqe_ip->ip_src; fp->ipq_dst = ipqe->ipqe_ip->ip_dst; @@ -1777,39 +1795,16 @@ ip_srcroute(void) return (m); } -/* - * Strip out IP options, at higher - * level protocol in the kernel. - * Second argument is buffer to which options - * will be moved, and return value is their length. - * XXX should be deleted; last arg currently ignored. - */ -void -ip_stripoptions(struct mbuf *m, struct mbuf *mopt) -{ - int i; - struct ip *ip = mtod(m, struct ip *); - void *opts; - int olen; - - olen = (ip->ip_hl << 2) - sizeof (struct ip); - opts = (void *)(ip + 1); - i = m->m_len - (sizeof (struct ip) + olen); - memmove(opts, (char *)opts + olen, (unsigned)i); - m->m_len -= olen; - if (m->m_flags & M_PKTHDR) - m->m_pkthdr.len -= olen; - ip->ip_len = htons(ntohs(ip->ip_len) - olen); - ip->ip_hl = sizeof (struct ip) >> 2; -} - const int inetctlerrmap[PRC_NCMDS] = { - 0, 0, 0, 0, - 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, - EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, - EMSGSIZE, EHOSTUNREACH, 0, 0, - 0, 0, 0, 0, - ENOPROTOOPT + [PRC_MSGSIZE] = EMSGSIZE, + [PRC_HOSTDEAD] = EHOSTDOWN, + [PRC_HOSTUNREACH] = EHOSTUNREACH, + [PRC_UNREACH_NET] = EHOSTUNREACH, + [PRC_UNREACH_HOST] = EHOSTUNREACH, + [PRC_UNREACH_PROTOCOL] = ECONNREFUSED, + [PRC_UNREACH_PORT] = ECONNREFUSED, + [PRC_UNREACH_SRCFAIL] = EHOSTUNREACH, + [PRC_PARAMPROB] = ENOPROTOOPT, }; /* @@ -1959,8 +1954,8 @@ ip_forward(struct mbuf *m, int srcrt) type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; #if !defined(IPSEC) && !defined(FAST_IPSEC) - if (ipforward_rt.ro_rt != NULL) - destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu; + if ((rt = rtcache_getrt(&ipforward_rt)) != NULL) + destmtu = rt->rt_ifp->if_mtu; #else /* * If the packet is routed over IPsec tunnel, tell the @@ -1968,7 +1963,7 @@ ip_forward(struct mbuf *m, int srcrt) * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz * XXX quickhack!!! */ - if (ipforward_rt.ro_rt != NULL) { + if ((rt = rtcache_getrt(&ipforward_rt)) != NULL) { struct secpolicy *sp; int ipsecerror; size_t ipsechdr; @@ -1979,7 +1974,7 @@ ip_forward(struct mbuf *m, int srcrt) &ipsecerror); if (sp == NULL) - destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu; + destmtu = rt->rt_ifp->if_mtu; else { /* count IPsec header size */ ipsechdr = ipsec4_hdrsiz(mcopy, @@ -1994,11 +1989,11 @@ ip_forward(struct mbuf *m, int srcrt) && sp->req->sav != NULL && sp->req->sav->sah != NULL) { ro = &sp->req->sav->sah->sa_route; - if (ro->ro_rt && ro->ro_rt->rt_ifp) { + if (rt && rt->rt_ifp) { destmtu = - ro->ro_rt->rt_rmx.rmx_mtu ? - ro->ro_rt->rt_rmx.rmx_mtu : - ro->ro_rt->rt_ifp->if_mtu; + rt->rt_rmx.rmx_mtu ? + rt->rt_rmx.rmx_mtu : + rt->rt_ifp->if_mtu; destmtu -= ipsechdr; } } @@ -2079,8 +2074,11 @@ ip_savecontrol(struct inpcb *inp, struct if (inp->inp_flags & INP_RECVIF) { struct sockaddr_dl sdl; - sockaddr_dl_init(&sdl, (m->m_pkthdr.rcvif != NULL) ? - m->m_pkthdr.rcvif->if_index : 0, 0, NULL, 0, NULL, 0); + sockaddr_dl_init(&sdl, sizeof(sdl), + (m->m_pkthdr.rcvif != NULL) + ? m->m_pkthdr.rcvif->if_index + : 0, + 0, NULL, 0, NULL, 0); *mp = sbcreatecontrol(&sdl, sdl.sdl_len, IP_RECVIF, IPPROTO_IP); if (*mp) mp = &(*mp)->m_next;