Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/udp_usrreq.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/udp_usrreq.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.53
retrieving revision 1.57
diff -u -p -r1.53 -r1.57
--- src/sys/netinet/udp_usrreq.c 1999/12/13 15:17:21 1.53
+++ src/sys/netinet/udp_usrreq.c 2000/01/31 10:39:26 1.57
@@ -1,4 +1,4 @@
-/* $NetBSD: udp_usrreq.c,v 1.53 1999/12/13 15:17:21 itojun Exp $ */
+/* $NetBSD: udp_usrreq.c,v 1.57 2000/01/31 10:39:26 itojun Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -155,6 +155,7 @@ udp_init()
 in_pcbinit(&udbtable, udbhashsize, udbhashsize);
 }
+#ifndef UDP6
 void
 #if __STDC__
 udp_input(struct mbuf *m, ...)
@@ -218,6 +219,10 @@ udp_input(m, va_alist)
 }
 #endif
+ /* destination port of 0 is illegal, based on RFC768. */
+ if (uh->uh_dport == 0)
+ goto bad;
+
 /*
 * Make mbuf data length reflect UDP length.
 * If not enough data to reflect UDP length, drop.
@@ -375,6 +380,17 @@ udp6_input(mp, offp, proto)
 goto bad;
 }
+ /* destination port of 0 is illegal, based on RFC768. */
+ if (uh->uh_dport == 0)
+ goto bad;
+
+ /* Be proactive about malicious use of IPv4 mapped address */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
+ IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
+ /* XXX stat */
+ goto bad;
+ }
+
 /*
 * Checksum extended UDP header and data.
 */
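Review bot: The new `uh->uh_dport == 0` drop in udp_input goes straight to `bad` with no statistics update, so an operator cannot tell from the UDP counters that such packets are arriving or being discarded; the identical checks added in udp6_input and in the UDP6 variant of udp_input have the same gap. The IPv4-mapped check added in udp6_input at least marks this with `/* XXX stat */`; I would do the same here or, better, bump a dedicated `udpstat` counter before `goto bad;`. The comment could also say that the packet is rejected before the length check that follows. udp_input starts before this hunk and the `bad` label is outside it.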
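Review bot: The comment on the IPv4-mapped check in udp6_input says only "be proactive" and does not tell a maintainer what the check protects against. I would spell out the intent, for example `/* v4-mapped src/dst is not expected on the wire; drop so it is never taken for an IPv4 peer */`, with the wording confirmed against the author's rationale. The `/* XXX stat */` placeholder means these drops are uncounted for now, which makes attempted misuse hard to notice in the protocol statistics, so a counter is worth adding alongside the check. The start of udp6_input and the `bad` label are outside this hunk.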
@@ -758,11 +774,25 @@ udp6_realinput(af, src, dst, m, off)
 && !in6_mcmatch(in6p, dst6, m->m_pkthdr.rcvif))
 continue;
 }
+#ifndef INET6_BINDV6ONLY
+ else {
+ if (IN6_IS_ADDR_V4MAPPED(dst6)
+ && (in6p->in6p_flags & IN6P_BINDV6ONLY))
+ continue;
+ }
+#endif
 if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->in6p_faddr)) {
 if (!IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, src6)
 || in6p->in6p_fport != *sport)
 continue;
 }
+#ifndef INET6_BINDV6ONLY
+ else {
+ if (IN6_IS_ADDR_V4MAPPED(src6)
+ && (in6p->in6p_flags & IN6P_BINDV6ONLY))
+ continue;
+ }
+#endif
 last = in6p;
 udp6_sendup(m, off, (struct sockaddr *)src,
@@ -852,7 +882,8 @@ bad:
 }
 #endif
-#if 0
+#else /*UDP6*/
+
 void
 #if __STDC__
 udp_input(struct mbuf *m, ...)
@@ -905,6 +936,10 @@ udp_input(m, va_alist)
 }
 uh = (struct udphdr *)((caddr_t)ip + iphlen);
+ /* destination port of 0 is illegal, based on RFC768. */
+ if (uh->uh_dport == 0)
+ goto bad;
+
 /*
 * Make mbuf data length reflect UDP length.
 * If not enough data to reflect UDP length, drop.
@@ -1123,7 +1158,7 @@ bad:
 if (opts)
 m_freem(opts);
 }
-#endif
+#endif /*UDP6*/
 /*
 * Notify a udp user of an asynchronous error;
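Review bot: The two added `else { ... }` arms in udp6_realinput hang off the preceding `if` blocks from inside `#ifndef INET6_BINDV6ONLY`, which is easy to break when either `if` is later edited, and neither arm says what it enforces. A short comment on each would help, for example `/* wildcard local address: a v6-only socket must not receive v4-mapped traffic */` on the first, if that reading of the condition is right. The arms also read more plainly as `else if (IN6_IS_ADDR_V4MAPPED(dst6) && (in6p->in6p_flags & IN6P_BINDV6ONLY))` followed by `continue;`. The enclosing loop and the opening of the first `if` are outside this hunk.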
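Review bot: Turning `#if 0` into `#else /*UDP6*/` makes the second udp_input live whenever UDP6 is defined, so the file now has two input paths that must each receive every validation change by hand; this commit already had to add the port-0 test to both. I would record that at the boundary with a comment such as `/* UDP6: alternate udp_input; keep input validation in sync with the !UDP6 version above */`. The body of this udp_input continues outside the hunk.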