Submitted by: Archie cobbs (IPDIVERT author)

close small security hole where an atacker could sendpackets with IPDIVERT protocol, and select how it would be diverted thus bypassing the ipfirewall. Discovered by inspection rather than attack. (you'd have to know how the firewall was configured (EXACTLY) to make use of this but..)
svn path=/head/; revision=31163
2024-12-01 21:33:04 +00:00 · 1997-11-13 22:57:57 +00:00 · 1997-11-13 22:57:57 +00:00 · 79755dc52b · 2020-12-20 02:59:44 +00:00
commit 79755dc52b
parent 9fecb4e63f
1 changed files with 7 additions and 1 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.70 1997/11/05 02:51:32 julian Exp $
+ * $Id: ip_input.c,v 1.71 1997/11/05 20:17:21 joerg Exp $
 *	$ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $
 */

@ -577,6 +577,12 @@ found:
 		(*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, hlen);
 		return;
 	}
+
+	/* Don't let packets divert themselves */
+	if (ip->ip_p == IPPROTO_DIVERT) {
+		ipstat.ips_noproto++;
+		goto bad;
+	}
 #endif

 	/*