From owner-freebsd-bugs Fri Aug 22 19:10:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA15633 for bugs-outgoing; Fri, 22 Aug 1997 19:10:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA15626; Fri, 22 Aug 1997 19:10:02 -0700 (PDT)
Resent-Date: Fri, 22 Aug 1997 19:10:02 -0700 (PDT)
Resent-Message-Id: <199708230210.TAA15626@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, traister@mojozone.org
Received: from manta.mojozone.org (root@dfbfl1-6.gate.net [198.206.135.133]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA15389 for ; Fri, 22 Aug 1997 19:04:55 -0700 (PDT)
Received: (from traister@localhost) by manta.mojozone.org (8.8.7/8.8.7) id WAA00386; Fri, 22 Aug 1997 22:04:49 -0400 (EDT)
Message-Id: <199708230204.WAA00386@manta.mojozone.org>
Date: Fri, 22 Aug 1997 22:04:49 -0400 (EDT)
From: Joe Traister
Reply-To: traister@mojozone.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/4361: ICMP echo reply to broadcast cannot be turned off
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 4361
>Category: kern
>Synopsis: ICMP echo reply to broadcast cannot be turned off
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 22 19:10:01 PDT 1997
>Last-Modified:
>Originator: Joe Traister
>Organization: None
>Release: FreeBSD 2.2.2-RELEASE i386
>Environment: 2.2.2-RELEASE
>Description:
Due to a number of exploits becoming available to attack networks using ICMP echo requests to broadcast addresses, a simple way to defeat this is highly desirable. The patch below adds a sysctl variable (net.inet.icmp.broadecho) that controls whether or not the IP stack responds to ICMP echo requests to broadcast addresses of directly-connected interfaces. To comply with the IP spec, it defaults to 'yes'.
>How-To-Repeat:
ping the broadcast address of an ethernet with 2.2.2 boxes on it.
>Fix:
--- ip_icmp.c.dist Fri Sep 20 04:23:54 1996 +++ ip_icmp.c Fri Aug 22 21:17:48 1997 @@ -72,4 +72,8 @@ &icmpmaskrepl, 0, ""); +static int icmpbroadecho = 1; +SYSCTL_INT(_net_inet_icmp, ICMPCTL_BROADECHO, broadecho, CTLFLAG_RW, + &icmpbroadecho, 0, ""); + #ifdef ICMPPRINTFS int icmpprintfs = 0; @@ -373,4 +377,14 @@ case ICMP_ECHO: +#define satosin(sa) ((struct sockaddr_in *)(sa)) + if (!icmpbroadecho) { + for (ia = in_ifaddr; ia; ia = ia->ia_next) { + if (ia->ia_ifp && + (ia->ia_ifp->if_flags & IFF_BROADCAST) && + ip->ip_dst.s_addr == + satosin(&ia->ia_broadaddr)->sin_addr.s_addr) + goto freeit; + } + } icp->icmp_type = ICMP_ECHOREPLY; goto reflect;
@@ -387,5 +401,4 @@ case ICMP_MASKREQ: -#define satosin(sa) ((struct sockaddr_in *)(sa)) if (icmpmaskrepl == 0) break; --- icmp_var.h.dist Fri Aug 22 20:36:39 1997 +++ icmp_var.h Fri Aug 22 20:39:12 1997 @@ -62,5 +62,6 @@ #define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */ #define ICMPCTL_STATS 2 /* statistics (read-only) */ -#define ICMPCTL_MAXID 3 +#define ICMPCTL_BROADECHO 3 +#define ICMPCTL_MAXID 4 #define ICMPCTL_NAMES { \ @@ -68,4 +69,5 @@ { "maskrepl", CTLTYPE_INT }, \ { "stats", CTLTYPE_STRUCT }, \ + { "broadecho", CTLTYPE_INT }, \ } >Audit-Trail: >Unformatted:
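Review bot: The SYSCTL_INT description string for broadecho in the @@ -72,4 +72,8 @@ hunk of ip_icmp.c is empty; give it a one-line description such as "Reply to ICMP echo requests sent to broadcast addresses" and mention the new knob wherever the net.inet.icmp sysctls are documented, since an operator looking for a smurf mitigation will go to `sysctl -a` output first. The default of 1 matches the stated intent of staying spec-compliant out of the box.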
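Review bot: In the @@ -373,4 +377,14 @@ hunk the in_ifaddr scan only matches an interface's configured ia_broadaddr, so with broadecho=0 the host still answers echo requests sent to the limited broadcast address 255.255.255.255 and to multicast groups such as 224.0.0.1, both of which a flooder on or near the segment can use for the same amplification. icmp_input() already holds the mbuf, so testing `m->m_flags & (M_BCAST | M_MCAST)` (set by the link layer on broadcast and multicast frames) alongside the address comparison would cover those cases too. The drop should also bump an icmpstat counter rather than vanish silently through `goto freeit`, otherwise there is no way to see how often the new check fires.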
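Review bot: Moving the satosin() macro out of the ICMP_MASKREQ case (the @@ -387,5 +401,4 @@ hunk) into the ICMP_ECHO arm works only because both cases live in the same switch and ECHO now comes first; a #define inside a switch arm is fragile, so define it once at file scope near the other local definitions instead.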
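Review bot: ICMPCTL_BROADECHO in the @@ -62,5 +62,6 @@ hunk of icmp_var.h lacks the trailing comment its neighbours ICMPCTL_MASKREPL and ICMPCTL_STATS carry; add one along the lines of `/* reply to echo requests sent to broadcast addresses */`. Bumping ICMPCTL_MAXID to 4 and appending `{ "broadecho", CTLTYPE_INT }` at index 3 of ICMPCTL_NAMES in the following hunk is consistent, but note that anything compiled against the old header with a static copy of the name table has to be rebuilt before it sees the new entry.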
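The decision the PR describes (answer an echo request, or drop it because its destination is the broadcast address of a directly-connected interface) can be modelled in userland to see exactly which destinations the patch's in_ifaddr scan catches. The program below is an added example, not code from the PR or from FreeBSD: the interface table is constructed sample data, is_directed_broadcast() mirrors the patch's comparison against addr | ~mask on IFF_BROADCAST interfaces, and echo_reply_allowed() goes beyond the patch by also suppressing replies to the limited broadcast address and to multicast destinations.

```c
/*
 * Added example (not the PR's patch): userland model of the echo-reply
 * gate that kern/4361 adds to icmp_input(), extended to cover the limited
 * broadcast address and IPv4 multicast as well.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct iface {
    const char *name;
    uint32_t    addr;               /* interface address, host byte order */
    uint32_t    mask;               /* netmask, host byte order */
    int         broadcast_capable;  /* models IFF_BROADCAST */
};

/* Constructed sample interface table (hypothetical hosts, not from the PR). */
static const struct iface ifaces[] = {
    { "ed0",  0xC0A80105u, 0xFFFFFF00u, 1 },  /* 192.168.1.5/24, ethernet   */
    { "ed1",  0x0A000007u, 0xFFFF0000u, 1 },  /* 10.0.0.7/16,    ethernet   */
    { "ppp0", 0xC0A80202u, 0xFFFFFFFFu, 0 },  /* 192.168.2.2/32, point-to-point */
};
#define NIFACES (sizeof(ifaces) / sizeof(ifaces[0]))

/* Parse a dotted quad into host byte order; returns 0 on malformed input. */
uint32_t parse_ipv4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/*
 * The patch's test: dst equals the broadcast address (ia_broadaddr, i.e.
 * addr | ~mask) of a directly connected interface that has IFF_BROADCAST.
 * The flag check matters: on a /32 point-to-point link addr | ~mask is the
 * unicast address itself, which must keep answering.
 */
int is_directed_broadcast(uint32_t dst)
{
    size_t i;
    for (i = 0; i < NIFACES; i++) {
        if (!ifaces[i].broadcast_capable)
            continue;
        if (dst == (ifaces[i].addr | ~ifaces[i].mask))
            return 1;
    }
    return 0;
}

/* Two destinations the patch's address scan does not match, although a
 * host on the segment still receives and answers them. */
int is_limited_broadcast(uint32_t dst) { return dst == 0xFFFFFFFFu; }
int is_multicast(uint32_t dst)         { return (dst >> 28) == 0xEu; }

/*
 * Decide whether an echo request to dst is answered. broadecho mirrors the
 * proposed sysctl: 1 = reply to everything (the default), 0 = suppress
 * replies to broadcast and multicast destinations.
 */
int echo_reply_allowed(uint32_t dst, int broadecho)
{
    if (broadecho)
        return 1;
    if (is_directed_broadcast(dst) || is_limited_broadcast(dst) ||
        is_multicast(dst))
        return 0;
    return 1;
}

int main(void)
{
    static const char *samples[] = {
        "192.168.1.5", "192.168.1.255", "10.0.255.255", "255.255.255.255",
        "224.0.0.1", "192.168.2.2", "192.168.9.255",
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t dst = parse_ipv4(samples[i]);
        printf("%-16s patch-scan=%d  reply(broadecho=0)=%d\n", samples[i],
               is_directed_broadcast(dst), echo_reply_allowed(dst, 0));
    }
    return 0;
}
```

Running it shows 192.168.1.255 and 10.0.255.255 caught by the patch's scan, while 255.255.255.255 and 224.0.0.1 pass the scan and are only suppressed by the extended check; 192.168.9.255 is nobody's broadcast here and is answered either way.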