Date: Tue, 22 Apr 2025 15:59:41 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: b7a61e09e4ad - main - netinet6: Do not forward or send ICMPv6 messages to the unspec address Message-ID: <202504221559.53MFxfvb031737@gitrepo.freebsd.org>
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=b7a61e09e4ad5fda44b7f4b6fee14f1b53996b41 commit b7a61e09e4ad5fda44b7f4b6fee14f1b53996b41 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-04-22 14:54:37 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-04-22 14:54:37 +0000 netinet6: Do not forward or send ICMPv6 messages to the unspec address As in f7174eb2b4c4 ("netinet: Do not forward or ICMP response to INADDR_ANY"), the IPv6 stack should avoid sending packets to the unspecified address. In particular: - Make sure that we do not forward received packets to the unspecified address; the check in ip6_input() catches this in the common case, but after commit 40faf87894ff it's possible for a pfil hook to bypass this check and pass the packet to ip6_forward() using the PACKET_TAG_IPFORWARD tag. - Make sure that we do not reflect packets back to the unspecified address; RFC 4443 section 2.4 states that we must not generate error messages in response to packets from the unspecified address. Reviewed by: zlei, glebius Reported by: Franco Fichtner <franco@opnsense.org> MFC after: 1 month Sponsored by: Klara, Inc. Sponsored by: OPNsense Differential Revision: https://reviews.freebsd.org/D49339 --- sys/netinet6/icmp6.c | 6 ++++++ sys/netinet6/ip6_forward.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 3740a3eaec0d..764e57ef9b76 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -2087,6 +2087,12 @@ icmp6_reflect(struct mbuf *m, size_t off) hlim = 0; srcp = NULL; + if (__predict_false(IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src))) { + nd6log((LOG_DEBUG, + "icmp6_reflect: source address is unspecified\n")); + goto bad; + } + /* * If the incoming packet was addressed directly to us (i.e. unicast), * use dst as the src for the reply. 
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 44a349d1750f..ad8c95c9363c 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -109,7 +109,8 @@ ip6_forward(struct mbuf *m, int srcrt) */ if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 || IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || - IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { + IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) || + IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { IP6STAT_INC(ip6s_cantforward); /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ if (V_ip6_log_cannot_forward && ip6_log_ratelimit()) {
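Review bot: In the icmp6.c hunk, the new IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) check in icmp6_reflect() carries no comment explaining why the packet is dropped, and the only trace of the drop is an nd6log() line at LOG_DEBUG, which is normally silent. Since the commit message grounds this in RFC 4443 section 2.4 (no error messages in response to packets from the unspecified address), consider a short comment above the check, e.g. `/* RFC 4443, section 2.4: never reply to the unspecified address. */`, and consider bumping an icmp6stat counter on the `goto bad` path so operators can see these drops in netstat output, as the ip6_forward() side already does with IP6STAT_INC(ip6s_cantforward). Note also that icmp6_reflect() is used for echo replies as well as error messages, so the check covers more than the RFC's error-message clause; that is consistent with the stated goal of never sending to the unspecified address, but worth stating in the comment.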
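Review bot: In the ip6_forward.c hunk, the condition gains IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst), but the comment block that closes immediately above it (only its trailing `*/` is in the context) is left untouched; if that comment enumerates the cases that cannot be forwarded, it should now also mention the unspecified destination, otherwise the comment and the code disagree. The new case correctly shares the existing drop path (IP6STAT_INC(ip6s_cantforward) plus the rate-limited V_ip6_log_cannot_forward log), which matches how the unspecified source was already handled, so no separate counter is needed here.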