Date: Fri, 21 Jan 2000 20:05:07 -0500
From: Jared Mauch <jared@puck.nether.net>
To: Brett Glass <brett@lariat.org>
Cc: Don Lewis <gdonl@tsc.tdk.com>, Jared Mauch <jared@puck.nether.net>, Wes Peters <wes@softweyr.com>, TrouBle <trouble@netquick.net>, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <20000121200507.D4055@puck.nether.net>
In-Reply-To: <4.2.2.20000121170250.01986ea0@localhost>; from brett@lariat.org on Fri, Jan 21, 2000 at 05:44:48PM -0700
References: <Brett <brett@lariat.org> <200001212350.PAA14888@salsa.gv.tsc.tdk.com> <4.2.2.20000121170250.01986ea0@localhost>

On Fri, Jan 21, 2000 at 05:44:48PM -0700, Brett Glass wrote:
> At 04:50 PM 1/21/2000 , Don Lewis wrote:
>
> >I'm tempted to move the existing multicast tests up to the top
> >of tcp_input() and check the source address as well. I just hate
> >to add extra code to the main code path, though.
>
> Checking the source address early would not hurt, since
> it seems to be done so much anyway. Go to the /sys/netinet
> directory and do a "grep IN_MULTICAST *" to see what I
> mean!
>
> In fact, the number of scattered tests makes a strong argument
> for doing this check lower down in the stack and setting
> a flag. It might also prevent other problems if multicast
> packets were intercepted before they were ever passed to
> non-multicast protocols. I'd hate to see an attack based
> on, for example, sending ICMP packets to or from a multicast
> source address (shudder).

IMHO this should be available, but restricted as it is
a broadcast (multicast) ping, not just a ping against a host.

I may want to ping 224.0.0.5 and if I'm running gated on a
freebsd box, I want it to respond.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
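
Added example, not part of the original message and not FreeBSD kernel code: a user-space C sketch of the design discussed in the thread, where multicast addresses are classified once at the IP layer and each protocol then consults a flag. The flag names, ip_demux(), and the allow_mcast_echo knob are assumptions made for illustration; IN_MULTICAST() is the macro from <netinet/in.h> and takes a host-order address.

```c
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>          /* IN_MULTICAST(), IPPROTO_TCP, IPPROTO_ICMP */

/* Hypothetical per-packet flags, set once at the IP layer. */
#define PKT_MCAST_SRC 0x1
#define PKT_MCAST_DST 0x2

enum verdict { V_DROP, V_DELIVER };

/* One classification low in the stack; addresses in host byte order. */
static unsigned classify(uint32_t src, uint32_t dst)
{
    unsigned flags = 0;
    if (IN_MULTICAST(src)) flags |= PKT_MCAST_SRC;
    if (IN_MULTICAST(dst)) flags |= PKT_MCAST_DST;
    return flags;
}

/*
 * joined:           host is a member of the destination group
 * allow_mcast_echo: hypothetical admin knob for answering multicast pings
 */
static enum verdict ip_demux(uint32_t src, uint32_t dst, int proto,
                             int joined, int allow_mcast_echo)
{
    unsigned flags = classify(src, dst);

    if (flags & PKT_MCAST_SRC)       /* never a valid source address */
        return V_DROP;
    if (!(flags & PKT_MCAST_DST))    /* not multicast: normal path */
        return V_DELIVER;
    switch (proto) {
    case IPPROTO_TCP:                /* TCP is unicast only */
        return V_DROP;
    case IPPROTO_ICMP:               /* multicast ping: available but restricted */
        return (joined && allow_mcast_echo) ? V_DELIVER : V_DROP;
    default:                         /* e.g. a routing daemon's group traffic */
        return joined ? V_DELIVER : V_DROP;
    }
}

int main(void)
{
    /* Constructed sample: ICMP from 192.0.2.1 to 224.0.0.5, group joined. */
    printf("%d\n", ip_demux(0xC0000201u, 0xE0000005u, IPPROTO_ICMP, 1, 1));
    return 0;
}
```
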