Date:      Wed, 12 Jan 2011 19:11:18 +0000 (UTC)
From:      "George V. Neville-Neil" <gnn@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r217315 - head/sys/netinet
Message-ID:  <201101121911.p0CJBIKG001157@svn.freebsd.org>

Author: gnn
Date: Wed Jan 12 19:11:17 2011
New Revision: 217315
URL: http://svn.freebsd.org/changeset/base/217315

Log:
  Fix several bugs in the ARP code related to improperly formatted
  packets.
  
  *) Reject requests with a protocol length not equal to 4.  This is IPv4
  and there is no reason to accept anything else.
  
  *) Reject packets that have a multicast source hardware address.
  
  *) Drop requests where the hardware address length is not equal
  to the hardware address length of the interface.
  
  Pointed out by:	Rozhuk Ivan
  MFC after:	1 week

Modified:
  head/sys/netinet/if_ether.c

Modified: head/sys/netinet/if_ether.c
==============================================================================
--- head/sys/netinet/if_ether.c	Wed Jan 12 19:06:59 2011	(r217314)
+++ head/sys/netinet/if_ether.c	Wed Jan 12 19:11:17 2011	(r217315)
@@ -531,6 +531,21 @@ in_arpinput(struct mbuf *m)
 	}
 
 	ah = mtod(m, struct arphdr *);
+	/* 
+	 * ARP is only for IPv4 so we can reject packets with
+	 * a protocol length not equal to an IPv4 address.
+	 */
+	if (ah->ar_pln != sizeof(struct in_addr)) {
+		log(LOG_ERR, "in_arp: requested protocol length != %ld\n",
+		    sizeof(struct in_addr));
+		return;
+	}
+
+	if (ETHER_IS_MULTICAST(ar_sha(ah))) {
+		log(LOG_ERR, "in_arp: source hardware address is multicast.");
+		return;
+	}
+
 	op = ntohs(ah->ar_op);
 	(void)memcpy(&isaddr, ar_spa(ah), sizeof (isaddr));
 	(void)memcpy(&itaddr, ar_tpa(ah), sizeof (itaddr));
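Review bot: The two new rejection branches in in_arpinput exit with a bare `return;`, and nothing in the hunk releases `m` first, so each rejected frame appears to leak its mbuf. Any host on the segment can send such frames, so this would allow remotely driven exhaustion of mbuf memory. The second hunk of this commit exits through `goto drop;`, which presumably frees the mbuf, and both new branches should take the same exit; the function starts and ends outside this hunk, so confirm the label is valid from this point. Separately, both messages are logged at `LOG_ERR` for every malformed packet with no rate limit, `%ld` does not match the `size_t` produced by `sizeof` (use `%zu` or cast to `long`), and the multicast message lacks its trailing `\n`.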
@@ -702,7 +717,7 @@ match:
 			    "arp from %*D: addr len: new %d, i/f %d (ignored)",
 			    ifp->if_addrlen, (u_char *) ar_sha(ah), ":",
 			    ah->ar_hln, ifp->if_addrlen);
-			goto reply;
+			goto drop;
 		}
 		(void)memcpy(&la->ll_addr, ar_sha(ah), ifp->if_addrlen);
 		la->la_flags |= LLE_VALID;
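Review bot: The `ar_hln` comparison that now ends in `goto drop;` still sits under `match:`, so a frame with a mismatched hardware address length is only rejected once it reaches this branch. By then the first hunk's code has already read `ar_spa(ah)` and `ar_tpa(ah)`, and those accessors normally compute their offsets from `ar_hln`. If `ifp` is already known at that point, consider moving the test up beside the new `ar_pln` check, e.g. `if (ah->ar_hln != ifp->if_addrlen) goto drop;`, so the length is validated before any field derived from it is used and the drop applies to every packet, as the log message describes. The enclosing block starts and ends outside this hunk, so whether earlier code already bounds `ar_hln` cannot be confirmed from here.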


