Date: Fri, 4 Apr 2014 16:58:32 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r264126 - head/sys/netipsec Message-ID: <201404041658.s34GwWkW089911@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Fri Apr 4 16:58:32 2014 New Revision: 264126 URL: http://svnweb.freebsd.org/changeset/base/264126 Log: The check for local address spoofing lacks ifaddr locking. Remove these loops and use in_localip() and in6_localip() functions instead. MFC after: 1 week Sponsored by: Yandex LLC Modified: head/sys/netipsec/xform_ipip.c Modified: head/sys/netipsec/xform_ipip.c ============================================================================== --- head/sys/netipsec/xform_ipip.c Fri Apr 4 15:57:27 2014 (r264125) +++ head/sys/netipsec/xform_ipip.c Fri Apr 4 16:58:32 2014 (r264126) @@ -159,14 +159,8 @@ ip4_input(struct mbuf *m, int off) static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) { -#ifdef INET - register struct sockaddr_in *sin; -#endif - register struct ifnet *ifp; - register struct ifaddr *ifa; struct ip *ipo; #ifdef INET6 - register struct sockaddr_in6 *sin6; struct ip6_hdr *ip6 = NULL; u_int8_t itos; #endif @@ -294,47 +288,22 @@ _ipip_input(struct mbuf *m, int iphlen, if ((m->m_pkthdr.rcvif == NULL || !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && V_ipip_allow != 2) { - IFNET_RLOCK_NOSLEEP(); - TAILQ_FOREACH(ifp, &V_ifnet, if_link) { - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { -#ifdef INET - if (ipo) { - if (ifa->ifa_addr->sa_family != - AF_INET) - continue; - - sin = (struct sockaddr_in *) ifa->ifa_addr; - - if (sin->sin_addr.s_addr == - ipo->ip_src.s_addr) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - } -#endif /* INET */ - +#ifdef INET + if ((v >> 4) == IPVERSION && + in_localip(ipo->ip_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; + } +#endif #ifdef INET6 - if (ip6) { - if (ifa->ifa_addr->sa_family != - AF_INET6) - continue; - - sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; - - if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - - } -#endif /* INET6 */ - } + if ((v & IPV6_VERSION_MASK) == IPV6_VERSION && + in6_localip(&ip6->ip6_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; } - IFNET_RUNLOCK_NOSLEEP(); +#endif } /* Statistics */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404041658.s34GwWkW089911>