Module Name:    src
Committed By:   martin
Date:           Fri Feb  9 14:09:35 UTC 2018

Modified Files:
        src/sys/netinet [netbsd-6]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1526):
        sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.298 -r1.298.2.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.2.1
--- src/sys/netinet/ip_input.c:1.298	Mon Jan  9 14:31:22 2012
+++ src/sys/netinet/ip_input.c	Fri Feb  9 14:09:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1

Reply via email to