When using a raw ip6 socket, one can connect(2) then send(2), or just sendto(2). The code below would try to find the non-connected raw ip6 socket corresponding to an incoming icmp6 message, to deliver the failure. This code has been disabled ever since it was put in-tree, justifiably so because we are doing a wildcard socket search based on barely-checked external input.
Better remove it altogether and prevent future useless head-scratching. Ok? Index: netinet6/raw_ip6.c =================================================================== RCS file: /cvs/src/sys/netinet6/raw_ip6.c,v retrieving revision 1.89 diff -u -p -r1.89 raw_ip6.c --- netinet6/raw_ip6.c 29 Mar 2016 11:57:51 -0000 1.89 +++ netinet6/raw_ip6.c 8 Apr 2016 17:55:24 -0000 @@ -285,21 +285,6 @@ rip6_ctlinput(int cmd, struct sockaddr * */ in6p = in6_pcbhashlookup(&rawin6pcbtable, &sa6->sin6_addr, 0, &sa6_src->sin6_addr, 0, rdomain); -#if 0 - if (!in6p) { - /* - * As the use of sendto(2) is fairly popular, - * we may want to allow non-connected pcb too. - * But it could be too weak against attacks... - * We should at least check if the local - * address (= s) is really ours. - */ - in6p = in_pcblookup(&rawin6pcbtable, &sa6->sin6_addr, 0, - (struct in6_addr *)&sa6_src->sin6_addr, 0, - INPLOOKUP_WILDCARD | INPLOOKUP_IPV6, - rdomain); - } -#endif if (in6p && in6p->inp_ipv6.ip6_nxt && in6p->inp_ipv6.ip6_nxt == nxt)
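Review bot: once the #if 0 block in rip6_ctlinput() is gone, nothing in the tree records that the exact-match in6_pcbhashlookup() is deliberately the only lookup. A one-line comment before `if (in6p && in6p->inp_ipv6.ip6_nxt &&` stating that non-connected (sendto(2)-only) raw sockets are intentionally not notified would preserve the rationale carried by the deleted comment ("it could be too weak against attacks") and discourage reintroducing the in_pcblookup() call with INPLOOKUP_WILDCARD. It is also worth checking that the comment ending just above the in6_pcbhashlookup() call does not still refer to the non-connected case. The removed lines were compiled out, so there is no behaviour change to test.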