Stuart Henderson <[email protected]> writes:

> On 2016/05/06 15:05, Martin Pieuchot wrote:
>> This looks like a bad merge from the 2000s.  This check is present twice in
>> ip6_input(), so let's remove the late one, ok?
>> 
>> Index: netinet6/ip6_input.c
>> ===================================================================
>> RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
>> retrieving revision 1.158
>> diff -u -p -r1.158 ip6_input.c
>> --- netinet6/ip6_input.c     19 Apr 2016 08:23:13 -0000      1.158
>> +++ netinet6/ip6_input.c     6 May 2016 13:01:34 -0000
>> @@ -600,21 +600,6 @@ ip6_input(struct mbuf *m)
>>      ip6 = mtod(m, struct ip6_hdr *);
>
> OK, but I believe you can also remove this mtod.

Hmm, can't pf_test and ip6_hopopts_input actually modify "m" between the
two checks, making the second check possibly relevant?  pf_test would
modify m according to the config controlled by the admin, but after
a quick look I'm not sure about ip6_hopopts_input...  paranoid, maybe?

>>      /*
>> -     * Malicious party may be able to use IPv4 mapped addr to confuse
>> -     * tcp/udp stack and bypass security checks (act as if it was from
>> -     * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1).  Be cautious.
>> -     *
>> -     * For SIIT end node behavior, you may want to disable the check.
>> -     * However, you will  become vulnerable to attacks using IPv4 mapped
>> -     * source.
>> -     */
>> -    if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
>> -        IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
>> -            ip6stat.ip6s_badscope++;
>> -            goto bad;
>> -    }
>> -
>> -    /*
>>       * Tell launch routine the next header
>>       */
>>      ip6stat.ip6s_delivered++;
>> 
>
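Review bot: dropping this second IN6_IS_ADDR_V4MAPPED() check is only safe if `ip6->ip6_src` and `ip6->ip6_dst` cannot differ from what the earlier check saw, and the thread already notes that pf_test and ip6_hopopts_input run between the two checks and may rewrite `m`; that should be confirmed (and ideally stated in the commit message) before the block goes, because the comment being removed documents exactly the case it guards against (a source of `::ffff:127.0.0.1` being treated as loopback further up the stack). Separately, the retained context line `ip6 = mtod(m, struct ip6_hdr *);` serves only the removed check as far as this hunk shows: if nothing after `ip6stat.ip6s_delivered++;` reads `ip6`, the re-fetch is dead and can go with the check, as suggested upthread; if something does read it, it has to stay, since the mbuf may have been changed by the intervening calls.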

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
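As an added example, not code from the OpenBSD diff or from anyone in this thread: a small userland model of the IPv4-mapped source/destination check being discussed, so the failure mode the removed comment describes can be seen on concrete addresses. It uses the POSIX `IN6_IS_ADDR_V4MAPPED` macro and `inet_pton`; the function names `check_pair` and `embedded_v4_is_loopback` and the sample addresses are my own constructions.

```c
/* Added example: userland model of the ip6_input() v4-mapped address check.
 * Not the kernel code; it only shows what the check accepts and rejects. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Same predicate as the kernel check: a packet is dropped (ip6s_badscope)
 * when either the source or the destination is an IPv4-mapped address. */
static int v4mapped_check_passes(const struct in6_addr *src,
    const struct in6_addr *dst)
{
	return !(IN6_IS_ADDR_V4MAPPED(src) || IN6_IS_ADDR_V4MAPPED(dst));
}

/* Parse two textual IPv6 addresses and run the check.
 * Returns 1 if the pair would be accepted, 0 if it would be dropped,
 * -1 if either address fails to parse. */
int check_pair(const char *src_txt, const char *dst_txt)
{
	struct in6_addr src, dst;

	if (inet_pton(AF_INET6, src_txt, &src) != 1 ||
	    inet_pton(AF_INET6, dst_txt, &dst) != 1)
		return -1;
	return v4mapped_check_passes(&src, &dst);
}

/* Why the check matters: the low 32 bits of a v4-mapped source carry a
 * plain IPv4 address, so code that only looks at that part would see
 * ::ffff:127.0.0.1 as 127.0.0.1 (loopback).  Returns 1 if the embedded
 * IPv4 address is in 127/8, 0 otherwise, -1 on parse error. */
int embedded_v4_is_loopback(const char *src_txt)
{
	struct in6_addr src;
	struct in_addr v4;

	if (inet_pton(AF_INET6, src_txt, &src) != 1)
		return -1;
	if (!IN6_IS_ADDR_V4MAPPED(&src))
		return 0;
	memcpy(&v4, &src.s6_addr[12], sizeof(v4));
	return (ntohl(v4.s_addr) >> 24) == 127;
}

int main(void)
{
	/* Constructed sample pairs: ordinary v6, v4-mapped loopback source,
	 * v4-mapped destination. */
	const char *pairs[][2] = {
		{ "2001:db8::1", "2001:db8::2" },
		{ "::ffff:127.0.0.1", "2001:db8::2" },
		{ "2001:db8::1", "::ffff:10.0.0.1" },
	};
	size_t i;

	for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
		printf("%-18s -> %-18s : %s\n", pairs[i][0], pairs[i][1],
		    check_pair(pairs[i][0], pairs[i][1]) ? "accepted" : "dropped");
	printf("::ffff:127.0.0.1 looks like loopback to v4-only code: %d\n",
	    embedded_v4_is_loopback("::ffff:127.0.0.1"));
	return 0;
}
```

The kernel check rejects on either address; the second function is there only to make the "act as if it was from 127.0.0.1" remark in the removed comment concrete.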