svn commit: r264126 - head/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Fri Apr 4 16:58:33 UTC 2014
Author: ae
Date: Fri Apr 4 16:58:32 2014
New Revision: 264126
URL: http://svnweb.freebsd.org/changeset/base/264126
Log:
The check for local address spoofing lacks ifaddr locking.
Remove these loops and use in_localip() and in6_localip()
functions instead.
MFC after: 1 week
Sponsored by: Yandex LLC
Modified:
head/sys/netipsec/xform_ipip.c
Modified: head/sys/netipsec/xform_ipip.c
==============================================================================
--- head/sys/netipsec/xform_ipip.c Fri Apr 4 15:57:27 2014 (r264125)
+++ head/sys/netipsec/xform_ipip.c Fri Apr 4 16:58:32 2014 (r264126)
@@ -159,14 +159,8 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
-#ifdef INET
- register struct sockaddr_in *sin;
-#endif
- register struct ifnet *ifp;
- register struct ifaddr *ifa;
struct ip *ipo;
#ifdef INET6
- register struct sockaddr_in6 *sin6;
struct ip6_hdr *ip6 = NULL;
u_int8_t itos;
#endif
@@ -294,47 +288,22 @@ _ipip_input(struct mbuf *m, int iphlen,
if ((m->m_pkthdr.rcvif == NULL ||
!(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
V_ipip_allow != 2) {
- IFNET_RLOCK_NOSLEEP();
- TAILQ_FOREACH(ifp, &V_ifnet, if_link) {
- TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
-#ifdef INET
- if (ipo) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET)
- continue;
-
- sin = (struct sockaddr_in *) ifa->ifa_addr;
-
- if (sin->sin_addr.s_addr ==
- ipo->ip_src.s_addr) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
- }
-#endif /* INET */
-
+#ifdef INET
+ if ((v >> 4) == IPVERSION &&
+ in_localip(ipo->ip_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
+ }
+#endif
#ifdef INET6
- if (ip6) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET6)
- continue;
-
- sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
-
- if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
-
- }
-#endif /* INET6 */
- }
+ if ((v & IPV6_VERSION_MASK) == IPV6_VERSION &&
+ in6_localip(&ip6->ip6_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
}
- IFNET_RUNLOCK_NOSLEEP();
+#endif
}
/* Statistics */
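Review bot: The two new spoof checks dereference `ipo->ip_src` and `ip6->ip6_src` based only on the version nibble in `v` (`(v >> 4) == IPVERSION`, `(v & IPV6_VERSION_MASK) == IPV6_VERSION`), whereas the removed loop tested `if (ipo)` and `if (ip6)` first. `ipo` is declared without an initializer in the first hunk and both pointers are assigned outside this hunk, so it cannot be confirmed from here that each one is always valid when its version test passes. I would state that invariant directly above the checks, for example `/* v is the inner header's version; ipo (IPv4) or ip6 (IPv6) was set to match it before this point. */`, so that a later change to the earlier parsing code does not silently turn the anti-spoofing check into a NULL dereference. The body of _ipip_input starts and ends outside the hunk.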