svn commit: r355450 - head/sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Dec 6 16:42:59 UTC 2019
Author: bz
Date: Fri Dec 6 16:42:58 2019
New Revision: 355450
URL: https://svnweb.freebsd.org/changeset/base/355450
Log:
ip6_input: remove redundant v4mapped check
In ip6_input() we apply the same v4mapped address check twice. The only
case which skips the first one is M_FASTFWD_OURS which should have passed
the check on the first input pass and passed the firewall.
Remove the 2nd redundant check.
Reviewed by: kp, melifaro
MFC after: 2 weeks
Sponsored by: Netflix (originally)
Differential Revision: https://reviews.freebsd.org/D22462
Modified:
head/sys/netinet6/ip6_input.c
Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c Fri Dec 6 16:35:48 2019 (r355449)
+++ head/sys/netinet6/ip6_input.c Fri Dec 6 16:42:58 2019 (r355450)
@@ -897,24 +897,6 @@ passin:
return;
}
- ip6 = mtod(m, struct ip6_hdr *);
-
- /*
- * Malicious party may be able to use IPv4 mapped addr to confuse
- * tcp/udp stack and bypass security checks (act as if it was from
- * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
- *
- * For SIIT end node behavior, you may want to disable the check.
- * However, you will become vulnerable to attacks using IPv4 mapped
- * source.
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
- IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
- IP6STAT_INC(ip6s_badscope);
- in6_ifstat_inc(rcvif, ifs6_in_addrerr);
- goto bad;
- }
-
/*
* Tell launch routine the next header
*/
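Review bot: the check deleted after `passin:` was the only v4-mapped test that M_FASTFWD_OURS packets reached on this pass, and the log only says they "should have passed" it on the first input pass; nothing in this hunk enforces that. Consider leaving a short comment at this spot stating the invariant, or a KASSERT that neither `ip6->ip6_src` nor `ip6->ip6_dst` is v4-mapped, so a later change that reaches `passin:` by another path does not silently reopen the `::ffff:127.0.0.1` spoofing case the removed comment described. The hunk also drops the `ip6 = mtod(m, struct ip6_hdr *);` reload, so it is worth confirming that no code below this point depends on `ip6` having been refreshed here.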