Add fix for ip_id information leakage. Since the leakage information is
primarily used with TCP SYN and RST packets and such packets are less than the smallest sized packet that an IP stack is allowed to fragment, we simply set ip_id to 0 for all packets 68 bytes or less.
This commit is contained in:
parent
d8654d5866
commit
15c4637507
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip.h,v 1.29 2006/12/17 20:07:36 christos Exp $ */
|
||||
/* $NetBSD: ip.h,v 1.30 2007/12/21 02:07:54 matt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986, 1993
|
||||
@ -68,6 +68,7 @@ struct ip {
|
||||
} __attribute__((__packed__));
|
||||
|
||||
#define IP_MAXPACKET 65535 /* maximum packet size */
|
||||
#define IP_MINFRAGSIZE 69 /* minumum size that can be fraged */
|
||||
|
||||
/*
|
||||
* Definitions for IP type of service (ip_tos)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_carp.c,v 1.21 2007/12/20 21:08:22 dyoung Exp $ */
|
||||
/* $NetBSD: ip_carp.c,v 1.22 2007/12/21 02:07:55 matt Exp $ */
|
||||
/* $OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
@ -28,7 +28,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.21 2007/12/20 21:08:22 dyoung Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.22 2007/12/21 02:07:55 matt Exp $");
|
||||
|
||||
/*
|
||||
* TODO:
|
||||
@ -973,7 +973,7 @@ carp_send_ad(void *v)
|
||||
ip->ip_hl = sizeof(*ip) >> 2;
|
||||
ip->ip_tos = IPTOS_LOWDELAY;
|
||||
ip->ip_len = htons(len);
|
||||
ip->ip_id = htons(ip_randomid());
|
||||
ip->ip_id = 0; /* no need for id, we don't support fragments */
|
||||
ip->ip_off = htons(IP_DF);
|
||||
ip->ip_ttl = CARP_DFLTTL;
|
||||
ip->ip_p = IPPROTO_CARP;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_mroute.c,v 1.109 2007/11/27 22:45:29 christos Exp $ */
|
||||
/* $NetBSD: ip_mroute.c,v 1.110 2007/12/21 02:07:55 matt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1992, 1993
|
||||
@ -93,7 +93,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.109 2007/11/27 22:45:29 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.110 2007/12/21 02:07:55 matt Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_ipsec.h"
|
||||
@ -1927,7 +1927,10 @@ encap_send(struct ip *ip, struct vif *vifp, struct mbuf *m)
|
||||
*/
|
||||
ip_copy = mtod(mb_copy, struct ip *);
|
||||
*ip_copy = multicast_encap_iphdr;
|
||||
ip_copy->ip_id = ip_newid();
|
||||
if (len < IP_MINFRAGSIZE)
|
||||
ip_copy->ip_id = 0;
|
||||
else
|
||||
ip_copy->ip_id = ip_newid();
|
||||
ip_copy->ip_len = htons(len);
|
||||
ip_copy->ip_src = vifp->v_lcl_addr;
|
||||
ip_copy->ip_dst = vifp->v_rmt_addr;
|
||||
@ -3291,7 +3294,10 @@ pim_register_send_rp(struct ip *ip, struct vif *vifp,
|
||||
*/
|
||||
ip_outer = mtod(mb_first, struct ip *);
|
||||
*ip_outer = pim_encap_iphdr;
|
||||
ip_outer->ip_id = ip_newid();
|
||||
if (mb_first->m_pkthdr.len < IP_MINFRAGSIZE)
|
||||
ip_outer->ip_id = 0;
|
||||
else
|
||||
ip_outer->ip_id = ip_newid();
|
||||
ip_outer->ip_len = htons(len + sizeof(pim_encap_iphdr) +
|
||||
sizeof(pim_encap_pimhdr));
|
||||
ip_outer->ip_src = viftable[vifi].v_lcl_addr;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_output.c,v 1.186 2007/12/20 19:53:32 dyoung Exp $ */
|
||||
/* $NetBSD: ip_output.c,v 1.187 2007/12/21 02:07:55 matt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -98,7 +98,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.186 2007/12/20 19:53:32 dyoung Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.187 2007/12/21 02:07:55 matt Exp $");
|
||||
|
||||
#include "opt_pfil_hooks.h"
|
||||
#include "opt_inet.h"
|
||||
@ -262,7 +262,9 @@ ip_output(struct mbuf *m0, ...)
|
||||
if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
|
||||
ip->ip_v = IPVERSION;
|
||||
ip->ip_off = htons(0);
|
||||
if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {
|
||||
if (m->m_pkthdr.len < IP_MINFRAGSIZE) {
|
||||
ip->ip_id = 0;
|
||||
} else if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {
|
||||
ip->ip_id = ip_newid();
|
||||
} else {
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: raw_ip.c,v 1.101 2007/11/27 22:45:29 christos Exp $ */
|
||||
/* $NetBSD: raw_ip.c,v 1.102 2007/12/21 02:07:55 matt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -61,7 +61,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.101 2007/11/27 22:45:29 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.102 2007/12/21 02:07:55 matt Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_ipsec.h"
|
||||
@ -358,7 +358,7 @@ rip_output(struct mbuf *m, ...)
|
||||
}
|
||||
HTONS(ip->ip_len);
|
||||
HTONS(ip->ip_off);
|
||||
if (ip->ip_id == 0)
|
||||
if (ip->ip_id == 0 && m->m_pkthdr.len >= IP_MINFRAGSIZE)
|
||||
ip->ip_id = ip_newid();
|
||||
opts = NULL;
|
||||
/* XXX prevent ip_output from overwriting header fields */
|
||||
|
Loading…
Reference in New Issue
Block a user