reject packets with 127/8 on IPv4 src/dst, they must not appear on wire

(RFC1122). torture-tests will be welcomed. XXX do we want to check source routing headers as well?
2001-03-02 02:05:36 +00:00 · 2001-03-02 02:05:36 +00:00 · 89b4c3edc6
parent 5cc6423696
commit 89b4c3edc6
1 changed files with 8 additions and 1 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.128 2001/03/01 16:31:39 itojun Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.129 2001/03/02 02:05:36 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -418,6 +418,13 @@ ip_input(struct mbuf *m)
 		goto bad;
 	}

+	/* 127/8 must not appear on wire - RFC1122 */
+	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0)
+			goto bad;
+	}
+
 	if (in_cksum(m, hlen) != 0) {
 		ipstat.ips_badsum++;
 		goto bad;