*** tcp_input.c.orig Fri Jan 21 09:04:37 2000
--- tcp_input.c Sat Jan 22 03:40:05 2000
***************
*** 381,386 ****
--- 381,387 ----
struct tcpopt to; /* options in this segment */
struct rmxp_tao *taop; /* pointer to our TAO cache entry */
struct rmxp_tao tao_noncached; /* in case there's no cached entry */
+ int wildcard = 0;
#ifdef TCPDEBUG
short ostate = 0;
#endif
***************
*** 511,518 ****
drop_hdrlen = off0 + off;
/*
! * Locate pcb for segment.
*/
findpcb:
#ifdef IPFIREWALL_FORWARD
if (ip_fw_fwd_addr != NULL
--- 512,528 ----
drop_hdrlen = off0 + off;
/*
! * Locate pcb for segment. If this is not a SYN segment, don't
! * bother searching for the pcb of a listening socket with a
! * wildcard address.
! *
! * Checking TH_RST isn't strictly necessary here, but it doesn't
! * cost anything, saves a hash lookup, takes a shorter path to
! * dropwithreset (which will drop the packet), and allows a test
! * to be removed from the TCPS_LISTEN case.
*/
+ if ((thflags & (TH_ACK|TH_SYN|TH_RST)) == TH_SYN)
+ wildcard = 1;
findpcb:
#ifdef IPFIREWALL_FORWARD
if (ip_fw_fwd_addr != NULL
***************
*** 533,544 ****
if (!ip_fw_fwd_addr->sin_port) {
inp = in_pcblookup_hash(&tcbinfo, ip->ip_src,
th->th_sport, ip_fw_fwd_addr->sin_addr,
! th->th_dport, 1, m->m_pkthdr.rcvif);
} else {
inp = in_pcblookup_hash(&tcbinfo,
ip->ip_src, th->th_sport,
ip_fw_fwd_addr->sin_addr,
! ntohs(ip_fw_fwd_addr->sin_port), 1,
m->m_pkthdr.rcvif);
}
}
--- 543,554 ----
if (!ip_fw_fwd_addr->sin_port) {
inp = in_pcblookup_hash(&tcbinfo, ip->ip_src,
th->th_sport, ip_fw_fwd_addr->sin_addr,
! th->th_dport, wildcard, m->m_pkthdr.rcvif);
} else {
inp = in_pcblookup_hash(&tcbinfo,
ip->ip_src, th->th_sport,
ip_fw_fwd_addr->sin_addr,
! ntohs(ip_fw_fwd_addr->sin_port), wildcard,
m->m_pkthdr.rcvif);
}
}
***************
*** 549,560 ****
#ifdef INET6
if (isipv6)
inp = in6_pcblookup_hash(&tcbinfo, &ip6->ip6_src, th->th_sport,
! &ip6->ip6_dst, th->th_dport, 1,
m->m_pkthdr.rcvif);
else
#endif /* INET6 */
inp = in_pcblookup_hash(&tcbinfo, ip->ip_src, th->th_sport,
! ip->ip_dst, th->th_dport, 1, m->m_pkthdr.rcvif);
}
#ifdef IPSEC
--- 559,570 ----
#ifdef INET6
if (isipv6)
inp = in6_pcblookup_hash(&tcbinfo, &ip6->ip6_src, th->th_sport,
! &ip6->ip6_dst, th->th_dport, wildcard,
m->m_pkthdr.rcvif);
else
#endif /* INET6 */
inp = in_pcblookup_hash(&tcbinfo, ip->ip_src, th->th_sport,
! ip->ip_dst, th->th_dport, wildcard, m->m_pkthdr.rcvif);
}
#ifdef IPSEC
***************
*** 615,624 ****
break;
}
}
- #ifdef ICMP_BANDLIM
- if (badport_bandlim(1) < 0)
- goto drop;
- #endif
if (blackhole) {
switch (blackhole) {
case 1:
--- 625,630 ----
***************
*** 996,1001 ****
--- 1002,1013 ----
register struct sockaddr_in6 *sin6;
#endif
+ /*
+ * XXX - the following three tests should no longer be
+ * necessary because of the "wildcard" test added
+ * above. These should probably be changed to assertions
+ * until the code is thoroughly shaked out.
+ */
if (thflags & TH_RST)
goto drop;
if (thflags & TH_ACK)
***************
*** 1017,1032 ****
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
* in_broadcast() should never return true on a received
* packet with M_BCAST not set.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
#ifdef INET6
if (isipv6) {
! if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst))
goto drop;
} else
#endif
! if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
goto drop;
#ifdef INET6
if (isipv6) {
--- 1029,1050 ----
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
* in_broadcast() should never return true on a received
* packet with M_BCAST not set.
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
#ifdef INET6
if (isipv6) {
! if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
! IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
goto drop;
} else
#endif
! if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
! IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
! IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
goto drop;
#ifdef INET6
if (isipv6) {
***************
*** 2217,2229 ****
goto drop;
#ifdef INET6
if (isipv6) {
! if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst))
goto drop;
} else
#endif /* INET6 */
! if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
goto drop;
/* IPv6 anycast check is done at tcp6_input() */
#ifdef TCPDEBUG
if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,
--- 2235,2254 ----
goto drop;
#ifdef INET6
if (isipv6) {
! if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
! IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
goto drop;
} else
#endif /* INET6 */
! if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
! IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
! IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
goto drop;
/* IPv6 anycast check is done at tcp6_input() */
+ #ifdef ICMP_BANDLIM
+ if (badport_bandlim(1) < 0)
+ goto drop;
+ #endif
#ifdef TCPDEBUG
if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,