From 79755dc52bdc71857579419a55e003df3636fc3a Mon Sep 17 00:00:00 2001 From: Julian Elischer Date: Thu, 13 Nov 1997 22:57:57 +0000 Subject: [PATCH] Submitted by: Archie Cobbs (IPDIVERT author) close small security hole where an attacker could send packets with IPDIVERT protocol, and select how it would be diverted thus bypassing the ipfirewall. Discovered by inspection rather than attack. (you'd have to know how the firewall was configured (EXACTLY) to make use of this but..) --- sys/netinet/ip_input.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index c395d9eb32a..f8cd5386c18 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_input.c,v 1.70 1997/11/05 02:51:32 julian Exp $ + * $Id: ip_input.c,v 1.71 1997/11/05 20:17:21 joerg Exp $ * $ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $ */ @@ -577,6 +577,12 @@ found: (*inetsw[ip_protox[IPPROTO_DIVERT]].pr_input)(m, hlen); return; } + + /* Don't let packets divert themselves */ + if (ip->ip_p == IPPROTO_DIVERT) { + ipstat.ips_noproto++; + goto bad; + } #endif /*
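Review bot: in the first hunk (@@ -31,7 +31,7 @@) the only change is the $Id line moving from "1.70 ... julian" to "1.71 ... joerg", which is version-control keyword expansion and carries no part of the fix. Anyone carrying this change to another tree only needs the second hunk; applying the header hunk against a tree with a different $Id string will just produce a reject.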
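Review bot: in the second hunk (@@ -577,6 +577,12 @@) the new drop for ip->ip_p == IPPROTO_DIVERT is accounted under ipstat.ips_noproto, the counter for unknown or unsupported protocols, so a forged divert packet from the wire is indistinguishable in the statistics from ordinary unsupported-protocol traffic. Consider a dedicated counter or a rate-limited log message at this point so an operator can see that something tried it. The comment "Don't let packets divert themselves" is also terse for a security check: it would help to state that a packet arriving with this protocol number would otherwise be handed to the divert input routine through inetsw[ip_protox[...]] and so choose its own diversion, bypassing ipfirewall, as the commit message describes.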