1 files changed, 13 insertions, 7 deletions

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index dc063289bcab..266d58746681 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -798,11 +798,15 @@ findpcb:
 		}
 		/*
 		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-		 * in_broadcast() should never return true on a received
-		 * packet with M_BCAST not set.
- 		 *
- 		 * Packets with a multicast source address should also
- 		 * be discarded.
+		 *
+		 * It is possible for a malicious (or misconfigured)
+		 * attacker to send unicast link-layer packets with a
+		 * broadcast IP address. Use in_broadcast() to find them.
+		 * (This check was erroneously removed in CSRG revision
+		 * 7.35.)
+		 *
+		 * Packets with a multicast source address should also
+		 * be discarded.
 		 */
 		if (m->m_flags & (M_BCAST|M_MCAST))
 			goto drop;
@@ -815,7 +819,8 @@ findpcb:
 #endif
 		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 		    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+		    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+		    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 			goto drop;
 		/*
 		 * SYN appears to be valid; create compressed TCP state
@@ -2171,7 +2176,8 @@ dropwithreset:
 #endif /* INET6 */
 	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
 	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
-	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
+	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST) ||
+	    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
 		goto drop;
 	/* IPv6 anycast check is done at tcp6_input() */