authorJesper Skriver <jesper@FreeBSD.org>2001-02-20 23:25:04 +0000
committerJesper Skriver <jesper@FreeBSD.org>2001-02-20 23:25:04 +0000
commit58e9b417225efeb5f4adea684f8f0a1dd7130b5a (patch)
tree4051391115753cca52b36d7ee71fff8844ebd504 /sys/netinet/tcp_subr.c
parent729d4f1db0bba0cf7fcd3a286d06556f94f194aa (diff)
Notes
Diffstat (limited to 'sys/netinet/tcp_subr.c')
-rw-r--r--sys/netinet/tcp_subr.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 7ec84296aee1..ed3354747d4c 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1032,6 +1032,20 @@ tcp_ctlinput(cmd, sa, vip)
+ (IP_VHL_HL(ip->ip_vhl) << 2));
if (tcp_seq_check == 1)
tcp_sequence = ntohl(th->th_seq);
+ /*
+ * Only call in_pcbnotify if the src port number != 0, as we
+ * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
+ *
+ * It's sufficient to check for src|local port, as we'll have no
+ * sessions with src|local port == 0
+ *
+ * Without this a attacker sending ICMP messages, where the attached
+ * IP header (+ 8 bytes) has the address and port numbers == 0, would
+ * have the ICMP message applied to all sessions (modulo TCP sequence
+ * number check).
+ */
+ if (th->th_sport == 0)
+ return;
in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
cmd, notify, tcp_sequence, tcp_seq_check);
} else
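Review bot: The added guard rejects only `th->th_sport == 0`, while `th->th_dport` and `ip->ip_src`, taken from the same untrusted quoted header, still reach `in_pcbnotify()` unchecked. That function is not visible here, but if it also treats a zero foreign port or a zero local address as a wildcard, a message carrying a valid local port and `th_dport == 0` would still be applied to every session on that port with the given peer, and the sequence check only helps when `tcp_seq_check == 1`. Consider widening the test to `if (th->th_sport == 0 || th->th_dport == 0 || ip->ip_src.s_addr == INADDR_ANY) return;`, or documenting in the comment why the other two fields are safe to pass through. The comment's file reference `src/sys/in_pbc.c` looks like a typo for `in_pcb.c`, and "a attacker" should read "an attacker". The body of tcp_ctlinput starts and ends outside this hunk, so whether the early `return` skips any cleanup cannot be judged from here.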