1 files changed, 15 insertions, 17 deletions

diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index ed3354747d4c..03b5870a845c 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1024,32 +1024,30 @@ tcp_ctlinput(cmd, sa, vip)
 		}
 	} else if (cmd == PRC_MSGSIZE)
 		notify = tcp_mtudisc;
-	else if (!PRC_IS_REDIRECT(cmd) &&
-		 ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0))
+	else if (PRC_IS_REDIRECT(cmd)) {
+		/*
+		 * Redirects go to all references to the destination,
+		 * and use in_rtchange to invalidate the route cache.
+		 */
+		ip = 0;
+		notify = in_rtchange;
+	} else if (cmd == PRC_HOSTDEAD)
+		/*
+		 * Dead host indications: notify all references to the
+		 * destination.
+		 */
+		ip = 0;
+	else if ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0)
 		return;
 	if (ip) {
 		th = (struct tcphdr *)((caddr_t)ip 
 				       + (IP_VHL_HL(ip->ip_vhl) << 2));
 		if (tcp_seq_check == 1)
 			tcp_sequence = ntohl(th->th_seq);
-		/*
-		 * Only call in_pcbnotify if the src port number != 0, as we 
-		 * treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()
-		 *
-		 * It's sufficient to check for src|local port, as we'll have no
-		 * sessions with src|local port == 0
-		 *
-		 * Without this a attacker sending ICMP messages, where the attached 
-		 * IP header (+ 8 bytes) has the address and port numbers == 0, would
-		 * have the ICMP message applied to all sessions (modulo TCP sequence
-		 * number check).
-		 */
-		if (th->th_sport == 0)
-			return;
 		in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
 			cmd, notify, tcp_sequence, tcp_seq_check);
 	} else
-		in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0, 0);
+		in_pcbnotifyall(&tcb, sa, cmd, notify);
 }
 
 #ifdef INET6