From nobody Mon Mar 13 14:51:09 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Pb03204cLz3xnfW; Mon, 13 Mar 2023 14:51:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Pb0314HK2z40wr; Mon, 13 Mar 2023 14:51:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678719069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aq0Gx1d0rCjqVtAXIX2qrIsom9PAn8RgZ7Eji7WAe2Q=; b=eBAw0LlLIhvz5kG1KH1VBybEqjENrIVE5p/9mRDQVoggc82EOfEwG4ej45tCD/wTXSWIcF QF0D4cIM5CY5qLc5E+GipHgHK8AIRFFqorSCtBkpuMI53z0XslJ+oTFNoLRem+yD8oWLgJ lPfxZHsyGkR3wuGWTSa91ybM4nsJiHO29MhTbrM2a3bqLd5SPmVweIG7fBUX3tLXPYP6jo 9lP/lXHIpfDj0MprwRn0y0Kr/6azS9HXobK3YAL+UhF8ZwniNq0kc7LKbeCGFAA2mQwL7m t2Qni56AEzze4i56AJ27NIZgeEo5EzvtIta9hEXGHF8PAoNVtL9NgT/Id7xOCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678719069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aq0Gx1d0rCjqVtAXIX2qrIsom9PAn8RgZ7Eji7WAe2Q=; b=lxqggqG836FBd3YVQ3wI94prauCSBXfk2AaMa1mhU8rRjMUKb3PLSECxBx7ipQgCLFIYBF 0Fv9BRwnPTk79hLTHi7Qv0yKyMQI6hWzUroApN4YQIhPESR/sovlp9XEFxH+Gq286WV3Y4 BgJqikmPQjBHCHxFb75ocC6fY2TOJQULDGXTHLebx6mLI5Yx/0KpumTn90sZt9RU+9cTFC Cd90/qRwf3Vyq2ZmGJcv3PPm0inh1H5ByzbjwqxUEZEAfWHmifhbjHg7qejiSjg46ax7kK qTJf8A6TPuKJUPNXz2YXWnKe6yQrnT1PQw4lLA/Zh5xHVU+QT4ysVPD/ztuYmQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678719069; a=rsa-sha256; cv=none; b=U/F3g20ZNcu62kjOapxJ3P1Gzf3QL+0PwU2R+wjFnMWRYH9iegeQ5hS3jbPMYCvPFdH50e eC282HL2S1wXgOZ6M8GV7jZVpWTV3O4AFyBjJ38H+e04npjSa/GeO24XN6q/Ug4/x3TjH+ ztSOkdpPWt4XxBZL1V5LmHmklo0H9fatS0QQHfl6fC1aVwqgL0KaPQeji/8BS5Ikb69CrH J1QxDPqxH9WyJolQSGBlX0c077orVIrmZKPFD23bcg+a+1maHdQLDhfsj52G5kIah+6GSi vwrrLm+g6A59280NmSoypetHiaxe3kEW15PT8KlZW/FzqnBwkhuVeF7rbdafuA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Pb0313JRbzxLD; Mon, 13 Mar 2023 14:51:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32DEp90J037390; Mon, 13 Mar 2023 14:51:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32DEp9tN037389; Mon, 13 Mar 2023 14:51:09 GMT (envelope-from git) Date: Mon, 13 Mar 2023 14:51:09 GMT Message-Id: <202303131451.32DEp9tN037389@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mark Johnston Subject: git: aa71d6b4a2ec - main - netinet: Disallow unspecified addresses in ICMP-embedded packets List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: aa71d6b4a2ec3609303ca87ba75d0a2c539da9df Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=aa71d6b4a2ec3609303ca87ba75d0a2c539da9df commit aa71d6b4a2ec3609303ca87ba75d0a2c539da9df Author: Mark Johnston AuthorDate: 2023-03-13 14:45:56 +0000 Commit: Mark Johnston CommitDate: 2023-03-13 14:45:56 +0000 netinet: Disallow unspecified addresses in ICMP-embedded packets Reported by: glebius Reported by: syzbot+981c528ccb5c5534dffc@syzkaller.appspotmail.com Reviewed by: tuexen, glebius MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D38936 --- sys/netinet/ip_icmp.c | 3 ++- sys/netinet6/icmp6.c | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 98f290486ec5..9352289d62fe 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -561,7 +561,8 @@ icmp_input(struct mbuf **mp, int *offp, int proto) if (IN_MULTICAST(ntohl(icp->icmp_ip.ip_dst.s_addr))) goto badcode; /* Filter out responses to INADDR_ANY, protocols ignore it. */ - if (icp->icmp_ip.ip_dst.s_addr == INADDR_ANY) + if (icp->icmp_ip.ip_dst.s_addr == INADDR_ANY || + icp->icmp_ip.ip_src.s_addr == INADDR_ANY) goto freeit; #ifdef ICMPPRINTFS if (icmpprintfs) diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 5c94a0c56be1..4166cabdc5cb 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1070,6 +1070,14 @@ icmp6_notify_error(struct mbuf **mp, int off, int icmp6len) */ eip6 = (struct ip6_hdr *)(icmp6 + 1); + /* + * Protocol layers can't do anything useful with unspecified + * addresses. + */ + if (IN6_IS_ADDR_UNSPECIFIED(&eip6->ip6_src) || + IN6_IS_ADDR_UNSPECIFIED(&eip6->ip6_dst)) + goto freeit; + icmp6dst.sin6_len = sizeof(struct sockaddr_in6); icmp6dst.sin6_family = AF_INET6; if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))