From 8d39b1a152292b192e5a8bb43102f1c48836b1f7 Mon Sep 17 00:00:00 2001 From: fbernon Date: Sun, 30 Dec 2007 01:09:11 +0000 Subject: [PATCH] ip.c: Fix bug #21846 "LwIP doesn't appear to perform any IP Source Address Filtering" reported by Tom Evans. --- CHANGELOG | 4 ++++ src/core/ipv4/ip.c | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 15f7dd21..714a27b4 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -19,6 +19,10 @@ HISTORY ++ New features: + 2007-12-31 Frédéric Bernon, Tom Evans + * ip.c: Fix bug #21846 "LwIP doesn't appear to perform any IP Source Address + Filtering" reported by Tom Evans. + 2007-12-21 Frédéric Bernon, Simon Goldschmidt, Jonathan Larmour * tcp.h, opt.h, api.h, api_msg.h, tcp.c, tcp_in.c, api_lib.c, api_msg.c, sockets.c, init.c: task #7252: Implement TCP listen backlog: Warning: raw API diff --git a/src/core/ipv4/ip.c b/src/core/ipv4/ip.c index e59a71f1..8165cd69 100644 --- a/src/core/ipv4/ip.c +++ b/src/core/ipv4/ip.c @@ -178,6 +178,9 @@ ip_input(struct pbuf *p, struct netif *inp) struct ip_hdr *iphdr; struct netif *netif; u16_t iphdrlen; +#if LWIP_DHCP + int ipsrcchecking=1; +#endif /* LWIP_DHCP */ IP_STATS_INC(ip.recv); snmp_inc_ipinreceives(); @@ -193,6 +196,7 @@ ip_input(struct pbuf *p, struct netif *inp) snmp_inc_ipinhdrerrors(); return ERR_OK; } + /* obtain IP header length in number of 32-bit words */ iphdrlen = IPH_HL(iphdr); /* calculate IP header length in bytes */ @@ -288,10 +292,29 @@ ip_input(struct pbuf *p, struct netif *inp) if (ntohs(((struct udp_hdr *)((u8_t *)iphdr + iphdrlen))->dest) == DHCP_CLIENT_PORT) { LWIP_DEBUGF(IP_DEBUG | LWIP_DBG_TRACE | 1, ("ip_input: DHCP packet accepted.\n")); netif = inp; + ipsrcchecking = 0; } } } #endif /* LWIP_DHCP */ + + /* broadcast or multicast packet source address? Compliant with RFC 1122: 3.2.1.3 */ +#if LWIP_DHCP + if (ipsrcchecking) +#endif /* LWIP_DHCP */ + { if ((ip_addr_isbroadcast(&(iphdr->src), inp)) || + (ip_addr_ismulticast(&(iphdr->src)))) { + /* packet source is not valid */ + LWIP_DEBUGF(IP_DEBUG | LWIP_DBG_TRACE | 1, ("ip_input: packet source is not valid.\n")); + /* free (drop) packet pbufs */ + pbuf_free(p); + IP_STATS_INC(ip.drop); + snmp_inc_ipinaddrerrors(); + snmp_inc_ipindiscards(); + return ERR_OK; + } + } + /* packet not for us? */ if (netif == NULL) { /* packet not for us, route or discard */