removed ETHARP_TRUST_IP_MAC since it is insecure and we no longer need it after implementing unicast ARP renewal towards ARP entry timeout

goldsimon 2016-08-23 13:00:15 +02:00
parent fc54556d80
commit d99d91dae9
5 changed files with 4 additions and 69 deletions


@ -328,6 +328,10 @@ HISTORY
++ Bugfixes: ++ Bugfixes:
2016-08-23: Simon Goldschmidt
* etharp: removed ETHARP_TRUST_IP_MAC since it is insecure and we don't need
it any more after implementing unicast ARP renewal towards arp entry timeout
2016-07-20: Simon Goldschmidt 2016-07-20: Simon Goldschmidt
* memp.h/.c: fixed bug #48442 (memp stats don't work for MEMP_MEM_MALLOC) * memp.h/.c: fixed bug #48442 (memp stats don't work for MEMP_MEM_MALLOC)


@ -616,56 +616,6 @@ etharp_get_entry(u8_t i, ip4_addr_t **ipaddr, struct netif **netif, struct eth_a
} }
} }
#if ETHARP_TRUST_IP_MAC
/**
* Updates the ARP table using the given IP packet.
*
* Uses the incoming IP packet's source address to update the
* ARP cache for the local network. The function does not alter
* or free the packet. This function must be called before the
* packet p is passed to the IP layer.
*
* @param netif The lwIP network interface on which the IP packet pbuf arrived.
* @param p The IP packet that arrived on netif.
*
* @return NULL
*
* @see pbuf_free()
*/
void
etharp_ip_input(struct netif *netif, struct pbuf *p)
{
struct eth_hdr *ethhdr;
struct ip_hdr *iphdr;
ip4_addr_t iphdr_src;
LWIP_ERROR("netif != NULL", (netif != NULL), return;);
/* Only insert an entry if the source IP address of the
incoming IP packet comes from a host on the local network. */
ethhdr = (struct eth_hdr *)p->payload;
iphdr = (struct ip_hdr *)((u8_t*)ethhdr + SIZEOF_ETH_HDR);
#if ETHARP_SUPPORT_VLAN
if (ethhdr->type == PP_HTONS(ETHTYPE_VLAN)) {
iphdr = (struct ip_hdr *)((u8_t*)ethhdr + SIZEOF_ETH_HDR + SIZEOF_VLAN_HDR);
}
#endif /* ETHARP_SUPPORT_VLAN */
ip4_addr_copy(iphdr_src, iphdr->src);
/* source is not on the local network? */
if (!ip4_addr_netcmp(&iphdr_src, netif_ip4_addr(netif), netif_ip4_netmask(netif))) {
/* do nothing */
return;
}
LWIP_DEBUGF(ETHARP_DEBUG | LWIP_DBG_TRACE, ("etharp_ip_input: updating ETHARP table.\n"));
/* update the source IP address in the cache, if present */
/* @todo We could use ETHARP_FLAG_TRY_HARD if we think we are going to talk
* back soon (for example, if the destination IP address is ours. */
etharp_update_arp_entry(netif, &iphdr_src, &(ethhdr->src), ETHARP_FLAG_FIND_ONLY);
}
#endif /* ETHARP_TRUST_IP_MAC */
/** /**
* Responds to ARP requests to us. Upon ARP replies to us, add entry to cache * Responds to ARP requests to us. Upon ARP replies to us, add entry to cache
* send out queued IP packets. Updates cache with snooped address pairs. * send out queued IP packets. Updates cache with snooped address pairs.


@ -94,7 +94,6 @@ err_t etharp_request(struct netif *netif, const ip4_addr_t *ipaddr);
* From RFC 3220 "IP Mobility Support for IPv4" section 4.6. */ * From RFC 3220 "IP Mobility Support for IPv4" section 4.6. */
#define etharp_gratuitous(netif) etharp_request((netif), netif_ip4_addr(netif)) #define etharp_gratuitous(netif) etharp_request((netif), netif_ip4_addr(netif))
void etharp_cleanup_netif(struct netif *netif); void etharp_cleanup_netif(struct netif *netif);
void etharp_ip_input(struct netif *netif, struct pbuf *p);
#if ETHARP_SUPPORT_STATIC_ENTRIES #if ETHARP_SUPPORT_STATIC_ENTRIES
err_t etharp_add_static_entry(const ip4_addr_t *ipaddr, struct eth_addr *ethaddr); err_t etharp_add_static_entry(const ip4_addr_t *ipaddr, struct eth_addr *ethaddr);


@ -576,20 +576,6 @@
#define ARP_QUEUE_LEN 3 #define ARP_QUEUE_LEN 3
#endif #endif
/**
* ETHARP_TRUST_IP_MAC==1: Incoming IP packets cause the ARP table to be
* updated with the source MAC and IP addresses supplied in the packet.
* You may want to disable this if you do not trust LAN peers to have the
* correct addresses, or as a limited approach to attempt to handle
* spoofing. If disabled, lwIP will need to make a new ARP request if
* the peer is not already in the ARP table, adding a little latency.
* The peer *is* in the ARP table if it requested our address before.
* Also notice that this slows down input processing of every IP packet!
*/
#if !defined ETHARP_TRUST_IP_MAC || defined __DOXYGEN__
#define ETHARP_TRUST_IP_MAC 0
#endif
/** /**
* ETHARP_SUPPORT_VLAN==1: support receiving and sending ethernet packets with * ETHARP_SUPPORT_VLAN==1: support receiving and sending ethernet packets with
* VLAN header. See the description of LWIP_HOOK_VLAN_CHECK and * VLAN header. See the description of LWIP_HOOK_VLAN_CHECK and


@ -157,10 +157,6 @@ ethernet_input(struct pbuf *p, struct netif *netif)
if (!(netif->flags & NETIF_FLAG_ETHARP)) { if (!(netif->flags & NETIF_FLAG_ETHARP)) {
goto free_and_return; goto free_and_return;
} }
#if ETHARP_TRUST_IP_MAC
/* update ARP table */
etharp_ip_input(netif, p);
#endif /* ETHARP_TRUST_IP_MAC */
/* skip Ethernet header */ /* skip Ethernet header */
if ((p->len < ip_hdr_offset) || pbuf_header(p, (s16_t)-ip_hdr_offset)) { if ((p->len < ip_hdr_offset) || pbuf_header(p, (s16_t)-ip_hdr_offset)) {
LWIP_DEBUGF(ETHARP_DEBUG | LWIP_DBG_TRACE | LWIP_DBG_LEVEL_WARNING, LWIP_DEBUGF(ETHARP_DEBUG | LWIP_DBG_TRACE | LWIP_DBG_LEVEL_WARNING,