CoCalc -- multicast.patch

GitHub Repository: freebsd/freebsd-doc
Path: blob/main/website/static/security/patches/EN-10:01/multicast.patch
¹⁸⁰⁹⁶ views
1
Index: sys/netinet/raw_ip.c
2
===================================================================
3
--- sys/netinet/raw_ip.c	(revision 200583)
4
+++ sys/netinet/raw_ip.c	(working copy)
5
@@ -343,17 +343,35 @@ rip_input(struct mbuf *m, int off)
6
 		 */
7
 		if (inp->inp_moptions != NULL &&
8
 		    IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
9
-			struct sockaddr_in group;
10
+			/*
11
+			 * If the incoming datagram is for IGMP, allow it
12
+			 * through unconditionally to the raw socket.
13
+			 *
14
+			 * In the case of IGMPv2, we may not have explicitly
15
+			 * joined the group, and may have set IFF_ALLMULTI
16
+			 * on the interface. imo_multi_filter() may discard
17
+			 * control traffic we actually need to see.
18
+			 *
19
+			 * Userland multicast routing daemons should continue
20
+			 * filter the control traffic appropriately.
21
+			 */
22
 			int blocked;
23
 
24
-			bzero(&group, sizeof(struct sockaddr_in));
25
-			group.sin_len = sizeof(struct sockaddr_in);
26
-			group.sin_family = AF_INET;
27
-			group.sin_addr = ip->ip_dst;
28
+			blocked = MCAST_PASS;
29
+			if (proto != IPPROTO_IGMP) {
30
+				struct sockaddr_in group;
31
 
32
-			blocked = imo_multi_filter(inp->inp_moptions, ifp,
33
-			    (struct sockaddr *)&group,
34
-			    (struct sockaddr *)&ripsrc);
35
+				bzero(&group, sizeof(struct sockaddr_in));
36
+				group.sin_len = sizeof(struct sockaddr_in);
37
+				group.sin_family = AF_INET;
38
+				group.sin_addr = ip->ip_dst;
39
+
40
+				blocked = imo_multi_filter(inp->inp_moptions,
41
+				    ifp,
42
+				    (struct sockaddr *)&group,
43
+				    (struct sockaddr *)&ripsrc);
44
+			}
45
+
46
 			if (blocked != MCAST_PASS) {
47
 				IPSTAT_INC(ips_notmember);
48
 				continue;
49
Index: sys/netinet6/raw_ip6.c
50
===================================================================
51
--- sys/netinet6/raw_ip6.c	(revision 200583)
52
+++ sys/netinet6/raw_ip6.c	(working copy)
53
@@ -213,17 +213,39 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
54
 		 */
55
 		if (in6p->in6p_moptions &&
56
 		    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
57
-			struct sockaddr_in6 mcaddr;
58
+			/*
59
+			 * If the incoming datagram is for MLD, allow it
60
+			 * through unconditionally to the raw socket.
61
+			 *
62
+			 * Use the M_RTALERT_MLD flag to check for MLD
63
+			 * traffic without having to inspect the mbuf chain
64
+			 * more deeply, as all MLDv1/v2 host messages MUST
65
+			 * contain the Router Alert option.
66
+			 *
67
+			 * In the case of MLDv1, we may not have explicitly
68
+			 * joined the group, and may have set IFF_ALLMULTI
69
+			 * on the interface. im6o_mc_filter() may discard
70
+			 * control traffic we actually need to see.
71
+			 *
72
+			 * Userland multicast routing daemons should continue
73
+			 * filter the control traffic appropriately.
74
+			 */
75
 			int blocked;
76
 
77
-			bzero(&mcaddr, sizeof(struct sockaddr_in6));
78
-			mcaddr.sin6_len = sizeof(struct sockaddr_in6);
79
-			mcaddr.sin6_family = AF_INET6;
80
-			mcaddr.sin6_addr = ip6->ip6_dst;
81
+			blocked = MCAST_PASS;
82
+			if ((m->m_flags & M_RTALERT_MLD) == 0) {
83
+				struct sockaddr_in6 mcaddr;
84
 
85
-			blocked = im6o_mc_filter(in6p->in6p_moptions, ifp,
86
-			    (struct sockaddr *)&mcaddr,
87
-			    (struct sockaddr *)&fromsa);
88
+				bzero(&mcaddr, sizeof(struct sockaddr_in6));
89
+				mcaddr.sin6_len = sizeof(struct sockaddr_in6);
90
+				mcaddr.sin6_family = AF_INET6;
91
+				mcaddr.sin6_addr = ip6->ip6_dst;
92
+
93
+				blocked = im6o_mc_filter(in6p->in6p_moptions,
94
+				    ifp,
95
+				    (struct sockaddr *)&mcaddr,
96
+				    (struct sockaddr *)&fromsa);
97
+			}
98
 			if (blocked != MCAST_PASS) {
99
 				IP6STAT_INC(ip6s_notmember);
100
 				continue;
101

102
Product

Resources

Company
