
[lwip-commits] [SCM] lwIP - A Lightweight TCPIP stack branch, master, up

From: Simon Goldschmidt
Subject: [lwip-commits] [SCM] lwIP - A Lightweight TCPIP stack branch, master, updated. 68ec20fffc2e98dd9b9fdc0d606fe5e718a16754
Date: Tue, 22 Nov 2016 19:52:44 +0000 (UTC)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "lwIP - A Lightweight TCPIP stack".

The branch, master has been updated
       via  68ec20fffc2e98dd9b9fdc0d606fe5e718a16754 (commit)
      from  4076b12ee93e13fc60c59cf92068588489a96608 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 68ec20fffc2e98dd9b9fdc0d606fe5e718a16754
Author: David van Moolenbroek <address@hidden>
Date:   Tue Nov 22 18:36:51 2016 +0000

    ipv4/ipv6: restrict loopback-destined traffic

    Generally speaking, packets with a loopback destination address - for IPv4 and ::1 for IPv6 - should not be accepted on
    non-loopback interfaces.  For IPv4, this is implied by RFC 1122
    Sec.  For IPv6, it is mandated by RFC 4291 Sec. 2.5.3.

    Failure to perform this filtering may have security implications, as
    applications that bind sockets to loopback addresses may not expect
    that nodes on the local external network be able to produce traffic
    that will arrive at such sockets.

    With this patch, lwIP drops packets that are sent to a loopback
    address but do not originate from the interface that has the loopback
    address assigned to it.  This approach works regardless of whether it
    is lwIP or the system using it that implements a loopback netif.  The
    only exception that must be made is for configurations that enable
    netif packet loopback but disable the lwIP loopback netif: in that
    case, loopback packets are routed across non-loopback netifs and would
    thus be lost by the new filter as well.

    For IPv6, loopback-destined packets are also no longer forwarded; the
    IPv4 forwarding code already had a check for that.

    As a small performance improvement, the IPv6 link-local/loopback
    address check is now performed only once per packet rather than
    repeatedly for every candidate netif.


Summary of changes:
 src/core/ipv4/ip4.c |    9 +++++++++
 src/core/ipv6/ip6.c |   24 +++++++++++++++++-------
 2 files changed, 26 insertions(+), 7 deletions(-)
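
The filtering rule described in the commit message above, modelled in C as an added example; it is not lwIP's code and not part of the original email. All type, function and variable names are hypothetical, each interface is assumed to hold one address per family, the sample addresses are constructed, and IPv4 loopback is taken to be 127.0.0.0/8.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model types, not lwIP's own structures. */
struct iface { uint32_t ip4; uint8_t ip6[16]; };  /* addresses assigned to the netif */
struct cfg   { bool netif_pkt_loopback;           /* netifs loop packets back themselves */
               bool have_loopif; };               /* a dedicated loopback netif exists */

/* Constructed sample data: 127.0.0.1 / ::1 and 192.0.2.10 / 2001:db8::10. */
const uint8_t IP6_LOOPBACK[16] = { [15] = 1 };
const struct iface LO_IF  = { 0x7F000001u, { [15] = 1 } };
const struct iface ETH_IF = { 0xC000020Au, { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x10 } };
const struct cfg WITH_LOOPIF = { false, true };   /* filter applies */
const struct cfg NETIF_ONLY  = { true, false };   /* the exception described above */

bool ip4_is_loopback(uint32_t a) { return (a >> 24) == 127; }
bool ip6_is_loopback(const uint8_t *a) { return memcmp(a, IP6_LOOPBACK, 16) == 0; }

/* With netif packet loopback enabled but no loopback netif, loopback traffic
 * legitimately crosses ordinary netifs, so the filter must stay off. */
bool filter_active(const struct cfg *c)
{
    return !(c->netif_pkt_loopback && !c->have_loopif);
}

/* Input check: a loopback destination is accepted only when the packet arrives
 * on the interface that has a loopback address assigned to it. */
bool accept_ip4(const struct cfg *c, const struct iface *in, uint32_t dst)
{
    return !(filter_active(c) && ip4_is_loopback(dst) && !ip4_is_loopback(in->ip4));
}

bool accept_ip6(const struct cfg *c, const struct iface *in, const uint8_t *dst)
{
    return !(filter_active(c) && ip6_is_loopback(dst) && !ip6_is_loopback(in->ip6));
}

/* Forwarding check: loopback-destined IPv6 packets are never forwarded. */
bool may_forward_ip6(const uint8_t *dst) { return !ip6_is_loopback(dst); }

int main(void)
{
    printf("127.0.0.1 via eth: %s\n", accept_ip4(&WITH_LOOPIF, &ETH_IF, 0x7F000001u) ? "accept" : "drop");
    printf("127.0.0.1 via lo:  %s\n", accept_ip4(&WITH_LOOPIF, &LO_IF, 0x7F000001u) ? "accept" : "drop");
    printf("::1 via eth:       %s\n", accept_ip6(&WITH_LOOPIF, &ETH_IF, IP6_LOOPBACK) ? "accept" : "drop");
    return 0;
}
```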
