From traister@manta.mojozone.org  Fri Aug 22 19:05:00 1997
Received: from manta.mojozone.org (root@dfbfl1-6.gate.net [198.206.135.133])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA15389
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Aug 1997 19:04:55 -0700 (PDT)
Received: (from traister@localhost)
	by manta.mojozone.org (8.8.7/8.8.7) id WAA00386;
	Fri, 22 Aug 1997 22:04:49 -0400 (EDT)
Message-Id: <199708230204.WAA00386@manta.mojozone.org>
Date: Fri, 22 Aug 1997 22:04:49 -0400 (EDT)
From: Joe Traister <traister@mojozone.org>
Reply-To: traister@mojozone.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: ICMP echo reply to broadcast cannot be turned off
X-Send-Pr-Version: 3.2

>Number:         4361
>Category:       kern
>Synopsis:       ICMP echo reply to broadcast cannot be turned off
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 22 19:10:01 PDT 1997
>Closed-Date:    Mon Aug 25 14:31:58 PDT 1997
>Last-Modified:  Mon Aug 25 14:32:19 PDT 1997
>Originator:     Joe Traister
>Release:        FreeBSD 2.2.2-RELEASE i386
>Organization:
None
>Environment:

	2.2.2-RELEASE

>Description:

	Due to a number of exploits becoming available to attack
	networks using ICMP echo requests to broadcast addresses,
	a simple way to defeat this is highly desirable.  The patch
	below adds a sysctl variable (net.inet.icmp.broadecho) that
	controls whether or not the IP stack responds to ICMP echo
	requests to broadcast addresses of directly-connected interfaces.
	To comply with IP spec, it defaults to 'yes'.

>How-To-Repeat:

	ping the broadcast address of an ethernet with 2.2.2 boxes on it.

>Fix:

--- ip_icmp.c.dist	Fri Sep 20 04:23:54 1996
+++ ip_icmp.c	Fri Aug 22 21:17:48 1997
@@ -72,4 +72,8 @@
 	&icmpmaskrepl, 0, "");
 
+static int	icmpbroadecho = 1;
+SYSCTL_INT(_net_inet_icmp, ICMPCTL_BROADECHO, broadecho, CTLFLAG_RW,
+	&icmpbroadecho, 0, "");
+
 #ifdef ICMPPRINTFS
 int	icmpprintfs = 0;
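Review bot: the new SYSCTL_INT entry for broadecho passes an empty description string, and icmpbroadecho carries no comment, so nothing in the code states what setting it to 0 does. Suggest a short description such as "Reply to ICMP echo requests sent to broadcast addresses" and a one-line comment on the variable.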
@@ -373,4 +377,14 @@
 
 	case ICMP_ECHO:
+#define	satosin(sa)	((struct sockaddr_in *)(sa))
+		if (!icmpbroadecho) {
+			for (ia = in_ifaddr; ia; ia = ia->ia_next) {
+				if (ia->ia_ifp &&
+				    (ia->ia_ifp->if_flags & IFF_BROADCAST) &&
+				    ip->ip_dst.s_addr ==
+				satosin(&ia->ia_broadaddr)->sin_addr.s_addr)
+					goto freeit;
+			}
+		}
 		icp->icmp_type = ICMP_ECHOREPLY;
 		goto reflect;
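Review bot: in case ICMP_ECHO the loop drops a request only when ip_dst equals some interface's ia_broadaddr, so an echo request addressed to 255.255.255.255 or to a multicast group never matches and still reaches "goto reflect" with broadecho set to 0. Consider testing how the packet arrived instead, for example the M_BCAST and M_MCAST flags on the received mbuf, which would also avoid walking in_ifaddr for each echo request while the knob is off.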
@@ -387,5 +401,4 @@
 
 	case ICMP_MASKREQ:
-#define	satosin(sa)	((struct sockaddr_in *)(sa))
 		if (icmpmaskrepl == 0)
 			break;
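Review bot: with the #define removed here, case ICMP_MASKREQ now relies on the satosin macro that the patch defines inside case ICMP_ECHO. Moving the single #define to file scope, above the function, would stop the two cases from depending on their order in the switch.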
--- icmp_var.h.dist	Fri Aug 22 20:36:39 1997
+++ icmp_var.h	Fri Aug 22 20:39:12 1997
@@ -62,5 +62,6 @@
 #define	ICMPCTL_MASKREPL	1	/* allow replies to netmask requests */
 #define	ICMPCTL_STATS		2	/* statistics (read-only) */
-#define ICMPCTL_MAXID		3
+#define ICMPCTL_BROADECHO	3
+#define ICMPCTL_MAXID		4
 
 #define ICMPCTL_NAMES { \
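Review bot: ICMPCTL_BROADECHO is the only id in this list without a trailing comment, while ICMPCTL_MASKREPL and ICMPCTL_STATS each have one. Suggest adding something like /* reply to echo requests sent to broadcast */ so the header documents the new knob.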
@@ -68,4 +69,5 @@
 	{ "maskrepl", CTLTYPE_INT }, \
 	{ "stats", CTLTYPE_STRUCT }, \
+	{ "broadecho", CTLTYPE_INT }, \
 }
 
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Mon Aug 25 14:31:58 PDT 1997 
State-Changed-Why:  
Fixed in rev. 1.28 of ip_icmp.c. 
>Unformatted:
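The decision described under >Description, as a userland C model added here; it is not the submitter's patch and not FreeBSD kernel code. struct iface, SAMPLE, is_broadcast_dst and should_reply_echo are hypothetical names, and the model goes beyond the patch by also treating 255.255.255.255 as broadcast and by skipping /31 and /32 prefixes, which have no broadcast address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userland stand-in for one configured IPv4 interface address. */
struct iface {
    uint32_t addr;      /* host byte order */
    uint32_t mask;      /* host byte order */
    bool     broadcast; /* models IFF_BROADCAST */
};

/* Constructed sample configuration: a /24 Ethernet and a /31 point-to-point link. */
static const struct iface SAMPLE[] = {
    { 0xC0A8010Au, 0xFFFFFF00u, true },  /* 192.168.1.10/24 */
    { 0x0A000000u, 0xFFFFFFFEu, true },  /* 10.0.0.0/31 */
};
static const size_t NSAMPLE = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

/* True for 255.255.255.255 or the directed broadcast of any listed interface. */
static bool is_broadcast_dst(uint32_t dst, const struct iface *ifs, size_t n)
{
    if (dst == 0xFFFFFFFFu)
        return true;
    for (size_t i = 0; i < n; i++) {
        /* /31 and /32 prefixes have no broadcast address. */
        if (!ifs[i].broadcast || ifs[i].mask >= 0xFFFFFFFEu)
            continue;
        if (dst == (ifs[i].addr | ~ifs[i].mask))
            return true;
    }
    return false;
}

/* broadecho models the sysctl value: nonzero replies to every echo request. */
static bool should_reply_echo(int broadecho, uint32_t dst,
                              const struct iface *ifs, size_t n)
{
    return broadecho != 0 || !is_broadcast_dst(dst, ifs, n);
}

int main(void)
{
    /* 192.168.1.255 with the knob off: prints 0 (request dropped). */
    printf("%d\n", should_reply_echo(0, 0xC0A801FFu, SAMPLE, NSAMPLE));
    return 0;
}
```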
