From iedowse@maths.tcd.ie  Sun Jan 31 15:27:22 1999
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA10222
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 31 Jan 1999 15:27:21 -0800 (PST)
          (envelope-from iedowse@maths.tcd.ie)
Received: from gosset.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa14969@salmon.maths.tcd.ie>; 31 Jan 99 23:27:20 +0000 (GMT)
Message-Id: <9901312327.aa23568@gosset.maths.tcd.ie>
Date: Sun, 31 Jan 99 23:27:20 +0000 (GMT)
From: iedowse@maths.tcd.ie
Sender: iedowse@maths.tcd.ie
Reply-To: iedowse@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Subject: ARP proxyall extra sanity check
X-Send-Pr-Version: 3.2

>Number:         9848
>Category:       kern
>Synopsis:       ARP proxyall extra sanity check
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 31 15:30:01 PST 1999
>Closed-Date:    Thu Jul 13 12:31:31 PDT 2000
>Last-Modified:  Thu Jul 13 12:34:56 PDT 2000
>Originator:     Ian Dowse
>Release:        FreeBSD 3.0-STABLE i386
>Organization:
	School of Mathematics
	Trinity College Dublin
>Environment:
	
	FreeBSD 3.0-STABLE i386, but applies to all versions
	net.link.ether.inet.proxyall=1

>Description:

	FreeBSD's ARP proxying, when enabled via sysctl, performs very few
	sanity checks before sending a proxy reply to an ARP request. It
	only checks that, according to the routing table, replies are not
	sent to the interface on which the target node is located.

	When ARP proxying is used on a router connecting two ethernet
	segments, accidentally connecting an interface to the wrong network
	is all too easy. In this case the routing table does not match the
	network topology so the interface check does no good; the network
	erupts quickly into an ARP battle :(

	The patch below provides an extra sanity check for ARP proxying. It
	checks that the request came in via the interface on which the sender
	is expected to be. In the case of a mismatch a warning is logged, and
	the ARP request is not proxied.

>How-To-Repeat:

>Fix:
	

--- if_ether.c.orig	Sun Jan 31 21:33:10 1999
+++ if_ether.c	Sun Jan 31 21:49:02 1999
@@ -582,6 +582,32 @@
 			(void)memcpy(ea->arp_tha, ea->arp_sha, sizeof(ea->arp_sha));
 			(void)memcpy(ea->arp_sha, ac->ac_enaddr, sizeof(ea->arp_sha));
 			rtfree(rt);
+
+			/*
+			 * Also check that the node which sent the ARP packet
+			 * is on the the interface we expect it to be on. This
+			 * avoids ARP chaos if an interface is connected to the
+			 * wrong network.
+			 */
+			sin.sin_addr = isaddr;
+
+			rt = rtalloc1((struct sockaddr *)&sin, 0, 0UL);
+			if (!rt) {
+				m_freem(m);
+				return;
+			}
+			if (rt->rt_ifp != &ac->ac_if) {
+				log(LOG_INFO, "arp_proxy: ignoring request"
+				    " from %s via %s%d, expecting %s%d\n",
+				    inet_ntoa(isaddr), ac->ac_if.if_name,
+				    ac->ac_if.if_unit, rt->rt_ifp->if_name,
+				    rt->rt_ifp->if_unit);
+				rtfree(rt);
+				m_freem(m);
+				return;
+			}
+			rtfree(rt);
+
 #ifdef DEBUG_PROXY
 			printf("arp: proxying for %s\n",
 			       inet_ntoa(itaddr));
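Review bot: the interface-mismatch branch calls log(LOG_INFO, ...) for every offending request with no rate limiting, so in the miswired-segment case this check is meant for, each such ARP request adds a syslog line for as long as the cabling stays wrong. Consider limiting how often the message is emitted, for example per sender or per time interval. The description also calls this a warning while the level used is LOG_INFO. The `if (!rt)` branch just above drops the request without logging anything, so a missing route to the sender leaves no trace; either log there too or state in the comment that the silent drop is intended. `sin.sin_addr = isaddr;` reuses a `sin` that is set up outside this hunk and leaves it holding the sender address afterwards, so it is worth confirming that nothing later in the function still expects the previous address in it. The new comment has a doubled word ("on the the interface").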
>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: iedowse@maths.tcd.ie
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/9848: ARP proxyall extra sanity check
Date: Mon, 1 Feb 1999 14:09:20 -0500 (EST)

 <<On Sun, 31 Jan 99 23:27:20 +0000 (GMT), iedowse@maths.tcd.ie said:
 
 > 	The patch below provides an extra sanity check for ARP proxying. It
 > 	checks that the request came in via the interface on which the sender
 > 	is expected to be. In the case of a mismatch a warning is logged, and
 > 	the ARP request is not proxied.
 
 I have no objection to this change.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Tue Jul 11 04:35:10 PDT 2000 
Responsible-Changed-Why:  
Local PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=9848 
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Thu Jul 13 12:31:31 PDT 2000 
State-Changed-Why:  
Committed in revision 1.72 of src/sys/netinet/if_ether.c 

>Unformatted:
