[IGMP]: workaround for IGMP v1/v2 bug

From: David Stevens <dlstevens@us.ibm.com>

As explained at:

	http://www.cs.ucsb.edu/~krishna/igmp_dos/

With IGMP version 1 and 2 it is possible to inject a unicast
report to a client which will make it ignore multicast
reports sent later by the router.

The fix is to only accept the report if is was sent to a
multicast or unicast address.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index c04607b49212ec538499eee7340374427b25379b..4a195c724f012df7b4c1e036a310b71747f34362 100644 (file)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -897,7 +897,10 @@ int igmp_rcv(struct sk_buff *skb)
                /* Is it our report looped back? */
                if (((struct rtable*)skb->dst)->fl.iif == 0)
                        break;
-               igmp_heard_report(in_dev, ih->group);
+               /* don't rely on MC router hearing unicast reports */
+               if (skb->pkt_type == PACKET_MULTICAST ||
+                   skb->pkt_type == PACKET_BROADCAST)
+                       igmp_heard_report(in_dev, ih->group);
                break;
        case IGMP_PIM:
 #ifdef CONFIG_IP_PIMSM_V1

diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index f15e04ad026effec3f907f6eb2db1eb140e54c3b..fd939da090c451f848102667eecfcb60995f8a7d 100644 (file)
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1231,6 +1231,11 @@ int igmp6_event_report(struct sk_buff *skb)
        if (skb->pkt_type == PACKET_LOOPBACK)
                return 0;
 
+       /* send our report if the MC router may not have heard this report */
+       if (skb->pkt_type != PACKET_MULTICAST &&
+           skb->pkt_type != PACKET_BROADCAST)
+               return 0;
+
        if (!pskb_may_pull(skb, sizeof(struct in6_addr)))
                return -EINVAL;