Commit 85967bb4 authored by Stephen Hemminger's avatar Stephen Hemminger Committed by David S. Miller

[BRIDGE]: prevent bad forwarding table updates

Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on hostile
side of bridge from causing packet leakage, a small but possible security
risk.
Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 81d35307
...@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buff *skb) ...@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
struct net_bridge_fdb_entry *dst; struct net_bridge_fdb_entry *dst;
int passedup = 0; int passedup = 0;
/* insert into forwarding database after filtering to avoid spoofing */
br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
if (br->dev->flags & IFF_PROMISC) { if (br->dev->flags & IFF_PROMISC) {
struct sk_buff *skb2; struct sk_buff *skb2;
...@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb) ...@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb)
if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
goto err; goto err;
if (p->state == BR_STATE_LEARNING || if (p->state == BR_STATE_LEARNING)
p->state == BR_STATE_FORWARDING)
br_fdb_update(p->br, p, eth_hdr(skb)->h_source); br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
if (p->br->stp_enabled && if (p->br->stp_enabled &&
......
...@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *skb) ...@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *skb)
struct net_bridge *br = p->br; struct net_bridge *br = p->br;
unsigned char *buf; unsigned char *buf;
/* insert into forwarding database after filtering to avoid spoofing */
br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
/* need at least the 802 and STP headers */ /* need at least the 802 and STP headers */
if (!pskb_may_pull(skb, sizeof(header)+1) || if (!pskb_may_pull(skb, sizeof(header)+1) ||
memcmp(skb->data, header, sizeof(header))) memcmp(skb->data, header, sizeof(header)))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment