diff options
author | Stephen Hemminger <shemminger@osdl.org> | 2005-05-29 23:15:55 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-05-29 23:15:55 +0200 |
commit | 85967bb46dd1f8f2c49b85a313866c00ac0c9b59 (patch) | |
tree | 3de44cb857e648d57e74baa047a0c89a96a00893 /net/bridge/br_input.c | |
parent | [BRIDGE]: set features based on enslaved devices (diff) | |
download | linux-85967bb46dd1f8f2c49b85a313866c00ac0c9b59.tar.xz linux-85967bb46dd1f8f2c49b85a313866c00ac0c9b59.zip |
[BRIDGE]: prevent bad forwarding table updates
Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on hostile
side of bridge from causing packet leakage, a small but possible security
risk.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge/br_input.c')
-rw-r--r-- | net/bridge/br_input.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 2b1cce46cab4..2aa5dda24a08 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buff *skb) struct net_bridge_fdb_entry *dst; int passedup = 0; + /* insert into forwarding database after filtering to avoid spoofing */ + br_fdb_update(p->br, p, eth_hdr(skb)->h_source); + if (br->dev->flags & IFF_PROMISC) { struct sk_buff *skb2; @@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb) if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) goto err; - if (p->state == BR_STATE_LEARNING || - p->state == BR_STATE_FORWARDING) + if (p->state == BR_STATE_LEARNING) br_fdb_update(p->br, p, eth_hdr(skb)->h_source); if (p->br->stp_enabled && |