net: ipv4: Check localhost for incoming packet

If we receive a packet from non localhost interface, then drop it if either source or destination address is a localhost address. Signed-off-by: Jukka Rissanen <[email protected]> (cherry picked from commit 6d41e68)
zephyrproject-rtos · Dec 22, 2023 · 05867dc · 05867dc
1 parent ce4c30f
commit 05867dc
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 9 deletions.
diff --git a/subsys/net/ip/ipv4.c b/subsys/net/ip/ipv4.c
@@ -210,7 +210,7 @@ int net_ipv4_parse_hdr_options(struct net_pkt *pkt,
 }
 #endif
 
-enum net_verdict net_ipv4_input(struct net_pkt *pkt)
+enum net_verdict net_ipv4_input(struct net_pkt *pkt, bool is_loopback)
 {
 	NET_PKT_DATA_ACCESS_CONTIGUOUS_DEFINE(ipv4_access, struct net_ipv4_hdr);
 	NET_PKT_DATA_ACCESS_DEFINE(udp_access, struct net_udp_hdr);
@@ -266,6 +266,14 @@ enum net_verdict net_ipv4_input(struct net_pkt *pkt)
 		net_pkt_update_length(pkt, pkt_len);
 	}
 
+	if (!is_loopback) {
+		if (net_ipv4_is_addr_loopback(&hdr->dst) ||
+		    net_ipv4_is_addr_loopback(&hdr->src)) {
+			NET_DBG("DROP: localhost packet");
+			goto drop;
+		}
+	}
+
 	if (net_ipv4_is_addr_mcast(&hdr->src)) {
 		NET_DBG("DROP: src addr is %s", "mcast");
 		goto drop;

diff --git a/subsys/net/ip/net_core.c b/subsys/net/ip/net_core.c
@@ -123,7 +123,7 @@ static inline enum net_verdict process_data(struct net_pkt *pkt,
 #endif
 #if defined(CONFIG_NET_IPV4)
 	case 0x40:
-		return net_ipv4_input(pkt);
+		return net_ipv4_input(pkt, is_loopback);
 #endif
 	}
 

diff --git a/subsys/net/ip/net_private.h b/subsys/net/ip/net_private.h
@@ -69,12 +69,14 @@ static inline const char *net_context_state(struct net_context *context)
 #endif
 
 #if defined(CONFIG_NET_NATIVE)
-enum net_verdict net_ipv4_input(struct net_pkt *pkt);
+enum net_verdict net_ipv4_input(struct net_pkt *pkt, bool is_loopback);
 enum net_verdict net_ipv6_input(struct net_pkt *pkt, bool is_loopback);
 #else
-static inline enum net_verdict net_ipv4_input(struct net_pkt *pkt)
+static inline enum net_verdict net_ipv4_input(struct net_pkt *pkt,
+					      bool is_loopback)
 {
 	ARG_UNUSED(pkt);
+	ARG_UNUSED(is_loopback);
 
 	return NET_CONTINUE;
 }

diff --git a/tests/net/icmpv4/src/main.c b/tests/net/icmpv4/src/main.c
@@ -440,7 +440,7 @@ static void test_icmpv4_send_echo_req(void)
 		zassert_true(false, "EchoRequest packet prep failed");
 	}
 
-	if (net_ipv4_input(pkt)) {
+	if (net_ipv4_input(pkt, false)) {
 		net_pkt_unref(pkt);
 		zassert_true(false, "Failed to send");
 	}
@@ -457,7 +457,7 @@ static void test_icmpv4_send_echo_rep(void)
 		zassert_true(false, "EchoReply packet prep failed");
 	}
 
-	if (net_ipv4_input(pkt)) {
+	if (net_ipv4_input(pkt, false)) {
 		net_pkt_unref(pkt);
 		zassert_true(false, "Failed to send");
 	}
@@ -476,7 +476,7 @@ static void test_icmpv4_send_echo_req_opt(void)
 		zassert_true(false, "EchoRequest with opts packet prep failed");
 	}
 
-	if (net_ipv4_input(pkt)) {
+	if (net_ipv4_input(pkt, false)) {
 		net_pkt_unref(pkt);
 		zassert_true(false, "Failed to send");
 	}
@@ -492,7 +492,7 @@ static void test_icmpv4_send_echo_req_bad_opt(void)
 			     "EchoRequest with bad opts packet prep failed");
 	}
 
-	if (!net_ipv4_input(pkt)) {
+	if (!net_ipv4_input(pkt, false)) {
 		net_pkt_unref(pkt);
 		zassert_true(false, "Failed to send");
 	}

diff --git a/tests/net/virtual/src/main.c b/tests/net/virtual/src/main.c
@@ -976,7 +976,7 @@ static void test_virtual_recv_data_from_tunnel(int remote_ip,
 	net_pkt_cursor_init(outer);
 
 	if (peer_addr.sa_family == AF_INET) {
-		verdict = net_ipv4_input(outer);
+		verdict = net_ipv4_input(outer, false);
 	} else {
 		verdict = net_ipv6_input(outer, false);
 	}