diff options
| author | gVisor bot <gvisor-bot@google.com> | 2020-07-09 22:33:53 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2020-07-09 22:35:42 -0700 |
| commit | 5df3a8fedef7e54550d4c6b7172e25216600ee9f (patch) | |
| tree | aa2cf2c00315018049f4f09b0e966678b3804337 /pkg/sentry/socket/netstack | |
| parent | 5946f111827fa4e342a2e6e9c043c198d2e5cb03 (diff) | |
Discard multicast UDP source address.
RFC-1122 (and others) specify that UDP should not receive
datagrams that have a source address that is a multicast address.
Packets should never be received FROM a multicast address.
See also, RFC 768: 'User Datagram Protocol'
J. Postel, ISI, 28 August 1980
A UDP datagram received with an invalid IP source address
(e.g., a broadcast or multicast address) must be discarded
by UDP or by the IP layer (see rfc 1122 Section 3.2.1.3).
This CL does not address TCP or broadcast which is more complicated.
Also adds a test for both ipv6 and ipv4 UDP.
Fixes #3154
PiperOrigin-RevId: 320547674
Diffstat (limited to 'pkg/sentry/socket/netstack')
| -rw-r--r-- | pkg/sentry/socket/netstack/netstack.go | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go index 3b248a953..5a3cedd7c 100644 --- a/pkg/sentry/socket/netstack/netstack.go +++ b/pkg/sentry/socket/netstack/netstack.go @@ -192,6 +192,7 @@ var Metrics = tcpip.Stats{ PacketsSent: mustCreateMetric("/netstack/udp/packets_sent", "Number of UDP datagrams sent."), PacketSendErrors: mustCreateMetric("/netstack/udp/packet_send_errors", "Number of UDP datagrams failed to be sent."), ChecksumErrors: mustCreateMetric("/netstack/udp/checksum_errors", "Number of UDP datagrams dropped due to bad checksums."), + InvalidSourceAddress: mustCreateMetric("/netstack/udp/invalid_source", "Number of UDP datagrams dropped due to invalid source address."), }, } |