1 files changed, 10 insertions, 0 deletions
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 7e5df23cbe7b..3d71c7d6102c 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -223,6 +223,16 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
        if (ipv6_addr_is_multicast(&hdr->saddr))
                goto err;
+        /* While RFC4291 is not explicit about v4mapped addresses
+         * in IPv6 headers, it seems clear linux dual-stack
+         * model can not deal properly with these.
+         * Security models could be fooled by ::ffff:127.0.0.1 for example.
+         *
+         * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+         */
+        if (ipv6_addr_v4mapped(&hdr->saddr))
+                goto err;
        skb->transport_header = skb->network_header + sizeof(*hdr);
        IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index 7e5df23cbe7b..3d71c7d6102c 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c
@@ -223,6 +223,16 @@ static struct sk_buff ip6_rcv_core(struct sk_buff skb, struct net_device *dev,
223	if (ipv6_addr_is_multicast(&hdr->saddr))	223	if (ipv6_addr_is_multicast(&hdr->saddr))
224	goto err;	224	goto err;
225		225
		226	/* While RFC4291 is not explicit about v4mapped addresses
		227	* in IPv6 headers, it seems clear linux dual-stack
		228	* model can not deal properly with these.
		229	* Security models could be fooled by ::ffff:127.0.0.1 for example.
		230	*
		231	* https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
		232	*/
		233	if (ipv6_addr_v4mapped(&hdr->saddr))
		234	goto err;
		235
226	skb->transport_header = skb->network_header + sizeof(*hdr);	236	skb->transport_header = skb->network_header + sizeof(*hdr);
227	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);	237	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
228		238