[BRIDGE]: prevent bad forwarding table updates

Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on hostile
side of bridge from causing packet leakage, a small but possible security
risk.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 2b1cce46cab42f71faee654e91c9fdfc2a224551..2aa5dda24a08a1cdc1ea96bb8375f2602ef82d75 100644 (file)
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
        struct net_bridge_fdb_entry *dst;
        int passedup = 0;
 
+       /* insert into forwarding database after filtering to avoid spoofing */
+       br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
+
        if (br->dev->flags & IFF_PROMISC) {
                struct sk_buff *skb2;
 
@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb)
        if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
                goto err;
 
-       if (p->state == BR_STATE_LEARNING ||
-           p->state == BR_STATE_FORWARDING)
+       if (p->state == BR_STATE_LEARNING)
                br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
 
        if (p->br->stp_enabled &&

diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index b91a875aca01c23f0b37b7916cad225e0c5f9fe5..d071f1c9ad0b00076c18ce677ed1ccba0bc300ec 100644 (file)
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *skb)
        struct net_bridge *br = p->br;
        unsigned char *buf;
 
+       /* insert into forwarding database after filtering to avoid spoofing */
+       br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
+
        /* need at least the 802 and STP headers */
        if (!pskb_may_pull(skb, sizeof(header)+1) ||
            memcmp(skb->data, header, sizeof(header)))