Remove MAC-based loopback validation bypass

The IPv4 and IPv6 receive paths skipped all checksum validation when
the source MAC matched the device's own MAC address. Since MAC
addresses are spoofable on a local network, remove the bypass so that
checksums are always verified.

Author: archigup

source/FreeRTOS_IPv4.c

@@ -487,34 +487,28 @@ enum eFrameProcessingResult prvAllowIPPacketIPv4( const struct xIP_PACKET * cons
          * define, so that the checksum won't be checked again here */
         if( eReturn == eProcessBuffer )
         {
-            const NetworkEndPoint_t * pxEndPoint = FreeRTOS_FindEndPointOnMAC( &( pxIPPacket->xEthernetHeader.xSourceAddress ), NULL );
-
-            /* Do not check the checksum of loop-back messages. */
-            if( pxEndPoint == NULL )
+            /* Is the IP header checksum correct?
+             *
+             * NOTE: When the checksum of IP header is calculated while not omitting
+             * the checksum field, the resulting value of the checksum always is 0xffff
+             * which is denoted by ipCORRECT_CRC. See this wiki for more information:
+             * https://en.wikipedia.org/wiki/IPv4_header_checksum#Verifying_the_IPv4_header_checksum
+             * and this RFC: https://tools.ietf.org/html/rfc1624#page-4
+             */
+            if( usGenerateChecksum( 0U, ( const uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength ) != ipCORRECT_CRC )
             {
-                /* Is the IP header checksum correct?
-                 *
-                 * NOTE: When the checksum of IP header is calculated while not omitting
-                 * the checksum field, the resulting value of the checksum always is 0xffff
-                 * which is denoted by ipCORRECT_CRC. See this wiki for more information:
-                 * https://en.wikipedia.org/wiki/IPv4_header_checksum#Verifying_the_IPv4_header_checksum
-                 * and this RFC: https://tools.ietf.org/html/rfc1624#page-4
-                 */
-                if( usGenerateChecksum( 0U, ( const uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength ) != ipCORRECT_CRC )
-                {
-                    /* Check sum in IP-header not correct. */
-                    eReturn = eReleaseBuffer;
-                }
-                /* Is the upper-layer checksum (TCP/UDP/ICMP) correct? */
-                else if( usGenerateProtocolChecksum( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE ) != ipCORRECT_CRC )
-                {
-                    /* Protocol checksum not accepted. */
-                    eReturn = eReleaseBuffer;
-                }
-                else
-                {
-                    /* The checksum of the received packet is OK. */
-                }
+                /* Check sum in IP-header not correct. */
+                eReturn = eReleaseBuffer;
+            }
+            /* Is the upper-layer checksum (TCP/UDP/ICMP) correct? */
+            else if( usGenerateProtocolChecksum( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE ) != ipCORRECT_CRC )
+            {
+                /* Protocol checksum not accepted. */
+                eReturn = eReleaseBuffer;
+            }
+            else
+            {
+                /* The checksum of the received packet is OK. */
             }
         }
     }

source/FreeRTOS_IPv6.c

@@ -125,7 +125,7 @@ const struct xIPv6_Address FreeRTOS_in6addr_loopback = { { 0U, 0U, 0U, 0U, 0U, 0
             /* Check if the complete IPv6-header plus protocol data have been transferred: */
             usPayloadLength = FreeRTOS_ntohs( pxIPv6Packet->xIPHeader.usPayloadLength );
 
-            if( uxBufferLength != ( size_t ) ( ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER + ( size_t ) usPayloadLength ) )
+            if( uxBufferLength < ( size_t ) ( ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER + ( size_t ) usPayloadLength ) )
             {
                 DEBUG_SET_TRACE_VARIABLE( xLocation, 4 );
                 break;
@@ -542,22 +542,12 @@ eFrameProcessingResult_t prvAllowIPPacketIPv6( const IPHeader_IPv6_t * const pxI
          * define, so that the checksum won't be checked again here */
         if( eReturn == eProcessBuffer )
         {
-            /* MISRA Ref 11.3.1 [Misaligned access] */
-            /* More details at: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/main/MISRA.md#rule-113 */
-            /* coverity[misra_c_2012_rule_11_3_violation] */
-            const IPPacket_t * pxIPPacket = ( ( const IPPacket_t * ) pxNetworkBuffer->pucEthernetBuffer );
-            const NetworkEndPoint_t * pxEndPoint = FreeRTOS_FindEndPointOnMAC( &( pxIPPacket->xEthernetHeader.xSourceAddress ), NULL );
-
             /* IPv6 does not have a separate checksum in the IP-header */
             /* Is the upper-layer checksum (TCP/UDP/ICMP) correct? */
-            /* Do not check the checksum of loop-back messages. */
-            if( pxEndPoint == NULL )
+            if( usGenerateProtocolChecksum( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE ) != ipCORRECT_CRC )
             {
-                if( usGenerateProtocolChecksum( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE ) != ipCORRECT_CRC )
-                {
-                    /* Protocol checksum not accepted. */
-                    eReturn = eReleaseBuffer;
-                }
+                /* Protocol checksum not accepted. */
+                eReturn = eReleaseBuffer;
             }
         }
     }

test/unit-test/FreeRTOS_IPv4/FreeRTOS_IPv4_utest.c

@@ -623,7 +623,6 @@ void test_prvAllowIPPacketIPv4_EndpointDown_HappyPath( void )
     memcpy( pxIPPacket->xEthernetHeader.xDestinationAddress.ucBytes, xEndpoint.xMACAddress.ucBytes, sizeof( MACAddress_t ) );
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdFALSE );
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 
@@ -704,7 +703,6 @@ void test_prvAllowIPPacketIPv4_EndpointDown_UnHappyPathBroadcast( void )
     memset( xEndpoint.xMACAddress.ucBytes, 0xCD, sizeof( MACAddress_t ) );
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdFALSE );
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 
@@ -786,7 +784,6 @@ void test_prvAllowIPPacketIPv4_DestMACBrdCast_DestIPBroadcastAndIncorrectChkSum(
     memcpy( pxIPPacket->xEthernetHeader.xDestinationAddress.ucBytes, xBroadcastMACAddress.ucBytes, sizeof( MACAddress_t ) );
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdTRUE );
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC - 1 );
 
@@ -942,7 +939,6 @@ void test_prvAllowIPPacketIPv4_IncorrectChecksum( void )
     pxIPHeader->ulSourceIPAddress = 0xC0C00101;
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdTRUE );
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC - 1 );
 
@@ -986,7 +982,6 @@ void test_prvAllowIPPacketIPv4_IncorrectProtocolChecksum( void )
     pxIPHeader->ulSourceIPAddress = 0xC0C00101;
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdTRUE );
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 
@@ -1031,7 +1026,6 @@ void test_prvAllowIPPacketIPv4_HappyPath( void )
     pxIPHeader->ulSourceIPAddress = 0xC0C00101;
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdTRUE );
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 
@@ -1073,7 +1067,8 @@ void test_prvAllowIPPacketIPv4_LoopbackHappyPath( void )
 
     memcpy( pxIPPacket->xEthernetHeader.xDestinationAddress.ucBytes, xMACAddress.ucBytes, sizeof( MACAddress_t ) );
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( pxEndpoint );
+    usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
+    usGenerateProtocolChecksum_ExpectAndReturn( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv4( pxIPPacket, pxNetworkBuffer, uxHeaderLength );
 
@@ -1226,8 +1221,6 @@ static void xRunBadIPv4Loopback( uint32_t ulSource,
 
     if( eExpected != eReleaseBuffer )
     {
-        FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
-
         usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 
         usGenerateProtocolChecksum_ExpectAndReturn( ( uint8_t * ) ( pxNetworkBuffer->pucEthernetBuffer ), pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
@@ -1283,7 +1276,6 @@ void test_xBadIPv4Loopback_0_test( void )
 
     FreeRTOS_IsEndPointUp_ExpectAndReturn( &xEndpoint, pdTRUE );
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAnyArgsAndReturn( NULL );
 
     usGenerateChecksum_ExpectAndReturn( 0U, ( uint8_t * ) &( pxIPHeader->ucVersionHeaderLength ), ( size_t ) uxHeaderLength, ipCORRECT_CRC );
 

test/unit-test/FreeRTOS_IPv6/FreeRTOS_IPv6_utest.c

@@ -104,7 +104,6 @@ void test_prvAllowIPPacketIPv6_HappyPath()
 
     pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -126,7 +125,6 @@ void test_prvAllowIPPacketIPv6_MulticastAddress()
     memcpy( pxTCPPacket->xIPHeader.xDestinationAddress.ucBytes, xMCIPAddress.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &( pxTCPPacket->xIPHeader.xSourceAddress ), pxNetworkBuffer->pxEndPoint );
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -152,7 +150,6 @@ void test_prvAllowIPPacketIPv6_LoopbackAddress()
 
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 0 );
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -174,7 +171,6 @@ void test_prvAllowIPPacketIPv6_LoopbackNotMatchDest()
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, pxNetworkBuffer->pxEndPoint );
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 0 );
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -218,7 +214,6 @@ void test_prvAllowIPPacketIPv6_NetworkDown()
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, NULL );
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 0 );
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -237,7 +232,7 @@ void test_prvAllowIPPacketIPv6_SelfSend()
 
     pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, pxNetworkBuffer->pxEndPoint );
+    usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
     TEST_ASSERT_EQUAL( eProcessBuffer, eResult );
@@ -255,7 +250,6 @@ void test_prvAllowIPPacketIPv6_ChecksumError()
 
     pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
 
-    FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipWRONG_CRC );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );