From d195edb95a543f7eebbd0a164e8ff3bef599370a Mon Sep 17 00:00:00 2001
|
|
From: Thomas Haller <thaller@redhat.com>
|
|
Date: Wed, 8 Apr 2015 15:54:30 +0200
|
|
Subject: [PATCH] platform: don't accept lowering IPv6 hop-limit from RA
|
|
(CVE-2015-2924)
|
|
|
|
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
|
|
http://seclists.org/oss-sec/2015/q2/46
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1209902
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1209903
|
|
(cherry picked from commit bdaaf9849b0cacf131b71fa2ae168f5db796874f)
|
|
|
|
Conflicts:
|
|
src/devices/nm-device.c
|
|
src/nm-iface-helper.c
|
|
src/platform/nm-platform.h
|
|
---
|
|
src/devices/nm-device.c | 10 ++--------
|
|
src/platform/nm-platform.c | 32 ++++++++++++++++++++++++++++++++
|
|
src/platform/nm-platform.h | 2 ++
|
|
3 files changed, 36 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
|
|
index 7ab51e4..8cdf01b 100644
|
|
--- a/src/devices/nm-device.c
|
|
+++ b/src/devices/nm-device.c
|
|
@@ -3716,14 +3716,8 @@ rdisc_config_changed (NMRDisc *rdisc, NMRDiscConfigMap changed, NMDevice *device
|
|
}
|
|
}
|
|
|
|
- /* hop_limit == 0 is a special value "unspecified", so do not touch
|
|
- * in this case */
|
|
- if (changed & NM_RDISC_CONFIG_HOP_LIMIT && rdisc->hop_limit > 0) {
|
|
- char val[16];
|
|
-
|
|
- g_snprintf (val, sizeof (val), "%d", rdisc->hop_limit);
|
|
- nm_device_ipv6_sysctl_set (device, "hop_limit", val);
|
|
- }
|
|
+ if (changed & NM_RDISC_CONFIG_HOP_LIMIT)
|
|
+ nm_platform_sysctl_set_ip6_hop_limit_safe (nm_device_get_ip_iface (device), rdisc->hop_limit);
|
|
|
|
nm_device_activate_schedule_ip6_config_result (device);
|
|
}
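Review bot: The gboolean result of `nm_platform_sysctl_set_ip6_hop_limit_safe` is discarded on the new call line, so an RA that tries to lower the hop-limit (the very case this commit is about) is rejected silently and leaves nothing for an operator to notice. Keeping the result and emitting a debug-level log line on FALSE, using whatever logging macro the file already uses, would make the refusal visible without changing behaviour. The removed comment explaining that hop_limit == 0 means "unspecified" is also gone; since the helper now handles that case through its lower bound, a one-line comment such as `/* 0 ("unspecified") and out-of-range values are rejected by the helper */` keeps the intent readable at the call site. rdisc_config_changed begins outside the hunk.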
|
|
diff --git a/src/platform/nm-platform.c b/src/platform/nm-platform.c
|
|
index e95d6af..9629d9d 100644
|
|
--- a/src/platform/nm-platform.c
|
|
+++ b/src/platform/nm-platform.c
|
|
@@ -240,6 +240,38 @@ nm_platform_sysctl_set (const char *path, const char *value)
|
|
return klass->sysctl_set (platform, path, value);
|
|
}
|
|
|
|
+gboolean
|
|
+nm_platform_sysctl_set_ip6_hop_limit_safe (const char *iface, int value)
|
|
+{
|
|
+ const char *path;
|
|
+ gint64 cur;
|
|
+
|
|
+ /* the hop-limit provided via RA is uint8. */
|
|
+ if (value > 0xFF)
|
|
+ return FALSE;
|
|
+
|
|
+ /* don't allow unreasonable small values */
|
|
+ if (value < 10)
|
|
+ return FALSE;
|
|
+
|
|
+ path = nm_utils_ip6_property_path (iface, "hop_limit");
|
|
+ cur = nm_platform_sysctl_get_int_checked (path, 10, 1, G_MAXINT32, -1);
|
|
+
|
|
+ /* only allow increasing the hop-limit to avoid DOS by an attacker
|
|
+ * setting a low hop-limit (CVE-2015-2924, rh#1209902) */
|
|
+
|
|
+ if (value < cur)
|
|
+ return FALSE;
|
|
+ if (value != cur) {
|
|
+ char svalue[20];
|
|
+
|
|
+ sprintf (svalue, "%d", value);
|
|
+ nm_platform_sysctl_set (path, svalue);
|
|
+ }
|
|
+
|
|
+ return TRUE;
|
|
+}
|
|
+
|
|
/**
|
|
* nm_platform_sysctl_get:
|
|
* @path: Absolute path to sysctl
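Review bot: The result of `nm_platform_sysctl_set (path, svalue)` is dropped and the function returns TRUE unconditionally, so a caller cannot distinguish a refused value from a failed write; `return nm_platform_sysctl_set (path, svalue);` inside the `value != cur` branch fixes that. The -1 fallback from `nm_platform_sysctl_get_int_checked` is also treated like a very low current value: when the read fails, `value < cur` is false and the write goes ahead, which may be intended but deserves either an explicit `if (cur < 0) return FALSE;` or a comment stating that the write is attempted regardless. `sprintf` into `svalue[20]` is safe here only because value is already bounded to 10..255 by the checks above; the code this commit removes from nm-device.c used `g_snprintf (val, sizeof (val), "%d", ...)`, and matching it keeps the bound explicit. The neighbouring nm_platform_sysctl_get carries a gtk-doc block while the new function has none; a `/** nm_platform_sysctl_set_ip6_hop_limit_safe: ... */` comment giving the accepted range, the "never lowers the current value" rule and the TRUE/FALSE meaning would match the file's style.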
|
|
diff --git a/src/platform/nm-platform.h b/src/platform/nm-platform.h
|
|
index 275557c..6a1e503 100644
|
|
--- a/src/platform/nm-platform.h
|
|
+++ b/src/platform/nm-platform.h
|
|
@@ -504,6 +504,8 @@ char *nm_platform_sysctl_get (const char *path);
|
|
gint32 nm_platform_sysctl_get_int32 (const char *path, gint32 fallback);
|
|
gint64 nm_platform_sysctl_get_int_checked (const char *path, guint base, gint64 min, gint64 max, gint64 fallback);
|
|
|
|
+gboolean nm_platform_sysctl_set_ip6_hop_limit_safe (const char *iface, int value);
|
|
+
|
|
gboolean nm_platform_link_get (int ifindex, NMPlatformLink *link);
|
|
GArray *nm_platform_link_get_all (void);
|
|
gboolean nm_platform_dummy_add (const char *name);
|
|
--
|
|
2.4.0
|
|
|