DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
This commit is contained in:
Josh Boyer
parent
25858fdbdc
commit
25030b1ea2
|
|
@ -0,0 +1,46 @@
|
|||
From: "D.S. Ljungmark" <ljungmark@modio.se>
|
||||
Date: Wed, 25 Mar 2015 09:28:15 +0100
|
||||
Subject: [PATCH] ipv6: Don't reduce hop limit for an interface
|
||||
|
||||
A local route may have a lower hop_limit set than global routes do.
|
||||
|
||||
RFC 3756, Section 4.2.7, "Parameter Spoofing"
|
||||
|
||||
> 1. The attacker includes a Current Hop Limit of one or another small
|
||||
> number which the attacker knows will cause legitimate packets to
|
||||
> be dropped before they reach their destination.
|
||||
|
||||
> As an example, one possible approach to mitigate this threat is to
|
||||
> ignore very small hop limits. The nodes could implement a
|
||||
> configurable minimum hop limit, and ignore attempts to set it below
|
||||
> said limit.
|
||||
|
||||
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
---
|
||||
net/ipv6/ndisc.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
|
||||
index 682866777d53..d375ce60463e 100644
|
||||
--- a/net/ipv6/ndisc.c
|
||||
+++ b/net/ipv6/ndisc.c
|
||||
@@ -1216,7 +1216,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
|
||||
if (rt)
|
||||
rt6_set_expires(rt, jiffies + (HZ * lifetime));
|
||||
if (ra_msg->icmph.icmp6_hop_limit) {
|
||||
- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ /* Only set hop_limit on the interface if it is higher than
|
||||
+ * the current hop_limit.
|
||||
+ */
|
||||
+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
|
||||
+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ } else {
|
||||
+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
|
||||
+ }
|
||||
if (rt)
|
||||
dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
|
||||
ra_msg->icmph.icmp6_hop_limit);
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -667,6 +667,9 @@ Patch26176: sunrpc-make-debugfs-file-creation-failure-non-fatal.patch
|
|||
#rhbz 1207789
|
||||
Patch26177: tg3-Hold-tp-lock-before-calling-tg3_halt-from-tg3_in.patch
|
||||
|
||||
#CVE-2015-XXXX rhbz 1203712 1208491
|
||||
Patch26178: ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1442,6 +1445,9 @@ ApplyPatch sunrpc-make-debugfs-file-creation-failure-non-fatal.patch
|
|||
#rhbz 1207789
|
||||
ApplyPatch tg3-Hold-tp-lock-before-calling-tg3_halt-from-tg3_in.patch
|
||||
|
||||
#CVE-2015-XXXX rhbz 1203712 1208491
|
||||
ApplyPatch ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2301,6 +2307,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Apr 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
|
||||
|
||||
* Wed Apr 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Backport patch to fix tg3 deadlock (rhbz 1207789)
|
||||
- Fix gssproxy (rhbz 1203913)
|
||||
|
|
|
|||
Loading…
Reference in New Issue