DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
This commit is contained in:
Josh Boyer
parent
c0c5b9742f
commit
92f85ec311
|
|
@ -0,0 +1,46 @@
|
|||
From: "D.S. Ljungmark" <ljungmark@modio.se>
|
||||
Date: Wed, 25 Mar 2015 09:28:15 +0100
|
||||
Subject: [PATCH] ipv6: Don't reduce hop limit for an interface
|
||||
|
||||
A local route may have a lower hop_limit set than global routes do.
|
||||
|
||||
RFC 3756, Section 4.2.7, "Parameter Spoofing"
|
||||
|
||||
> 1. The attacker includes a Current Hop Limit of one or another small
|
||||
> number which the attacker knows will cause legitimate packets to
|
||||
> be dropped before they reach their destination.
|
||||
|
||||
> As an example, one possible approach to mitigate this threat is to
|
||||
> ignore very small hop limits. The nodes could implement a
|
||||
> configurable minimum hop limit, and ignore attempts to set it below
|
||||
> said limit.
|
||||
|
||||
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
---
|
||||
net/ipv6/ndisc.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
|
||||
index 471ed24aabae..14ecdaf06bf7 100644
|
||||
--- a/net/ipv6/ndisc.c
|
||||
+++ b/net/ipv6/ndisc.c
|
||||
@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
|
||||
if (rt)
|
||||
rt6_set_expires(rt, jiffies + (HZ * lifetime));
|
||||
if (ra_msg->icmph.icmp6_hop_limit) {
|
||||
- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ /* Only set hop_limit on the interface if it is higher than
|
||||
+ * the current hop_limit.
|
||||
+ */
|
||||
+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
|
||||
+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ } else {
|
||||
+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
|
||||
+ }
|
||||
if (rt)
|
||||
dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
|
||||
ra_msg->icmph.icmp6_hop_limit);
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -634,6 +634,9 @@ Patch26174: Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
|
|||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
|
||||
|
||||
#CVE-2015-XXXX rhbz 1203712 1208491
|
||||
Patch26177: ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1379,6 +1382,9 @@ ApplyPatch Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
|
|||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
|
||||
|
||||
#CVE-2015-XXXX rhbz 1203712 1208491
|
||||
ApplyPatch ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2229,6 +2235,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Apr 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
|
||||
|
||||
* Wed Apr 01 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc6.git1.1
|
||||
- Linux v4.0-rc6-31-gd4039314d0b1
|
||||
- CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)
|
||||
|
|
|
|||
Loading…
Reference in New Issue