Date:   Mon, 16 Jul 2018 13:45:38 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     sd@...asysnail.net
Cc:     netdev@...r.kernel.org, nordmark@...sta.com, gilligan@...sta.com,
        hannes@...essinduktion.org, sbrivio@...hat.com
Subject: Re: [PATCH net] ipv6: make DAD fail with enhanced DAD when nonce
 length differs

From: Sabrina Dubroca <sd@...asysnail.net>
Date: Fri, 13 Jul 2018 17:21:42 +0200

> Commit adc176c54722 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
> added enhanced DAD with a nonce length of 6 bytes. However, RFC7527
> doesn't specify the length of the nonce, other than being 6 + 8*k bytes,
> with integer k >= 0 (RFC3971 5.3.2). The current implementation simply
> assumes that the nonce will always be 6 bytes, but other systems are
> free to choose different sizes.
> 
> If another system sends a nonce of different length but with the same 6
> bytes prefix, it shouldn't be considered as the same nonce. Thus, check
> that the length of the received nonce is the same as the length we sent.
> 
> Ugly scapy test script running on veth0:
> 
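> from scapy.all import sniff, sendp, Raw, IPv6
>
> def loop():
>     # capture one ICMPv6 packet on veth0
>     pkt=sniff(iface="veth0", filter="icmp6", count=1)
>     pkt = pkt[0]
>     b = bytearray(pkt[Raw].load)
>     # grow the option by one 8-byte unit: bump its length field, append 8 bytes
>     b[1] += 1
>     b += b'\xde\xad\xbe\xef\xde\xad\xbe\xef'
>     pkt[Raw].load = bytes(b)
>     # the IPv6 payload is now 8 bytes longer
>     pkt[IPv6].plen += 8
>     # fixup checksum after modifying the payload
>     pkt[IPv6].payload.cksum -= 0x3b44
>     if pkt[IPv6].payload.cksum < 0:
>         pkt[IPv6].payload.cksum += 0xffff
>     sendp(pkt, iface="veth0")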
> 
> This should result in DAD failure for any address added to veth0's peer,
> but is currently ignored.
> 
> Fixes: adc176c54722 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
> Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>
> Reviewed-by: Stefano Brivio <sbrivio@...hat.com>

Applied and queued up for -stable, thank you!
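
The length check described in the commit message, sketched as an added user-space example (not part of the original thread and not the kernel's code): a received nonce counts as our own only when both its length and its bytes match what we sent. The function names and the sample byte values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ND_OPT_NONCE 14 /* Nonce option type (RFC 3971 5.3.2) */

/* Constructed sample data: the nonce we sent and two received option buffers. */
const uint8_t sent_nonce[6] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
const uint8_t opt_same[8] = {14, 1, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
const uint8_t opt_longer[16] = {14, 2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                                0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef};

/* Walk ND options (type, length in 8-byte units, data); NULL if absent or malformed. */
const uint8_t *find_nonce(const uint8_t *opts, size_t optlen, size_t *nlen)
{
    size_t off = 0;
    while (optlen - off >= 2) {
        size_t len = (size_t)opts[off + 1] * 8;
        if (len == 0 || len > optlen - off)
            return NULL; /* zero-length or overrunning option */
        if (opts[off] == ND_OPT_NONCE) {
            *nlen = len - 2; /* nonce is 6 + 8*k bytes */
            return opts + off + 2;
        }
        off += len;
    }
    return NULL;
}

/* Prefix-only check: compares 6 bytes and ignores the received length. */
int match_prefix_only(const uint8_t *opts, size_t optlen)
{
    size_t n;
    const uint8_t *r = find_nonce(opts, optlen, &n);
    return r != NULL && memcmp(sent_nonce, r, sizeof(sent_nonce)) == 0;
}

/* Length-aware check: same nonce only if the length and every byte agree. */
int match_with_length(const uint8_t *opts, size_t optlen)
{
    size_t n;
    const uint8_t *r = find_nonce(opts, optlen, &n);
    return r != NULL && n == sizeof(sent_nonce) && memcmp(sent_nonce, r, n) == 0;
}

int main(void)
{
    printf("longer nonce: prefix-only=%d length-aware=%d\n",
           match_prefix_only(opt_longer, 16), match_with_length(opt_longer, 16));
    return 0;
}
```

With the 14-byte nonce that shares our 6-byte prefix, the prefix-only check reports a match while the length-aware check does not.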
