| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20120412.160040.1086391259430365718.davem@davemloft.net> Date: Thu, 12 Apr 2012 16:00:40 -0400 (EDT) From: David Miller <davem@...emloft.net> To: eldad@...refinery.com Cc: kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] net/ipv6/exthdrs.c et al: Optional strict PadN option checking From: Eldad Zack <eldad@...refinery.com> Date: Sat, 7 Apr 2012 17:16:14 +0200 > Added strict checking of PadN. PadN can be used to increase header > size and thus push the protocol header into the 2nd fragment. > > PadN is used to align the options within the Hop-by-Hop or > Destination Options header to 64-bit boundaries. The maximum valid > size is thus 7 bytes. > RFC 4942 recommends to actively check the "payload" itself and > ensure that it contains only zeroes. > > See also RFC 4942 section 2.1.9.5. > > Signed-off-by: Eldad Zack <eldad@...refinery.com> I think you should do away with the sysctl and always perform these checks. At the very leat, the optlen > 7 check should always be performed. And frankly the pad byte being zero check makes sense to do all the time as far as I can tell too. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists