lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 27 Apr 2007 02:08:05 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	cebbert@...hat.com
Cc:	yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org, vsu@...linux.ru
Subject: Re: IPV6 source routing patch is still broken?

From: Chuck Ebbert <cebbert@...hat.com>
Date: Thu, 26 Apr 2007 18:57:06 -0400

> David Miller wrote:
> >> +       case IPV6_SRCRT_TYPE_2:
> >> +               if (accept_source_route >= 0)
> >> +                       break;
> >> +               kfree_skb(skb);
> >> +               return -1;
> >> +       case IPV6_SRCRT_TYPE_0:
> >> +               if (accept_source_route > 0)
> >> +                       break;
> >> +               kfree_skb(skb);
> >> +               return -1;
> > 
> > Yes, that looks like it matches the sysctl documentation more closely:
> > 
> > accept_source_route - INTEGER
> > 	Accept source routing (routing extension header).
> > 
> > 	> 0: Accept routing header.
> > 	= 0: Accept only routing header type 2.
> > 	< 0: Do not accept routing header.
> > 
> > Type 2 packets should get through as long as the value of the sysctl
> > is not negative.
> 
> It was Sergey Vlasov who first found this. I had tried to find his original
> message but I was searching the wrong place.

Actually, earlier in the function accept_source_route is
verified, and if it is negative ipv6_rthdr_rcv() returns
immediately.  This is done by the initial code which reads:

	if (accept_source_route < 0 ||
	    ((idev = in6_dev_get(skb->dev)) == NULL)) {
		kfree_skb(skb);
		return -1;
	}
	if (idev->cnf.accept_source_route < 0) {
		in6_dev_put(idev);
		kfree_skb(skb);
		return -1;
	}

then the function proceeds to use the largest of
'accept_source_route' and 'idev->cnf.accept_source_route'
for further checks.

So when we get to the switch statement in question, we know
it will be a positive value, so none of the purely negative
cases need to be considered.

So with Yoshifuji-sans small fix, the switch statement
covers all the cases properly:

	switch (hdr->type) {
#ifdef CONFIG_IPV6_MIP6
	case IPV6_SRCRT_TYPE_2:
		break;
#endif
	case IPV6_SRCRT_TYPE_0:
		if (accept_source_route > 0)
			break;
		kfree_skb(skb);
		return -1;
	default:
		IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
				 IPSTATS_MIB_INHDRERRORS);
		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
		return -1;
	}
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists