| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080618161142.GD25004@pingi.kke.suse.de>
Date: Wed, 18 Jun 2008 18:11:42 +0200
From: Karsten Keil <kkeil@...e.de>
To: YOSHIFUJI Hideaki / 吉藤英明
<yoshfuji@...ux-ipv6.org>
Cc: davem@...emloft.net, netdev@...r.kernel.org,
Mironov_Sergey@....com, akpm@...ux-foundation.org,
torvalds@...ux-foundation.org
Subject: Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
On Wed, Jun 18, 2008 at 11:36:07PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <20080618140558.GB25004@...gi.kke.suse.de> (at Wed, 18 Jun 2008 16:05:58 +0200), Karsten Keil <kkeil@...e.de> says:
>
> > On Wed, Jun 18, 2008 at 10:36:00PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> > > In article <20080618132312.GA25004@...gi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@...e.de> says:
> > >
> > > > RFC 4291 forbit the use of the loopback address as source outside a node
> > > > (paragraph 2.5.3).
> > > >
> > > > The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> > > > v6LC.5.1.2 Part F), so it fails currently on Linux.
> > > >
> > > > Signed-off-by: Sergey Mironov <Mironov_Sergey@....com>
> > > > Signed-off-by: Karsten Keil <kkeil@...e.de>
> > >
> > > I disagree this approach - too ad-hoc fix just to pass the tests.
> > >
> >
> > So you would prefer a more general test in some common place (like
> > __ip6_local_out() ) to avoid any packets with ::1 on other devices as
> > loopback ?
>
> No, we should not even accept packets for ::1 from outside of the box.
> Something like this.
>
Yes I was thinking about nearly the same patch now :-)
> ---
> ipv6: Drop packets for loopback address from outside of the box.
>
> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
>
> --
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index e0a612b..f422f72 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
> a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
> }
>
> +static inline int ipv6_addr_loopback(const struct in6_addr *a)
> +{
> + return ((a->s6_addr32[0] | a->s6_addr32[1] |
> + a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
> +}
> +
> static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
> {
> return ((a->s6_addr32[0] | a->s6_addr32[1] |
> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
> index 4e5c861..17eb48b 100644
> --- a/net/ipv6/ip6_input.c
> +++ b/net/ipv6/ip6_input.c
> @@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
> if (hdr->version != 6)
> goto err;
>
> + /*
> + * RFC4291 2.5.3
> + * A packet received on an interface with a destination address
> + * of loopback must be dropped.
> + */
> + if (!(dev->flags & IFF_LOOPBACK) &&
> + ipv6_addr_loopback(&hdr->daddr))
> + goto err;
> +
> skb->transport_header = skb->network_header + sizeof(*hdr);
> IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>
>
>
> --yoshfuji
--
Karsten Keil
SuSE Labs
ISDN and VOIP development
SUSE LINUX Products GmbH, Maxfeldstr.5 90409 Nuernberg, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists