Message-ID: <20111108043546.GA2581@kumar>
Date:	Tue, 8 Nov 2011 10:05:47 +0530
From:	Kumar Sanghvi <divinekumar@...il.com>
To:	Brian Haley <brian.haley@...com>
Cc:	netdev@...r.kernel.org
Subject: Re: Query on usage of multicast as source IPv6 address

Hi Brian,

On Mon, Nov 07, 2011 at 21:11:24 -0500, Brian Haley wrote:
> On 11/07/2011 03:45 PM, Kumar Sanghvi wrote:
> > Hi,
> > 
> > I am trying to understand IPv6 behavior in Linux.
> > And I have a doubt related to use of multicast address
> > as source address.
> > 
> > RFC 4291 in Section 2.7 states that:
> > "Multicast addresses must not be used as source addresses
> >  in IPv6 packets or appear in any Routing header."
> > 
> > However, what should be the behavior if a host receives a
> > packet (probably from a malicious host with pktgen abilities)
> > having a multicast address in source address field:
> > 1) Should the receiving host discard the packet?
> 
> I believe other *nixes silently drop it, can you try this patch?
> 
> -Brian
> 
> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
> index 027c7ff..a46c64e 100644
> --- a/net/ipv6/ip6_input.c
> +++ b/net/ipv6/ip6_input.c
> @@ -111,6 +111,14 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev,
> struct packet_type *pt
>  	    ipv6_addr_loopback(&hdr->daddr))
>  		goto err;
> 
> +	/*
> +	 * RFC4291 2.7
> +	 * Multicast addresses must not be used as source addresses in IPv6
> +	 * packets or appear in any Routing header.
> +	 */
> +	if (ipv6_addr_is_multicast(&hdr->saddr))
> +		goto err;
> +
>  	skb->transport_header = skb->network_header + sizeof(*hdr);
>  	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>
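
Review bot: The comment above the new `ipv6_addr_is_multicast(&hdr->saddr)` test quotes the full RFC 4291 2.7 sentence, including "or appear in any Routing header", but the check covers only the source address in the fixed header. Trim the comment to the source-address half, or state that Routing header contents are not validated here, so a later reader does not assume both halves are enforced at this point. The drop also reuses the `err` label shared with the loopback check just above; it is worth confirming that this path increments a counter, since a discard of spoofed-source packets is otherwise invisible to anyone monitoring the host. In this quoted copy the `@@` header is wrapped onto a second line (`struct packet_type *pt`), so check that the original was not line-wrapped by the mail client before applying it.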

Tested this patch on the 3.1 kernel.
The patch works fine, and now Linux no longer sends a response
to the multicast address.
Thanks Brian for the patch!

Reported-and-Tested-by: Kumar Sanghvi <divinekumar@...il.com>


Thanks,
Kumar. 