Message-Id: <20120312.124859.1068600282113438294.davem@davemloft.net>
Date: Mon, 12 Mar 2012 12:48:59 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: nick.jones@...work-box.com
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH net-next] Allocate unique metrics for icmp6 packets to prevent tainting dst metrics

From: Nick Jones <nick.jones@...work-box.com>
Date: Mon, 12 Mar 2012 23:16:14 +0800

> The generation of an icmp6 packet, targeted to a specific destination
> address, will cause the shared metrics of the ip6_dst and inetpeer
> of that address to be tainted with the hoplimit value 255.
> All packets, icmp6 or otherwise, will have this hoplimit value, and
> if the destination is a router, not even advertisements specifying a
> new hoplimit value will have any effect due to the way
> ip6_dst_hoplimit works.
>
> By allocating a unique metrics array for the icmp6 packet, the shared
> metrics will not be tainted.
>
> Signed-off-by: Nick Jones <nick.jones@...work-box.com>

You can't just change the allocation side. You now have to make sure
the free'ing side knows that these special routes use kmalloc()'d
metrics.

On ipv6 this is implemented in ip6_dst_destroy(). Unless DST_HOST
will be clear on all of these icmp6 routes, the metrics will be leaked
because ip6_dst_destroy() will not invoke dst_destroy_metrics_generic()
which would do the kfree().
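The ownership mismatch raised in the reply, as an added user-space C model that is not code from the patch or from the kernel. Every `model_*` name, the array size and the hoplimit slot are constructed for illustration, and the `metrics_private` marker is one hypothetical way for the free side to learn that the array is private.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MODEL_DST_HOST 0x1u /* stands in for the DST_HOST flag in the reply */
#define MODEL_NMETRICS 16   /* constructed array size */
#define MODEL_HOPLIMIT 9    /* constructed slot for the hoplimit metric */

struct model_route {
    unsigned flags;
    uint32_t *metrics;   /* points at a shared array or a private copy */
    int metrics_private; /* hypothetical ownership marker */
};

/* Allocation side: a private copy, so hoplimit 255 never reaches `shared`. */
static int model_icmp6_route(struct model_route *rt, const uint32_t *shared, unsigned flags)
{
    rt->metrics = malloc(MODEL_NMETRICS * sizeof(*rt->metrics));
    if (!rt->metrics) return -1;
    memcpy(rt->metrics, shared, MODEL_NMETRICS * sizeof(*rt->metrics));
    rt->metrics[MODEL_HOPLIMIT] = 255;
    rt->flags = flags;
    rt->metrics_private = 1;
    return 0;
}

/* Free side: host flag alone (owner_aware=0) or ownership marker (1). */
static int model_destroy(struct model_route *rt, int owner_aware)
{
    int release = owner_aware ? rt->metrics_private : !(rt->flags & MODEL_DST_HOST);
    if (release) free(rt->metrics);
    return release; /* 1 if the private array was released */
}

/* Returns 1 if the private array would leak, 0 if not, -1 on error. */
static int model_leaks(unsigned flags, int owner_aware)
{
    uint32_t shared[MODEL_NMETRICS] = { [MODEL_HOPLIMIT] = 64 };
    struct model_route rt;
    if (model_icmp6_route(&rt, shared, flags) != 0) return -1;
    int released = model_destroy(&rt, owner_aware);
    if (!released) free(rt.metrics); /* tidy up so the demo stays leak-free */
    return shared[MODEL_HOPLIMIT] == 64 ? !released : -1;
}

int main(void)
{
    printf("host flag set: flag-based leak=%d, owner-aware leak=%d\n", model_leaks(MODEL_DST_HOST, 0), model_leaks(MODEL_DST_HOST, 1));
    return 0;
}
```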