lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jan 2013 00:44:11 +0900 From: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> To: netdev@...r.kernel.org, hannes@...essinduktion.org CC: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> Subject: Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd Hannes Frederic Sowa wrote: > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > checks which could easily be implemented with netfilter. > > Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org> > --- > net/ipv6/sit.c | 27 +++++++++++++++++++++++++-- > 1 file changed, 25 insertions(+), 2 deletions(-) > > diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c > index cfba99b..2b4c15a 100644 > --- a/net/ipv6/sit.c > +++ b/net/ipv6/sit.c > @@ -590,6 +590,22 @@ out: > return err; > } > > +static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr, > + const struct in6_addr *addr6) > +{ > +#ifdef CONFIG_IPV6_SIT_6RD > + if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix, > + tunnel->ip6rd.prefixlen) && > + memcmp(addr, &addr6->s6_addr16[1], 4)) > + return 0; > +#else > + if (addr6->s6_addr16[0] == htons(0x2002) && > + memcmp(addr, &addr6->s6_addr16[1], 4)) > + return 0; > +#endif > + return 1; > It seems wrong. Check should be done for - inner source prefix - embedded source with relay_prefix. - inner destination prefix. Note: embedded destination is not being checked. --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists