lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 07 Feb 2013 01:49:09 +0900
From:	YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
To:	Erik Hugne <erik.hugne@...csson.com>, netdev@...r.kernel.org,
	YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
Subject: Re: [IPv6] interface-local multicast escapes the local node

(2013年02月07日 01:04), Hannes Frederic Sowa wrote:
> On Thu, Feb 07, 2013 at 12:32:17AM +0900, YOSHIFUJI Hideaki wrote:
>> Hannes Frederic Sowa wrote:
>>> On Wed, Feb 06, 2013 at 02:07:39PM +0100, Erik Hugne wrote:
>>>> On Wed, Feb 06, 2013 at 01:12:48PM +0100, Hannes Frederic Sowa wrote:
>>>>> Fixing the output path should be relatively straightforward, please test
>>>>> the following patch.
>>>>
>>>> Tested OK.
>>>>
>>>>> Looking at the input path, I think there is also no input protection
>>>>> for ff01::/16 addresses from the wire if you bind such an address.
>>>>
>>>> Yes, this needs to be filtered on the input side aswell.
>>>
>>> This patch should do the trick. Perhaps you could also take it for a test
>>> drive? Thanks!
>>>
>>> [PATCH net-next] ipv6: don't accept node local multicast traffic from the wire
>>>
>>> Cc: Erik Hugne <erik.hugne@...csson.com>
>>> Cc: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
>>> Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
>>> ---
>>>  net/ipv6/ip6_input.c | 10 ++++++++++
>>>  1 file changed, 10 insertions(+)
>>>
>>> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
>>> index 4ac5bf3..a2f71d2 100644
>>> --- a/net/ipv6/ip6_input.c
>>> +++ b/net/ipv6/ip6_input.c
>>> @@ -126,6 +126,16 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
>>>  	if (ipv6_addr_is_multicast(&hdr->saddr))
>>>  		goto err;
>>>  
>>> +	/*
>>> +	 * RFC4291 2.7
>>> +	 * Interface-Local scope spans only a single interface on a node
>>> +         * and is useful only for loopback transmission of multicast.
>>> +	 */
>>> +	if (ipv6_addr_is_multicast(&hdr->daddr) &&
>>> +	    IPV6_ADDR_MC_SCOPE(&hdr->daddr) <= IPV6_ADDR_SCOPE_NODELOCAL &&
>>> +	    skb->pkt_type != PACKET_LOOPBACK)
>>> +		goto err;
>>> +
>>>  	skb->transport_header = skb->network_header + sizeof(*hdr);
>>>  	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>>
>> NAK.
>>
>> Well, do you have relevant RFC?
>> RFC4291 says that we should drop ff00::/16, but not ff01::/16.
> 
> I know what you mean, the RFC does not state it directly. Hm, the BSDs seem to
> drop such destination addresses, too, if they don't originate from a loopback
> interface. Or did you mean that there is a flaw in the skb->pkt_type !=
> PACKET_LOOPBACK condition?

We do not drop ff01::/16, because RFC is silent about it.

--yoshfuji

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ