lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 25 Mar 2015 16:28:44 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	ljungmark@...io.se, netdev@...r.kernel.org
Subject: Re: [PATCH] ipv6: Don't reduce hop limit for an interface



On Wed, Mar 25, 2015, at 09:29, D. S. Ljungmark wrote:
> From 3ae93eb68a06ab2d9c984c6708dbc9e5f3bc8251 Mon Sep 17 00:00:00 2001
> From: "D.S. Ljungmark" <ljungmark@...io.se>
> Date: Wed, 25 Mar 2015 09:28:15 +0100
> Subject: [PATCH] ipv6: Don't reduce hop limit for an interface
> 
> A local route may have a lower hop_limit set than global routes do.
> 
> RFC 3756, Section 4.2.7, "Parameter Spoofing"
> 
> >   1.  The attacker includes a Current Hop Limit of one or another small
> >       number which the attacker knows will cause legitimate packets to
> >       be dropped before they reach their destination.
> 
> >   As an example, one possible approach to mitigate this threat is to
> >   ignore very small hop limits.  The nodes could implement a
> >   configurable minimum hop limit, and ignore attempts to set it below
> >   said limit.
> 
> Signed-off-by: D.S. Ljungmark <ljungmark@...io.se>
> ---
>  net/ipv6/ndisc.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index 471ed24..14ecdaf 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
> @@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff
> *skb)
>  	if (rt)
>  		rt6_set_expires(rt, jiffies + (HZ * lifetime));
>  	if (ra_msg->icmph.icmp6_hop_limit) {
> -               in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
> +               /* Only set hop_limit on the interface if it is higher
> than
> +                * the current hop_limit.
> +                */
> +               if (in6_dev->cnf.hop_limit <
> ra_msg->icmph.icmp6_hop_limit) {
> +                       in6_dev->cnf.hop_limit =
> ra_msg->icmph.icmp6_hop_limit;
> +               } else {
> +                       ND_PRINTK(2, warn, "RA: Got route advertisement
> with lower hop_limit than current\n");
> +               }

I think this is the simplest solution to this problem and solves the
problem by default, thanks!

Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ