| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180124090944.217c14b7@xeon-e3>
Date: Wed, 24 Jan 2018 09:09:44 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: David Ahern <dsahern@...il.com>
Cc: netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org,
idosch@...lanox.com, roopa@...ulusnetworks.com
Subject: Re: [PATCH v2 net-next] net/ipv6: Do not allow route add with a
device that is down
On Wed, 24 Jan 2018 08:29:24 -0800
David Ahern <dsahern@...il.com> wrote:
> IPv6 allows routes to be installed when the device is not up (admin up).
> Worse, it does not mark it as LINKDOWN. IPv4 does not allow it and really
> there is no reason for IPv6 to allow it, so check the flags and deny if
> device is admin down.
>
> Signed-off-by: David Ahern <dsahern@...il.com>
> ---
> v2
> - missed setting err to -ENETDOWN (thanks for catching that Roopa)
>
> net/ipv6/route.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index f85da2f1e729..4e8fab766018 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -2734,6 +2734,12 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
> if (!dev)
> goto out;
>
> + err = -ENETDOWN;
> + if (!(dev->flags & IFF_UP)) {
> + NL_SET_ERR_MSG(extack, "Nexthop device is not up");
> + goto out;
> + }
> +
> if (!ipv6_addr_any(&cfg->fc_prefsrc)) {
> if (!ipv6_chk_addr(net, &cfg->fc_prefsrc, dev, 0)) {
> NL_SET_ERR_MSG(extack, "Invalid source address");
This looks like a good idea.
There are two equal ways to check for admin up. Either the dev flags or
look at link state via netif_running(). Maybe the latter would
be better.
Powered by blists - more mailing lists