Message-ID: <20190514063844.GH22349@unicorn.suse.cz>
Date: Tue, 14 May 2019 08:38:44 +0200
From: Michal Kubecek <mkubecek@...e.cz>
To: netdev@...r.kernel.org
Cc: Weilong Chen <chenweilong@...wei.com>, davem@...emloft.net,
kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org
Subject: Re: [PATCH net-next v2] ipv4: Add support to disable icmp timestamp
On Tue, May 14, 2019 at 10:56:54AM +0800, Weilong Chen wrote:
> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.
>
> This patch is another way, in contrast to iptables rules:
> iptables -A input -p icmp --icmp-type timestamp-request -j DROP
> iptables -A output -p icmp --icmp-type timestamp-reply -j DROP
>
> Default is enabled.
>
> enable:
> sysctl -w net.ipv4.icmp_timestamp_enable=1
> disable
> sysctl -w net.ipv4.icmp_timestamp_enable=0
> testing:
> hping3 --icmp --icmp-ts -V $IPADDR
>
> Signed-off-by: Weilong Chen <chenweilong@...wei.com>
> ---
I'm not sure what you are trying to do but this looks like a process
violation:
- it's exactly the same as the patch rejected yesterday
- it's marked as "v2" again
- net-next is closed until the end of merge window anyway
Michal Kubecek
> include/net/ip.h | 2 ++
> net/ipv4/icmp.c | 5 +++++
> net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
> 3 files changed, 15 insertions(+)
>
> diff --git a/include/net/ip.h b/include/net/ip.h
> index 2d3cce7..71840e4 100644
> --- a/include/net/ip.h
> +++ b/include/net/ip.h
> @@ -718,6 +718,8 @@ bool icmp_global_allow(void);
> extern int sysctl_icmp_msgs_per_sec;
> extern int sysctl_icmp_msgs_burst;
>
> +extern int sysctl_icmp_timestamp_enable;
> +
> #ifdef CONFIG_PROC_FS
> int ip_misc_proc_init(void);
> #endif
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index f3a5893..5010541 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
>
> int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
> int sysctl_icmp_msgs_burst __read_mostly = 50;
> +int sysctl_icmp_timestamp_enable __read_mostly = 1;
>
> static struct {
> spinlock_t lock;
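Review bot: `sysctl_icmp_timestamp_enable` is added as a file-scope global, whereas the comparable ICMP knobs in this file (`icmp_echo_ignore_all`, `icmp_echo_ignore_broadcasts`) are kept in `net->ipv4` so that each network namespace carries its own policy; as written, one container toggling the sysctl changes timestamp-reply behaviour for every namespace on the host. The same applies to the extern added in include/net/ip.h and to the table entry in net/ipv4/sysctl_net_ipv4.c. A per-namespace shape would be a `sysctl_icmp_timestamp_enable` field in `struct netns_ipv4`, the ctl_table entry placed in `ipv4_net_table`, and the check in icmp_timestamp reading `net->ipv4.sysctl_icmp_timestamp_enable`.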
> @@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
> static bool icmp_timestamp(struct sk_buff *skb)
> {
> struct icmp_bxm icmp_param;
> +
> + if (!sysctl_icmp_timestamp_enable)
> + goto out_err;
> +
> /*
> * Too short.
> */
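Review bot: The disabled path jumps to `out_err`, which lies outside the hunk; in this function that label appears to account the packet in the ICMP in-errors counter before returning false, so a request that the administrator chose to ignore would be reported as a malformed one. The existing echo handler ignores requests under `icmp_echo_ignore_all` by skipping the reply and returning true, and the same shape keeps the counters honest here: `if (!sysctl_icmp_timestamp_enable) return true;`. The body of icmp_timestamp continues past the end of the hunk, so the label's exact behaviour should be confirmed there.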
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 875867b..1fe467e 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
> .extra1 = &zero,
> },
> {
> + .procname = "icmp_timestamp_enable",
> + .data = &sysctl_icmp_timestamp_enable,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = &zero,
> + },
> + {
> .procname = "udp_mem",
> .data = &sysctl_udp_mem,
> .maxlen = sizeof(sysctl_udp_mem),
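Review bot: The new table entry sets `.extra1 = &zero` but no `.extra2`, so `proc_dointvec_minmax` accepts any non-negative value although the check in icmp_timestamp only tests for zero; writing 2 succeeds and behaves as enabled, which the commit message does not document. Adding `.extra2 = &one,` after the `.extra1` line makes the knob the strict 0/1 boolean it is described as. The sysctl is also absent from Documentation/networking/ip-sysctl.txt, which the diffstat shows untouched; it needs an entry giving the name, the default of 1, and that 0 stops the host from answering ICMP timestamp requests.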
> --
> 2.7.4
>