 
Message-ID: <20190514063844.GH22349@unicorn.suse.cz>
Date:   Tue, 14 May 2019 08:38:44 +0200
From:   Michal Kubecek <mkubecek@...e.cz>
To:     netdev@...r.kernel.org
Cc:     Weilong Chen <chenweilong@...wei.com>, davem@...emloft.net,
        kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org
Subject: Re: [PATCH net-next v2] ipv4: Add support to disable icmp timestamp

On Tue, May 14, 2019 at 10:56:54AM +0800, Weilong Chen wrote:
> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.
> 
> This patch is another way to achieve the same thing, as an alternative to the iptables rules:
> iptables -A input -p icmp --icmp-type timestamp-request -j DROP
> iptables -A output -p icmp --icmp-type timestamp-reply -j DROP
> 
> Default is enabled.
> 
> enable:
> 	sysctl -w net.ipv4.icmp_timestamp_enable=1
> disable
> 	sysctl -w net.ipv4.icmp_timestamp_enable=0
> testing:
> 	hping3 --icmp --icmp-ts -V $IPADDR
> 
> Signed-off-by: Weilong Chen <chenweilong@...wei.com>
> ---

I'm not sure what you are trying to do but this looks like a process
violation:

  - it's exactly the same as the patch rejected yesterday
  - it's marked as "v2" again
  - net-next is closed until the end of merge window anyway

Michal Kubecek

>  include/net/ip.h           | 2 ++
>  net/ipv4/icmp.c            | 5 +++++
>  net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/include/net/ip.h b/include/net/ip.h
> index 2d3cce7..71840e4 100644
> --- a/include/net/ip.h
> +++ b/include/net/ip.h
> @@ -718,6 +718,8 @@ bool icmp_global_allow(void);
>  extern int sysctl_icmp_msgs_per_sec;
>  extern int sysctl_icmp_msgs_burst;
>  
> +extern int sysctl_icmp_timestamp_enable;
> +
>  #ifdef CONFIG_PROC_FS
>  int ip_misc_proc_init(void);
>  #endif
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index f3a5893..5010541 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
>  
>  int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
>  int sysctl_icmp_msgs_burst __read_mostly = 50;
> +int sysctl_icmp_timestamp_enable __read_mostly = 1;
>  
>  static struct {
>  	spinlock_t	lock;
> @@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
>  static bool icmp_timestamp(struct sk_buff *skb)
>  {
>  	struct icmp_bxm icmp_param;
> +
> +	if (!sysctl_icmp_timestamp_enable)
> +		goto out_err;
> +
>  	/*
>  	 *	Too short.
>  	 */
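Review bot: The new `goto out_err` on the administrative-disable path routes a deliberately dropped request through the same label as a malformed one; `out_err` is outside this hunk, but if it accounts the packet as an ICMP input error, as its name suggests, then an operator who sets the sysctl to 0 will see the InErrors counter climb on every timestamp request, hiding real problems. A plain `return false;` before any statistics are touched keeps the drop silent, which is what the iptables DROP the commit message compares against does. The read of `sysctl_icmp_timestamp_enable` is a lockless access on the receive path while the value can be rewritten through procfs; a `READ_ONCE()` would document that, though the neighbouring rate-limit sysctls are read the same plain way. icmp_timestamp's body continues past the end of the hunk.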
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 875867b..1fe467e 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
>  		.extra1		= &zero,
>  	},
>  	{
> +		.procname	= "icmp_timestamp_enable",
> +		.data		= &sysctl_icmp_timestamp_enable,
> +		.maxlen		= sizeof(int),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= &zero,
> +	},
> +	{
>  		.procname	= "udp_mem",
>  		.data		= &sysctl_udp_mem,
>  		.maxlen		= sizeof(sysctl_udp_mem),
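Review bot: The new `icmp_timestamp_enable` entry bounds the value only from below (`.extra1 = &zero`), so `sysctl -w net.ipv4.icmp_timestamp_enable=7` is accepted even though the sole consumer tests it as a boolean; for a flag, add `.extra2 = &one` (the file appears to keep such constants next to `zero`, if the local convention holds). Placing it in `ipv4_table[]`, the table named in the hunk header, makes the knob global rather than per network namespace, so a container cannot pick its own policy, unlike most other icmp_* policy sysctls which live under `net->ipv4` (not visible here); a per-netns field would be the consistent home and would also avoid a bare global in the header hunk. The diffstat lists only three files, so the new sysctl gets no entry in Documentation/networking/ip-sysctl.txt; it should document the default of 1, the effect of 0, and that disabled requests are dropped rather than rejected.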
> -- 
> 2.7.4
> 

