Message-ID: <20251201185817.1003392-4-tom@herbertland.com>
Date: Mon, 1 Dec 2025 10:55:32 -0800
From: Tom Herbert <tom@...bertland.com>
To: tom@...bertland.com,
davem@...emloft.net,
kuba@...nel.org,
netdev@...r.kernel.org
Subject: [PATCH net-next 3/5] ipv6: Set Hop-by-Hop options limit to 1
The Hop-by-Hop options limit was a default of 8, meaning that up to
eight Hop-by-Hop options would be received in a packet before the limit
is exceeded and the packet is dropped. This limit is too high and
makes the node susceptible to a DoS attack. Note it's not just the
options themselves, but a lot of padding can be used between options
(e.g. up to seven PAD1 options). It's pretty easy for an attacker to
fabricate a packet with nothing but eight unknown option types and
padding between the options to force over a hundred conditionals to
be evaluated and at least eight cache misses per packet, resulting
in no productive work being done.

The new limit is one. This is based on the fact that there are some
hop-by-hop options in deployment, like the router alert option, however they
tend to be singleton options and it's unlikely there is significant use
of more than one option in a packet. From a protocol perspective,
RFC9673 states:

"A Source MAY, based on local configuration, allow only one Hop-by-Hop
option to be included in a packet"

We can infer that this implies that at most one Hop-by-Hop option is
sufficient.

It should be noted that Hop-by-Hops are unusable in the general
Internet and packets with Hop-by-Hop Options are commonly dropped
by routers. The only realistic use case for Hop-by-Hop options is
limited domains, and if a limited domain needs more than one HBH option
in a packet it's easy enough to configure the sysctl to whatever limit
they want.
---
include/net/ipv6.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 723a254c0b90..62ed44894e96 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -91,7 +91,7 @@ struct ip_tunnel_info;
* Denial of Service attacks (see sysctl documention)
*/
#define IP6_DEFAULT_MAX_DST_OPTS_CNT 0
-#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 8
+#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 1
#define IP6_DEFAULT_MAX_DST_OPTS_LEN INT_MAX /* No limit */
#define IP6_DEFAULT_MAX_HBH_OPTS_LEN INT_MAX /* No limit */
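Review bot: the default change from `-#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 8` to `+#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 1` is not accompanied by an update to the sysctl documentation that the comment two lines above points to ("see sysctl documention"); the documented default for the Hop-by-Hop option count sysctl should change in the same series so that readers of the docs see 1, not 8, and the comment's "documention" could be corrected to "documentation" while this block is being touched. Since lowering the default from 8 to 1 is a user-visible behaviour change for limited-domain deployments that already send two or more HBH options per packet, the commit message could state explicitly that such deployments must raise the sysctl, rather than leaving it implied by the last paragraph.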
--
2.43.0
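As an added example (not kernel code and not part of this patch), the walker below shows how a per-packet Hop-by-Hop option count limit such as the one this patch lowers to 1 is applied while parsing the TLV list: Pad1 and PadN are skipped without counting, every other option counts, and the packet is rejected as soon as the count passes the configured maximum. It assumes the RFC 8200 Hop-by-Hop header layout, and the sample header bytes (Router Alert plus one unknown option separated by padding) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed header layout (RFC 8200 section 4.3): byte 0 = Next Header,
 * byte 1 = Hdr Ext Len in 8-octet units not counting the first 8,
 * followed by TLV options. Pad1 is the single byte 0x00; PadN is
 * type 1 with a length byte; everything else is type, length, value. */
#define HBH_PAD1 0
#define HBH_PADN 1

/* Count the non-padding options in a Hop-by-Hop header. Returns the
 * count, or -1 if the header is malformed or the count exceeds
 * max_opts (the caller treats -1 as "drop the packet"). */
int hbh_count_options(const uint8_t *hbh, size_t buflen, int max_opts)
{
    size_t hdrlen, off = 2;
    int count = 0;

    if (buflen < 8)
        return -1;
    hdrlen = ((size_t)hbh[1] + 1) * 8;
    if (hdrlen > buflen)                  /* header claims more than we have */
        return -1;

    while (off < hdrlen) {
        uint8_t type = hbh[off];
        size_t optlen;

        if (type == HBH_PAD1) {           /* one-byte padding, no length */
            off++;
            continue;
        }
        if (off + 2 > hdrlen)             /* need both type and length bytes */
            return -1;
        optlen = 2 + hbh[off + 1];
        if (off + optlen > hdrlen)        /* option runs past the header */
            return -1;
        if (type != HBH_PADN && ++count > max_opts)
            return -1;                    /* limit exceeded: stop parsing */
        off += optlen;
    }
    return count;
}

/* Constructed sample: a 16-byte HBH header with a Router Alert option
 * (type 5, RFC 2711), PadN, one unknown two-byte option, two Pad1. */
static const uint8_t sample_two_opts[16] = {
    59, 1,                 /* next header = no next header, ext len = 1 */
    5, 2, 0x00, 0x00,      /* Router Alert, value 0 */
    1, 2, 0x00, 0x00,      /* PadN covering 4 bytes */
    0x3e, 2, 0xaa, 0xbb,   /* unknown (experimental) option type 0x3e */
    0, 0                   /* two Pad1 bytes to fill the 8-octet unit */
};
```

With the old default of 8 the sample passes with two options counted; with the new default of 1 it is rejected at the second option.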