diff options
Diffstat (limited to 'freed-ora/current/f18/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch')
| -rw-r--r-- | freed-ora/current/f18/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/freed-ora/current/f18/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/freed-ora/current/f18/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch new file mode 100644 index 000000000..0c4fc2484 --- /dev/null +++ b/freed-ora/current/f18/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch @@ -0,0 +1,63 @@ +From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Fri, 16 Aug 2013 11:02:27 +0000 +Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr + +Because of the max_addresses check attackers were able to disable privacy +extensions on an interface by creating enough autoconfigured addresses: + +<http://seclists.org/oss-sec/2012/q4/292> + +But the check is not actually needed: max_addresses protects the +kernel to install too many ipv6 addresses on an interface and guards +addrconf_prefix_rcv to install further addresses as soon as this limit +is reached. We only generate temporary addresses in direct response of +a new address showing up. As soon as we filled up the maximum number of +addresses of an interface, we stop installing more addresses and thus +also stop generating more temp addresses. + +Even if the attacker tries to generate a lot of temporary addresses +by announcing a prefix and removing it again (lifetime == 0) we won't +install more temp addresses, because the temporary addresses do count +to the maximum number of addresses, thus we would stop installing new +autoconfigured addresses when the limit is reached. + +This patch fixes CVE-2013-0343 (but other layer-2 attacks are still +possible). + +Thanks to Ding Tianhong to bring this topic up again. + +Cc: Ding Tianhong <dingtianhong@huawei.com> +Cc: George Kargiotakis <kargig@void.gr> +Cc: P J P <ppandit@redhat.com> +Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Acked-by: Ding Tianhong <dingtianhong@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/addrconf.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index fb8c94c..21b7a87 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1124,12 +1124,10 @@ retry: + if (ifp->flags & IFA_F_OPTIMISTIC) + addr_flags |= IFA_F_OPTIMISTIC; + +- ift = !max_addresses || +- ipv6_count_addresses(idev) < max_addresses ? +- ipv6_add_addr(idev, &addr, tmp_plen, ++ ift = ipv6_add_addr(idev, &addr, tmp_plen, + ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, +- addr_flags) : NULL; +- if (IS_ERR_OR_NULL(ift)) { ++ addr_flags); ++ if (IS_ERR(ift)) { + in6_ifa_put(ifp); + in6_dev_put(idev); + pr_info("%s: retry temporary address regeneration\n", __func__); +-- +1.8.3.1 + |
