Hi Yoshifuji-san
YOSHIFUJI Hideaki / 吉藤英明 wrote:
> The "fix" for emerging security threats was overkill and it broke
> basic semantic of IPv6 routing header processing. We should assume
> RT0 (or even RT2, depends on configuration) as "unknown" RH type so
> that we
> - silently ignore the routing header if segleft == 0,
> - or, send ICMPv6 Parameter Problem message back to the sender,
> otherwise.
Aren't we jumping the gun a little here...
Things still are not exactly clear in the IPv6 working group.
Especially the whole segleft == 0 thing is another item that
we might have to fix eventually.
-vlad
>
> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> ---
> net/ipv6/exthdrs.c | 47 ++++++++++++++++-------------------------------
> 1 files changed, 16 insertions(+), 31 deletions(-)
>
> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
> index 14be0b9..05e9bb5 100644
> --- a/net/ipv6/exthdrs.c
> +++ b/net/ipv6/exthdrs.c
> @@ -371,22 +371,13 @@ static int ipv6_rthdr_rcv(struct sk_buff **skbp)
> struct rt0_hdr *rthdr;
> int accept_source_route = ipv6_devconf.accept_source_route;
>
> - if (accept_source_route < 0 ||
> - ((idev = in6_dev_get(skb->dev)) == NULL)) {
> - kfree_skb(skb);
> - return -1;
> - }
> - if (idev->cnf.accept_source_route < 0) {
> + idev = in6_dev_get(skb->dev);
> + if (idev) {
> + if (accept_source_route > idev->cnf.accept_source_route)
> + accept_source_route = idev->cnf.accept_source_route;
> in6_dev_put(idev);
> - kfree_skb(skb);
> - return -1;
> }
>
> - if (accept_source_route > idev->cnf.accept_source_route)
> - accept_source_route = idev->cnf.accept_source_route;
> -
> - in6_dev_put(idev);
> -
> if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) ||
> !pskb_may_pull(skb, (skb_transport_offset(skb) +
> ((skb_transport_header(skb)[1] + 1) << 3)))) {
> @@ -398,24 +389,6 @@ static int ipv6_rthdr_rcv(struct sk_buff **skbp)
>
> hdr = (struct ipv6_rt_hdr *)skb_transport_header(skb);
>
> - switch (hdr->type) {
> -#ifdef CONFIG_IPV6_MIP6
> - case IPV6_SRCRT_TYPE_2:
> - break;
> -#endif
> - case IPV6_SRCRT_TYPE_0:
> - if (accept_source_route > 0)
> - break;
> - kfree_skb(skb);
> - return -1;
> - default:
> - IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
> - IPSTATS_MIB_INHDRERRORS);
> - icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
> - (&hdr->type) - skb_network_header(skb));
> - return -1;
> - }
> -
> if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) ||
> skb->pkt_type != PACKET_HOST) {
> IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
> @@ -454,6 +427,8 @@ looped_back:
>
> switch (hdr->type) {
> case IPV6_SRCRT_TYPE_0:
> + if (accept_source_route <= 0)
> + goto unknown_rh;
> if (hdr->hdrlen & 0x01) {
> IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
> IPSTATS_MIB_INHDRERRORS);
> @@ -465,6 +440,8 @@ looped_back:
> break;
> #ifdef CONFIG_IPV6_MIP6
> case IPV6_SRCRT_TYPE_2:
> + if (accept_source_route < 0)
> + goto unknown_rh;
> /* Silently discard invalid RTH type 2 */
> if (hdr->hdrlen != 2 || hdr->segments_left != 1) {
> IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
> @@ -474,6 +451,8 @@ looped_back:
> }
> break;
> #endif
> + default:
> + goto unknown_rh;
> }
>
> /*
> @@ -577,6 +556,12 @@ looped_back:
> skb_push(skb, skb->data - skb_network_header(skb));
> dst_input(skb);
> return -1;
> +
> +unknown_rh:
> + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
> + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
> + (&hdr->type) - skb_network_header(skb));
> + return -1;
> }
>
> static struct inet6_protocol rthdr_protocol = {
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
