Fwd: Re: CVS commit: src/sys/netinet
On 10/02/2018 at 23:49, David H. Gutteridge wrote:
> On Mon, 05 Feb 2018, at 13:23:11 +0000, Maxime Villard wrote:
>> Module Name:    src
>> Committed By:   maxv
>> Date:           Mon Feb 5 13:23:11 UTC 2018
>>
>> Modified Files:
>>     src/sys/netinet: ip_input.c
>>
>> Log Message:
>> Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
>> completely dumb idea, because they have security implications.
>>
>> By sending an IPv4 packet containing an LSRR option, an attacker will
>> cause the system to forward the packet to another IPv4 address - and
>> this way he white-washes the source of the packet.
>>
>> It is also possible for an attacker to reach hidden networks: if a server
>> has a public address, and a private one on an internal network (network
>> which has several internal machines connected), the attacker can send a
>> packet with:
>>
>> source = 0.0.0.0
>> destination = public address of the server
>> LSRR first address = address of a machine on the internal network
>>
>> And the packet will be forwarded, by the server, to the internal machine,
>> in some cases even with the internal IP address of the server as a source.
>
> Hello,
>
> This particular fix has been pulled up to the various 6.x and 7.x branches,
> but not to 8.0_BETA. Is that still pending because it's part of a larger
> planned change set?

Yes.

Maxime
Re: CVS commit: src/sys/netinet
On Mon, 05 Feb 2018, at 13:23:11 +0000, Maxime Villard wrote:
> Module Name:    src
> Committed By:   maxv
> Date:           Mon Feb 5 13:23:11 UTC 2018
>
> Modified Files:
>     src/sys/netinet: ip_input.c
>
> Log Message:
> Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
> completely dumb idea, because they have security implications.
>
> By sending an IPv4 packet containing an LSRR option, an attacker will
> cause the system to forward the packet to another IPv4 address - and
> this way he white-washes the source of the packet.
>
> It is also possible for an attacker to reach hidden networks: if a server
> has a public address, and a private one on an internal network (network
> which has several internal machines connected), the attacker can send a
> packet with:
>
> source = 0.0.0.0
> destination = public address of the server
> LSRR first address = address of a machine on the internal network
>
> And the packet will be forwarded, by the server, to the internal machine,
> in some cases even with the internal IP address of the server as a source.

Hello,

This particular fix has been pulled up to the various 6.x and 7.x branches,
but not to 8.0_BETA. Is that still pending because it's part of a larger
planned change set?

Thanks for all the improvements you've been making!

Regards,
Dave
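The LSRR handling the quoted commit message describes, as an added example that is not part of this thread or of NetBSD's ip_input.c: a standalone C routine that walks the IPv4 options area and reports whether a source-route option is present and which address it names as the first hop, the check a host that runs with ip_allowsrcrt and ip_forwsrcrt disabled applies before dropping such packets. It goes one step beyond the commit message by also flagging the strict variant (SSRR); the sample packet, the 203.0.113.10 "public" address and the 10.0.0.5 internal hop are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_LSRR 131  /* loose source and record route (the option in the commit) */
#define IPOPT_SSRR 137  /* strict variant, flagged as well */

/* Walk the IPv4 options area looking for a source-route option. Returns 1 if
 * LSRR/SSRR is present (*first_hop = first listed address, host byte order,
 * 0 if the list is empty), 0 if absent, -1 if the header is malformed.
 * A host with ip_allowsrcrt/ip_forwsrcrt off drops on 1 and on -1. */
int find_source_route(const uint8_t *pkt, size_t len, uint32_t *first_hop)
{
    *first_hop = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;    /* not a full IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return -1;           /* bad IHL */
    for (size_t off = 20; off < hlen;) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= hlen) return -1;                /* type byte, no length */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > hlen) return -1;  /* option past header end */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (olen >= 7) {                           /* type, len, ptr + 1 addr */
                const uint8_t *a = pkt + off + 3;
                *first_hop = (uint32_t)a[0] << 24 | (uint32_t)a[1] << 16 |
                             (uint32_t)a[2] << 8 | a[3];
            }
            return 1;
        }
        off += olen;
    }
    return 0;
}

/* Constructed sample, not a capture: IHL=8, src 0.0.0.0, dst 203.0.113.10 as a
 * stand-in for the server's public address, LSRR whose first hop is 10.0.0.5. */
static const uint8_t kSampleLsrr[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0, 0, 0, 0, 203, 0, 113, 10,
    IPOPT_LSRR, 7, 4, 10, 0, 0, 5, IPOPT_EOL, 0, 0, 0, 0 };

/* Named wrappers over the sample so the verdict and first hop can be checked. */
int sample_verdict(void) { uint32_t h; return find_source_route(kSampleLsrr, sizeof kSampleLsrr, &h); }
uint32_t sample_first_hop(void) { uint32_t h; find_source_route(kSampleLsrr, sizeof kSampleLsrr, &h); return h; }
```

On the sample the routine returns 1 with a first hop of 0x0a000005 (10.0.0.5), which is exactly the packet the commit message warns the server would forward onto the internal network when the two sysctls are enabled.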
re: CVS commit: src/include
Christos Zoulas writes:
> In article <20180207130259.ga21...@britannica.bec.de>,
> Joerg Sonnenberger wrote:
> > On Tue, Feb 06, 2018 at 03:21:21PM -0500, Christos Zoulas wrote:
> >> Module Name:    src
> >> Committed By:   christos
> >> Date:           Tue Feb 6 20:21:21 UTC 2018
> >>
> >> Modified Files:
> >>     src/include: unistd.h
> >>
> >> Log Message:
> >> detect duplicate declaration of pthread_atfork() in pthread.h
> >
> > Is this for some new broken GCC warning?
>
> This is what the compiler said, and we have prior art for this (macro
> protect to avoid dup declarations -- grep for _DECLARED).

why is it a problem to declare the function twice? what was the context
of the compiler?

.mrg.