Module Name: src Committed By: martin Date: Sat May 2 18:23:26 UTC 2015
Modified Files: src/sys/netinet6 [netbsd-7]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by roy in ticket #731): sys/netinet6/nd6_rtr.c: revision 1.99 Mitigate Local Denial of Service with IPv6 Router Advertisements and log attack attempts. Fixes CVE-2015-2923, taken from FreeBSD. To generate a diff of this commit: cvs rdiff -u -r1.93.2.2 -r1.93.2.3 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/nd6_rtr.c
diff -u src/sys/netinet6/nd6_rtr.c:1.93.2.2 src/sys/netinet6/nd6_rtr.c:1.93.2.3
--- src/sys/netinet6/nd6_rtr.c:1.93.2.2	Mon Apr  6 01:32:33 2015
+++ src/sys/netinet6/nd6_rtr.c	Sat May  2 18:23:25 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_rtr.c,v 1.93.2.2 2015/04/06 01:32:33 snj Exp $	*/
+/*	$NetBSD: nd6_rtr.c,v 1.93.2.3 2015/05/02 18:23:25 martin Exp $	*/
 /*	$KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.93.2.2 2015/04/06 01:32:33 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.93.2.3 2015/05/02 18:23:25 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -272,8 +272,15 @@ nd6_ra_input(struct mbuf *m, int off, in
 	}
 	if (nd_ra->nd_ra_retransmit)
 		ndi->retrans = ntohl(nd_ra->nd_ra_retransmit);
-	if (nd_ra->nd_ra_curhoplimit)
-		ndi->chlim = nd_ra->nd_ra_curhoplimit;
+	if (nd_ra->nd_ra_curhoplimit) {
+		if (ndi->chlim < nd_ra->nd_ra_curhoplimit)
+			ndi->chlim = nd_ra->nd_ra_curhoplimit;
+		else if (ndi->chlim != nd_ra->nd_ra_curhoplimit)
+			log(LOG_ERR, "nd_ra_input: lower CurHopLimit sent from "
+			    "%s on %s (current=%d, received=%d), ignored\n",
+			    ip6_sprintf(&ip6->ip6_src),
+			    if_name(ifp), ndi->chlim, nd_ra->nd_ra_curhoplimit);
+	}
 
 	dr = defrtrlist_update(&drtr);
 }
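Review bot: The new `log(LOG_ERR, ...)` branch in the third hunk fires once for every RA carrying a lower CurHopLimit with no rate limiting, so a sustained stream of such packets, which this change is meant to neutralise, now turns into unbounded kernel-log traffic instead; a per-interface or global rate check around the log call would keep the mitigation from creating a second pressure point. The new comparison also makes `ndi->chlim` effectively monotonic: once any RA has raised it, a later legitimate router advertising a smaller (non-zero) value is rejected and logged as if it were an attack, and nothing in the hunk ever resets it, which is worth stating next to the code so operators reading the LOG_ERR line do not chase a phantom attacker. I would add above the new `if`: `/* CVE-2015-2923: never let an RA lower CurHopLimit (a tiny limit drops all off-link traffic); note chlim only ever rises here. */`. The `%d` conversions are fine for the promoted 8-bit fields. The enclosing nd6_ra_input begins and ends outside the hunk.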