ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
svn path=/dists/sid/linux/; revision=22475
This commit is contained in:
parent
6bc904578f
commit
ab89a645d4
|
@ -186,6 +186,7 @@ linux (3.16.7-ckt9-1) UNRELEASED; urgency=medium
|
|||
* ext4: allocate entire range in zero range (CVE-2015-0275)
|
||||
* [x86] microcode/intel: Guard against stack overflow in the loader
|
||||
(CVE-2015-2666)
|
||||
* ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
|
||||
|
||||
-- Ian Campbell <ijc@debian.org> Wed, 18 Mar 2015 21:07:15 +0000
|
||||
|
||||
|
|
43
debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
vendored
Normal file
43
debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
vendored
Normal file
|
@ -0,0 +1,43 @@
|
|||
From: "D.S. Ljungmark" <ljungmark@modio.se>
|
||||
Date: Wed, 25 Mar 2015 09:28:15 +0100
|
||||
Subject: ipv6: Don't reduce hop limit for an interface
|
||||
Origin: https://git.kernel.org/linus/6fd99094de2b83d1d4c8457f2c83483b2828e75a
|
||||
|
||||
A local route may have a lower hop_limit set than global routes do.
|
||||
|
||||
RFC 3756, Section 4.2.7, "Parameter Spoofing"
|
||||
|
||||
> 1. The attacker includes a Current Hop Limit of one or another small
|
||||
> number which the attacker knows will cause legitimate packets to
|
||||
> be dropped before they reach their destination.
|
||||
|
||||
> As an example, one possible approach to mitigate this threat is to
|
||||
> ignore very small hop limits. The nodes could implement a
|
||||
> configurable minimum hop limit, and ignore attempts to set it below
|
||||
> said limit.
|
||||
|
||||
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ndisc.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/ipv6/ndisc.c
|
||||
+++ b/net/ipv6/ndisc.c
|
||||
@@ -1190,7 +1190,14 @@ static void ndisc_router_discovery(struc
|
||||
if (rt)
|
||||
rt6_set_expires(rt, jiffies + (HZ * lifetime));
|
||||
if (ra_msg->icmph.icmp6_hop_limit) {
|
||||
- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ /* Only set hop_limit on the interface if it is higher than
|
||||
+ * the current hop_limit.
|
||||
+ */
|
||||
+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
|
||||
+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
|
||||
+ } else {
|
||||
+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
|
||||
+ }
|
||||
if (rt)
|
||||
dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
|
||||
ra_msg->icmph.icmp6_hop_limit);
|
|
@ -561,3 +561,4 @@ bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
|
|||
bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
|
||||
bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
|
||||
bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
|
||||
bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
|
||||
|
|
Loading…
Reference in New Issue