diff options
| author | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2007-04-24 17:58:30 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2007-04-24 17:58:30 -0400 |
| commit | 0bcbc92629044b5403719f77fb015e9005b1f504 (patch) | |
| tree | ac9635a8ac7b14edcaa0e5ad42a5bc70f778ec33 /net/ipv6/addrconf.c | |
| parent | 05d224468a273a9ee773a0e9d34227ee7f2c0840 (diff) | |
[IPV6]: Disallow RH0 by default.
A security issue is emerging. Disallow Routing Header Type 0 by default
as we have been doing for IPv4.
Note: We allow RH2 by default because it is harmless.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/addrconf.c')
| -rw-r--r-- | net/ipv6/addrconf.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 7552663aa125..452a82ce4796 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
| @@ -172,6 +172,7 @@ struct ipv6_devconf ipv6_devconf __read_mostly = { | |||
| 172 | #endif | 172 | #endif |
| 173 | #endif | 173 | #endif |
| 174 | .proxy_ndp = 0, | 174 | .proxy_ndp = 0, |
| 175 | .accept_source_route = 0, /* we do not accept RH0 by default. */ | ||
| 175 | }; | 176 | }; |
| 176 | 177 | ||
| 177 | static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { | 178 | static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { |
| @@ -203,6 +204,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { | |||
| 203 | #endif | 204 | #endif |
| 204 | #endif | 205 | #endif |
| 205 | .proxy_ndp = 0, | 206 | .proxy_ndp = 0, |
| 207 | .accept_source_route = 0, /* we do not accept RH0 by default. */ | ||
| 206 | }; | 208 | }; |
| 207 | 209 | ||
| 208 | /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */ | 210 | /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */ |
| @@ -3356,6 +3358,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, | |||
| 3356 | #endif | 3358 | #endif |
| 3357 | #endif | 3359 | #endif |
| 3358 | array[DEVCONF_PROXY_NDP] = cnf->proxy_ndp; | 3360 | array[DEVCONF_PROXY_NDP] = cnf->proxy_ndp; |
| 3361 | array[DEVCONF_ACCEPT_SOURCE_ROUTE] = cnf->accept_source_route; | ||
| 3359 | } | 3362 | } |
| 3360 | 3363 | ||
| 3361 | static inline size_t inet6_if_nlmsg_size(void) | 3364 | static inline size_t inet6_if_nlmsg_size(void) |
| @@ -3884,6 +3887,14 @@ static struct addrconf_sysctl_table | |||
| 3884 | .proc_handler = &proc_dointvec, | 3887 | .proc_handler = &proc_dointvec, |
| 3885 | }, | 3888 | }, |
| 3886 | { | 3889 | { |
| 3890 | .ctl_name = NET_IPV6_ACCEPT_SOURCE_ROUTE, | ||
| 3891 | .procname = "accept_source_route", | ||
| 3892 | .data = &ipv6_devconf.accept_source_route, | ||
| 3893 | .maxlen = sizeof(int), | ||
| 3894 | .mode = 0644, | ||
| 3895 | .proc_handler = &proc_dointvec, | ||
| 3896 | }, | ||
| 3897 | { | ||
| 3887 | .ctl_name = 0, /* sentinel */ | 3898 | .ctl_name = 0, /* sentinel */ |
| 3888 | } | 3899 | } |
| 3889 | }, | 3900 | }, |