diff options
| author | Marcelo Leitner <mleitner@redhat.com> | 2015-02-23 09:17:13 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-02-23 18:16:12 -0500 |
| commit | 77751427a1ff25b27d47a4c36b12c3c8667855ac (patch) | |
| tree | aecd97232dd3fe3977adcef402ea3be1b60eeef9 /net | |
| parent | 8d4ac39df09c6f8078af60cd0ddd7b2435728e72 (diff) | |
ipv6: addrconf: validate new MTU before applying it
Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet
drops.
If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)
The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.
Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/addrconf.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 98e4a63d72bb..b6030025f411 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
| @@ -4903,6 +4903,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, | |||
| 4903 | return ret; | 4903 | return ret; |
| 4904 | } | 4904 | } |
| 4905 | 4905 | ||
| 4906 | static | ||
| 4907 | int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, | ||
| 4908 | void __user *buffer, size_t *lenp, loff_t *ppos) | ||
| 4909 | { | ||
| 4910 | struct inet6_dev *idev = ctl->extra1; | ||
| 4911 | int min_mtu = IPV6_MIN_MTU; | ||
| 4912 | struct ctl_table lctl; | ||
| 4913 | |||
| 4914 | lctl = *ctl; | ||
| 4915 | lctl.extra1 = &min_mtu; | ||
| 4916 | lctl.extra2 = idev ? &idev->dev->mtu : NULL; | ||
| 4917 | |||
| 4918 | return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos); | ||
| 4919 | } | ||
| 4920 | |||
| 4906 | static void dev_disable_change(struct inet6_dev *idev) | 4921 | static void dev_disable_change(struct inet6_dev *idev) |
| 4907 | { | 4922 | { |
| 4908 | struct netdev_notifier_info info; | 4923 | struct netdev_notifier_info info; |
| @@ -5054,7 +5069,7 @@ static struct addrconf_sysctl_table | |||
| 5054 | .data = &ipv6_devconf.mtu6, | 5069 | .data = &ipv6_devconf.mtu6, |
| 5055 | .maxlen = sizeof(int), | 5070 | .maxlen = sizeof(int), |
| 5056 | .mode = 0644, | 5071 | .mode = 0644, |
| 5057 | .proc_handler = proc_dointvec, | 5072 | .proc_handler = addrconf_sysctl_mtu, |
| 5058 | }, | 5073 | }, |
| 5059 | { | 5074 | { |
| 5060 | .procname = "accept_ra", | 5075 | .procname = "accept_ra", |