jwboyer pushed to kernel (f22). "DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 2 12:27:57 UTC 2015
>From d97032bf4d8394e4edbf252732a57ad107ca2706 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at fedoraproject.org>
Date: Thu, 2 Apr 2015 08:23:52 -0400
Subject: DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712
1208491)
diff --git a/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch b/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
new file mode 100644
index 0000000..9b94486
--- /dev/null
+++ b/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
@@ -0,0 +1,46 @@
+From: "D.S. Ljungmark" <ljungmark at modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: [PATCH] ipv6: Don't reduce hop limit for an interface
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Signed-off-by: D.S. Ljungmark <ljungmark at modio.se>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 471ed24aabae..14ecdaf06bf7 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 41aee88..8ef7600 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -634,6 +634,9 @@ Patch26174: Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
#CVE-2015-2150 rhbz 1196266 1200397
Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+#CVE-2015-XXXX rhbz 1203712 1208491
+Patch26177: ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1379,6 +1382,9 @@ ApplyPatch Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
#CVE-2015-2150 rhbz 1196266 1200397
ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+#CVE-2015-XXXX rhbz 1203712 1208491
+ApplyPatch ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2229,6 +2235,9 @@ fi
#
#
%changelog
+* Thu Apr 02 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
+
* Wed Apr 01 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.0.0-0.rc6.git1.1
- Linux v4.0-rc6-31-gd4039314d0b1
- CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=d97032bf4d8394e4edbf252732a57ad107ca2706
More information about the scm-commits
mailing list