diff options
| author | Marcelo Leitner <mleitner@redhat.com> | 2015-02-23 11:17:13 -0300 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2015-12-06 00:49:02 +0100 |
| commit | 237dfc5b712719a8be1dd9d64726428981261759 (patch) | |
| tree | 53497143b5fd65f13466ea4575e8936bb4f758f7 | |
| parent | 37b602d262f971a3b4c88a2f8db087f173f4d179 (diff) | |
ipv6: addrconf: validate new MTU before applying it
commit 77751427a1ff25b27d47a4c36b12c3c8667855ac upstream.
Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet
drops.
If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)
The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.
Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 2.6.32:
- Add a strategy for the sysctl as we don't get a default strategy
- Adjust context, spacing]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | net/ipv6/addrconf.c | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index e8c4fd90cf34..34eed017ff4e 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4036,6 +4036,40 @@ static int addrconf_sysctl_forward_strategy(ctl_table *table, return addrconf_fixup_forwarding(table, valp, val); } +static +struct ctl_table *addrconf_sysctl_mtu_init(struct ctl_table *newctl, + const struct ctl_table *ctl) +{ + struct inet6_dev *idev = ctl->extra1; + static int min_mtu = IPV6_MIN_MTU; + + *newctl = *ctl; + newctl->extra1 = &min_mtu; + newctl->extra2 = idev ? &idev->dev->mtu : NULL; + return newctl; +} + +static +int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + struct ctl_table lctl; + + return proc_dointvec_minmax(addrconf_sysctl_mtu_init(&lctl, ctl), + write, buffer, lenp, ppos); +} + +static int addrconf_sysctl_mtu_strategy(struct ctl_table *ctl, + void __user *oldval, + size_t __user *oldlenp, + void __user *newval, size_t newlen) +{ + struct ctl_table lctl; + + return sysctl_intvec(addrconf_sysctl_mtu_init(&lctl, ctl), + oldval, oldlenp, newval, newlen); +} + static void dev_disable_change(struct inet6_dev *idev) { if (!idev || !idev->dev) @@ -4142,7 +4176,8 @@ static struct addrconf_sysctl_table .data = &ipv6_devconf.mtu6, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = addrconf_sysctl_mtu, + .strategy = addrconf_sysctl_mtu_strategy, }, { .ctl_name = NET_IPV6_ACCEPT_RA, |