summaryrefslogtreecommitdiffstats
path: root/net/ipv6/sit.c
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-11-05 09:03:48 +0100
committerAdrian Bunk <bunk@stusta.de>2006-11-05 09:03:48 +0100
commit6ac62be885810e1f8390f0c3b9d3ee451d3d3f19 (patch)
treee2acfd140a132f805ebb4d8a61186a20a9d48dac /net/ipv6/sit.c
parent0ac0a20823b92bf2bd39aa83c59c247b41ba3e44 (diff)
downloadlinux-stable-6ac62be885810e1f8390f0c3b9d3ee451d3d3f19.tar.gz
linux-stable-6ac62be885810e1f8390f0c3b9d3ee451d3d3f19.tar.bz2
linux-stable-6ac62be885810e1f8390f0c3b9d3ee451d3d3f19.zip
[NETFILTER]: Fix ip6_tables protocol bypass bug (CVE-2006-4572)
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible to a fragmentation attack causing false negatives on protocol matches. When the protocol header doesn't follow the fragment header immediately, the fragment header contains the protocol number of the next extension header. When the extension header and the protocol header are sent in a second fragment a rule like "ip6tables .. -p udp -j DROP" will never match. Drop fragments that are at offset 0 and don't contain the final protocol header regardless of the ruleset, since this should not happen normally. With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'net/ipv6/sit.c')
0 files changed, 0 insertions, 0 deletions