diff options
| author | Marcelo Leitner <mleitner@redhat.com> | 2015-02-23 11:17:13 -0300 |
|---|---|---|
| committer | Luis Henriques <luis.henriques@canonical.com> | 2015-09-11 17:22:59 +0100 |
| commit | fd0ad1be8dfb877e31f07f11c120badce12ba09f (patch) | |
| tree | 0686d804c8dfa612c11a6e26c8258021b84e484d /net | |
| parent | 76aee4f56fe6a10b449327f83989474be1d8224c (diff) | |
| download | linux-stable-fd0ad1be8dfb877e31f07f11c120badce12ba09f.tar.gz linux-stable-fd0ad1be8dfb877e31f07f11c120badce12ba09f.tar.bz2 linux-stable-fd0ad1be8dfb877e31f07f11c120badce12ba09f.zip | |
ipv6: addrconf: validate new MTU before applying it
commit 77751427a1ff25b27d47a4c36b12c3c8667855ac upstream.
Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet
drops.
If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)
The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.
Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Moritz Muehlenhoff <jmm@debian.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/addrconf.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 4a9a34954923..75630e173adf 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4789,6 +4789,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, return ret; } +static +int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + struct inet6_dev *idev = ctl->extra1; + int min_mtu = IPV6_MIN_MTU; + struct ctl_table lctl; + + lctl = *ctl; + lctl.extra1 = &min_mtu; + lctl.extra2 = idev ? &idev->dev->mtu : NULL; + + return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos); +} + static void dev_disable_change(struct inet6_dev *idev) { struct netdev_notifier_info info; @@ -4940,7 +4955,7 @@ static struct addrconf_sysctl_table .data = &ipv6_devconf.mtu6, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = addrconf_sysctl_mtu, }, { .procname = "accept_ra", |