-rw-r--r-- | ipv6-Don-t-reduce-hop-limit-for-an-interface.patch | 46 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 55 insertions, 0 deletions
diff --git a/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch b/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
new file mode 100644
index 000000000..9b9448681
--- /dev/null
+++ b/ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
@@ -0,0 +1,46 @@
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: [PATCH] ipv6: Don't reduce hop limit for an interface
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 471ed24aabae..14ecdaf06bf7 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
+--
+2.1.0
+
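Review bot: The unchanged `dst_metric_set(&rt->dst, RTAX_HOPLIMIT, ra_msg->icmph.icmp6_hop_limit);` just below the new check still copies the advertised value onto the route with no comparison, so a small hop limit in an RA is rejected for the interface but apparently still applied to the router's route. If the route metric is consulted before `in6_dev->cnf.hop_limit` when packets are sent (not visible in this hunk), the mitigation is only partial; consider moving the `if (rt) dst_metric_set(...)` call into the accepting branch. The `else` branch also runs when the two values are equal, so the "lower hop_limit than current" message is logged for ordinary unchanged RAs; `else if (in6_dev->cnf.hop_limit > ra_msg->icmph.icmp6_hop_limit)` would match the text. Because the value can now only rise, a configurable floor as described in the quoted RFC 3756 text would let a legitimate router lower it again. ndisc_router_discovery() starts and ends outside the hunk.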
diff --git a/kernel.spec b/kernel.spec
index 41aee8838..8ef760032 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -634,6 +634,9 @@ Patch26174: Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
 #CVE-2015-2150 rhbz 1196266 1200397
 Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+#CVE-2015-XXXX rhbz 1203712 1208491
+Patch26177: ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1379,6 +1382,9 @@ ApplyPatch Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch
 #CVE-2015-2150 rhbz 1196266 1200397
 ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+#CVE-2015-XXXX rhbz 1203712 1208491
+ApplyPatch ipv6-Don-t-reduce-hop-limit-for-an-interface.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2229,6 +2235,9 @@ fi
 #
 #
 %changelog
+* Thu Apr 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- DoS against IPv6 stacks due to improper handling of RA (rhbz 1203712 1208491)
+
 * Wed Apr 01 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc6.git1.1
 - Linux v4.0-rc6-31-gd4039314d0b1
 - CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397) |