From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753528AbbK2WHv (ORCPT ); Sun, 29 Nov 2015 17:07:51 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:56462 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753249AbbK2WBM (ORCPT ); Sun, 29 Nov 2015 17:01:12 -0500 Message-Id: <20151129214703.043245347@1wt.eu> User-Agent: quilt/0.63-1 Date: Sun, 29 Nov 2015 22:47:06 +0100 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Marcelo Ricardo Leitner , Sabrina Dubroca , "David S. Miller" , Ben Hutchings , Willy Tarreau Subject: [PATCH 2.6.32 04/38] [PATCH 04/38] ipv6: addrconf: validate new MTU before applying it MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 In-Reply-To: <8acf8256ccc72771a80b7851061027bc@local> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ commit 77751427a1ff25b27d47a4c36b12c3c8667855ac upstream. Currently we don't check if the new MTU is valid or not and this allows one to configure a smaller than minimum allowed by RFCs or even bigger than interface own MTU, which is a problem as it may lead to packet drops. If you have a daemon like NetworkManager running, this may be exploited by remote attackers by forging RA packets with an invalid MTU, possibly leading to a DoS. (NetworkManager currently only validates for values too small, but not for too big ones.) The fix is just to make sure the new value is valid. That is, between IPV6_MIN_MTU and interface's MTU. Note that similar check is already performed at ndisc_router_discovery(), for when kernel itself parses the RA. Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller [bwh: Backported to 2.6.32: - Add a strategy for the sysctl as we don't get a default strategy - Adjust context, spacing] Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau --- net/ipv6/addrconf.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index e8c4fd9..34eed01 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4036,6 +4036,40 @@ static int addrconf_sysctl_forward_strategy(ctl_table *table, return addrconf_fixup_forwarding(table, valp, val); } +static +struct ctl_table *addrconf_sysctl_mtu_init(struct ctl_table *newctl, + const struct ctl_table *ctl) +{ + struct inet6_dev *idev = ctl->extra1; + static int min_mtu = IPV6_MIN_MTU; + + *newctl = *ctl; + newctl->extra1 = &min_mtu; + newctl->extra2 = idev ? &idev->dev->mtu : NULL; + return newctl; +} + +static +int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + struct ctl_table lctl; + + return proc_dointvec_minmax(addrconf_sysctl_mtu_init(&lctl, ctl), + write, buffer, lenp, ppos); +} + +static int addrconf_sysctl_mtu_strategy(struct ctl_table *ctl, + void __user *oldval, + size_t __user *oldlenp, + void __user *newval, size_t newlen) +{ + struct ctl_table lctl; + + return sysctl_intvec(addrconf_sysctl_mtu_init(&lctl, ctl), + oldval, oldlenp, newval, newlen); +} + static void dev_disable_change(struct inet6_dev *idev) { if (!idev || !idev->dev) @@ -4142,7 +4176,8 @@ static struct addrconf_sysctl_table .data = &ipv6_devconf.mtu6, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = addrconf_sysctl_mtu, + .strategy = addrconf_sysctl_mtu_strategy, }, { .ctl_name = NET_IPV6_ACCEPT_RA, -- 1.7.12.2.21.g234cd45.dirty