From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
To: Ding Tianhong <dingtianhong@huawei.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Netdev <netdev@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH 1/2] ipv6: do not disable temp_address when reaching max_address
Date: Tue, 13 Aug 2013 18:31:11 +0400 [thread overview]
Message-ID: <520A432F.4000308@cogentembedded.com> (raw)
In-Reply-To: <5209CEE2.70908@huawei.com>
Hello.
On 08/13/2013 10:14 AM, Ding Tianhong wrote:
> A LAN user can remotely disable temporary address which may lead
> to privacy violatins and information disclosure.
> The reason is that the linux kernel uses the 'ipv6.max_addresses'
> option to specify how many ipv6 addresses and interface may have.
> The 'ipv6.regen_max_retry' (default value 3) option specifies
> how many times the kernel will try to create a new address.
> But the kernel is not distinguish between the event of reaching
> max_addresses for an interface and failing to generate a new address.
> the kernel disable the temporary address after regenerate a new
> address 'regen_max_retry' times.
> According RFC4941 3.3.7:
> ---------------------------------------
> If DAD indicates the address is already in use,
> the node must generate a new randomized interface
> identifier as described in section 3.2 above, and
> repeat the previous steps as appropriate up to
> TEMP_IDGEN_RETRIES times.
> If after TEMP_IDGEN_RETRIES consecutive attempts no
> non-unique address was generated, the node must log
> a system error and must not attempt to generate
> temporary address for that interface.
> ------------------------------------------
> RFC4941 3.3.7 specifies that disabling the temp_address must happen
> upon the address is already in use, not reach the max_address,
> So we have to check the return err and distinguish the correct retry path.
> This fixes CVE-2013-0343
> Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
> Tested-by: Wang Weidong <wangweidong1@huawei.com>
> Cc: David S. Miller <davem@davemloft.net>
> ---
> net/ipv6/addrconf.c | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index da4241c..99f9fd5 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -1134,10 +1134,27 @@ retry:
[...]
> + if (PTR_ERR(ift) == -EEXIST) {
> + pr_info("%s: retry temporary address regeneration\n", __func__);
> + tmpaddr = &addr;
> + write_lock(&idev->lock);
> + goto retry;
> + } else
> + goto out;
According to CodingStyle, both arms of the *if* statement should have {}
if one has it.
WBR, Sergei
next prev parent reply other threads:[~2013-08-13 14:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-13 6:14 [PATCH 1/2] ipv6: do not disable temp_address when reaching max_address Ding Tianhong
2013-08-13 14:31 ` Sergei Shtylyov [this message]
2013-08-14 1:41 ` Ding Tianhong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=520A432F.4000308@cogentembedded.com \
--to=sergei.shtylyov@cogentembedded.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.