netdev.vger.kernel.org archive mirror
* [PATCH 1/3] decnet: Move to staging
@ 2010-11-23  3:51 Ben Hutchings
  2010-11-23  4:31 ` Stephen Hemminger
  0 siblings, 1 reply; 3+ messages in thread
From: Ben Hutchings @ 2010-11-23  3:51 UTC (permalink / raw)
  To: David Miller, Greg Kroah-Hartman; +Cc: netdev, devel, Debian kernel maintainers

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation.

The decnet protocol (PF_DECnet) is unmaintained.  Since 2.6.12-rc2 the
only changes appear to be adjustments for net API changes and fixes
for bugs found by inspection.

This protocol generally should not be enabled by distributions, since
the cost of a security flaw affecting all installed systems presumably
outweighs the benefit to the few (if any) legitimate users.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/Kconfig |    2 ++
 net/Kconfig             |    2 --
 net/decnet/Kconfig      |    3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/Kconfig b/drivers/staging/Kconfig
index 5eafdf4..dd94cb2 100644
--- a/drivers/staging/Kconfig
+++ b/drivers/staging/Kconfig
@@ -175,5 +175,7 @@ source "drivers/staging/intel_sst/Kconfig"
 
 source "drivers/staging/speakup/Kconfig"
 
+source "net/decnet/Kconfig"
+
 endif # !STAGING_EXCLUDE_BUILD
 endif # STAGING
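Review bot: placing the `source "net/decnet/Kconfig"` line inside the `if !STAGING_EXCLUDE_BUILD` / `if STAGING` block makes every DECnet option depend on both symbols, so an existing configuration with STAGING unset or STAGING_EXCLUDE_BUILD set loses DECnet at the next oldconfig without any prompt. The commit message should state that consequence, and since the diffstat touches only Kconfig files, it should also say that the sources stay under net/decnet.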
diff --git a/net/Kconfig b/net/Kconfig
index 55fd82e..9e4fc29 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -186,7 +186,6 @@ config BRIDGE_NETFILTER
 source "net/netfilter/Kconfig"
 source "net/ipv4/netfilter/Kconfig"
 source "net/ipv6/netfilter/Kconfig"
-source "net/decnet/netfilter/Kconfig"
 source "net/bridge/netfilter/Kconfig"
 
 endif
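Review bot: the removed `source "net/decnet/netfilter/Kconfig"` line sat inside a conditional block, closed by the `endif` at the end of this hunk, whose opening condition is not visible here. Please confirm that the `if NETFILTER` wrapper added in net/decnet/Kconfig reproduces that condition exactly; if the block here tests anything more, the DECnet netfilter options become selectable in configurations where they were previously hidden.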
@@ -201,7 +200,6 @@ source "net/802/Kconfig"
 source "net/bridge/Kconfig"
 source "net/dsa/Kconfig"
 source "net/8021q/Kconfig"
-source "net/decnet/Kconfig"
 source "net/llc/Kconfig"
 source "net/ipx/Kconfig"
 source "drivers/net/appletalk/Kconfig"
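Review bot: with `source "net/decnet/Kconfig"` removed from this list, the DECnet options no longer inherit whatever conditions enclose this part of net/Kconfig, and the new location in drivers/staging/Kconfig shows only the STAGING conditions. If the entry relied on its position here for a dependency on the networking core, add an explicit `depends on` line to `config DECNET` so the option cannot be selected without it.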
diff --git a/net/decnet/Kconfig b/net/decnet/Kconfig
index 7914fd6..9d17166 100644
--- a/net/decnet/Kconfig
+++ b/net/decnet/Kconfig
@@ -41,3 +41,6 @@ config DECNET_ROUTER
 
 	  See <file:Documentation/networking/decnet.txt> for more information.
 
+if NETFILTER
+source "net/decnet/netfilter/Kconfig"
+endif
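Review bot: the `if NETFILTER` block is appended at file scope, so net/decnet/netfilter/Kconfig is read whenever NETFILTER is set, whether or not DECNET is enabled; unless every option in that file carries its own dependency on DECNET, write the condition as `if DECNET && NETFILTER`. As a style point, the bare `endif` would match the annotated `endif # STAGING` lines in drivers/staging/Kconfig if written as `endif # NETFILTER`.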
-- 
1.7.2.3


* Re: [PATCH 1/3] decnet: Move to staging
  2010-11-23  3:51 [PATCH 1/3] decnet: Move to staging Ben Hutchings
@ 2010-11-23  4:31 ` Stephen Hemminger
  2010-11-23  5:19   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Hemminger @ 2010-11-23  4:31 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: David Miller, Greg Kroah-Hartman, netdev, devel,
	Debian kernel maintainers

On Tue, 23 Nov 2010 03:51:53 +0000
Ben Hutchings <ben@decadent.org.uk> wrote:

> Recent review has revealed several bugs in obscure protocol
> implementations that can be exploited by local users for denial of
> service or privilege escalation.
> 
> The decnet protocol (PF_DECnet) is unmaintained.  Since 2.6.12-rc2 the
> only changes appear to be adjustments for net API changes and fixes
> for bugs found by inspection.
> 
> This protocol generally should not be enabled by distributions, since
> the cost of a security flaw affecting all installed systems presumably
> outweighs the benefit to the few (if any) legitimate users.
> 
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

NAK there are still users and stuff does get fixed.
If you don't like it then disable it from config.



-- 


* Re: [PATCH 1/3] decnet: Move to staging
  2010-11-23  4:31 ` Stephen Hemminger
@ 2010-11-23  5:19   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2010-11-23  5:19 UTC (permalink / raw)
  To: shemminger; +Cc: ben, gregkh, netdev, devel, debian-kernel

From: Stephen Hemminger <shemminger@vyatta.com>
Date: Mon, 22 Nov 2010 20:31:31 -0800

> On Tue, 23 Nov 2010 03:51:53 +0000
> Ben Hutchings <ben@decadent.org.uk> wrote:
> 
>> Recent review has revealed several bugs in obscure protocol
>> implementations that can be exploited by local users for denial of
>> service or privilege escalation.
>> 
>> The decnet protocol (PF_DECnet) is unmaintained.  Since 2.6.12-rc2 the
>> only changes appear to be adjustments for net API changes and fixes
>> for bugs found by inspection.
>> 
>> This protocol generally should not be enabled by distributions, since
>> the cost of a security flaw affecting all installed systems presumably
>> outweighs the benefit to the few (if any) legitimate users.
>> 
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> 
> NAK there are still users and stuff does get fixed.
> If you don't like it then disable it from config.

Seriously, I can't even remember a bona fide security flaw in decnet
being found recently and in fact the decnet stack is very well written
code.
