stable.vger.kernel.org archive mirror
From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ding Tianhong <dingtianhong@huawei.com>,
	George Kargiotakis <kargig@void.gr>, P J P <ppandit@redhat.com>,
	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"David S. Miller" <davem@davemloft.net>, Willy Tarreau <w@1wt.eu>
Subject: [ 068/143] ipv6: remove max_addresses check from ipv6_create_tempaddr
Date: Mon, 12 May 2014 02:33:08 +0200
Message-ID: <20140512003203.463380974@1wt.eu>
In-Reply-To: <f07e5fe6d87f172fc73580b9c86ba9a2@local>

2.6.32-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

[ Upstream commit 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ]

Because of the max_addresses check attackers were able to disable privacy
extensions on an interface by creating enough autoconfigured addresses:

<http://seclists.org/oss-sec/2012/q4/292>

But the check is not actually needed: max_addresses protects the
kernel from installing too many ipv6 addresses on an interface and guards
addrconf_prefix_rcv from installing further addresses as soon as this limit
is reached. We only generate temporary addresses in direct response to
a new address showing up. As soon as we have filled up the maximum number of
addresses of an interface, we stop installing more addresses and thus
also stop generating more temp addresses.

Even if the attacker tries to generate a lot of temporary addresses
by announcing a prefix and removing it again (lifetime == 0), we won't
install more temp addresses, because the temporary addresses do count
toward the maximum number of addresses, thus we would stop installing new
autoconfigured addresses when the limit is reached.

This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
possible).

Thanks to Ding Tianhong for bringing this topic up again.

Cc: Ding Tianhong <dingtianhong@huawei.com>
Cc: George Kargiotakis <kargig@void.gr>
Cc: P J P <ppandit@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 net/ipv6/addrconf.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 8ac3d09..e8c4fd9 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -920,12 +920,10 @@ retry:
 	if (ifp->flags & IFA_F_OPTIMISTIC)
 		addr_flags |= IFA_F_OPTIMISTIC;
 
-	ift = !max_addresses ||
-	      ipv6_count_addresses(idev) < max_addresses ?
-		ipv6_add_addr(idev, &addr, tmp_plen,
-			      ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
-			      addr_flags) : NULL;
-	if (!ift || IS_ERR(ift)) {
+	ift = ipv6_add_addr(idev, &addr, tmp_plen,
+			    ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+			    addr_flags);
+	if (IS_ERR(ift)) {
 		in6_ifa_put(ifp);
 		in6_dev_put(idev);
 		printk(KERN_INFO
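
Review bot: The new test `if (IS_ERR(ift))` drops the `!ift` half of the old condition, which is only safe if ipv6_add_addr() in this 2.6.32 tree reports every failure through ERR_PTR() and never returns NULL. In the removed lines a NULL could come from the ternary's else branch, but the hunk does not show what ipv6_add_addr() itself returns, so please confirm that for the backport, or keep `if (!ift || IS_ERR(ift))` so that a NULL can never get past the error path. The changelog also relies on addrconf_prefix_rcv enforcing max_addresses; with the count check gone from this call site, it would help to state that the 2.6.32 version of addrconf_prefix_rcv carries that check, since it is now the only bound on how many temporary addresses get created.
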
-- 
1.7.12.2.21.g234cd45.dirty



