Sophie


kernel-2.6.18-238.el5.src.rpm

From: Thomas Graf <tgraf@redhat.com>
Subject: [RHEL5.0 BZ238065]: CVE-2007-2242 IPv6 routing headers issue
Date: Thu, 3 May 2007 20:55:36 +0200
Bugzilla: 238065
Message-Id: <20070503185536.GA4949@lsx.localdomain>
Changelog: [net] disallow RH0 by default


Backport of the fix to disallow RH0 by default. The original
upstream patch introduces a configuration option which breaks
kABI as it extends a struct which is embedded into another
public structure and is thus not acceptable as-is. Therefore
the decision has been made to disallow routing header type 0
in general for now, a configuration option to enable certain
uses again can be added later when more time for testing is
available without the pressure of a security issue. Also the
code is kept close to the upstream version to ease a possible
backporting of Mobile IPv6 which will require receiving routing
header type 2.

commit 0bcbc92629044b5403719f77fb015e9005b1f504
Author: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

    [IPV6]: Disallow RH0 by default.
    
    A security issue is emerging.  Disallow Routing Header Type 0 by default
    as we have been doing for IPv4.
    Note: We allow RH2 by default because it is harmless.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Index: linux-2.6.18.noarch/net/ipv6/exthdrs.c
===================================================================
--- linux-2.6.18.noarch.orig/net/ipv6/exthdrs.c	2007-05-03 00:05:43.000000000 +0200
+++ linux-2.6.18.noarch/net/ipv6/exthdrs.c	2007-05-03 19:41:58.000000000 +0200
@@ -235,6 +235,20 @@ static int ipv6_rthdr_rcv(struct sk_buff
 
 	hdr = (struct ipv6_rt_hdr *) skb->h.raw;
 
+	switch (hdr->type) {
+	case IPV6_SRCRT_TYPE_0:
+		/* Completely disallow routing header type 0 for now, it can be
+		 * made conditional at a later point if needed. Even though the
+		 * code is non functional at the moment, it is left intact to
+		 * allow backporting Mobile IPv6 later on. */
+		kfree_skb(skb);
+		return -1;
+	default:
+		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+		return -1;
+	}
+
 	if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
 	    skb->pkt_type != PACKET_HOST) {
 		IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
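Review bot: the IPV6_SRCRT_TYPE_0 arm of the new switch frees the packet with kfree_skb(skb) without incrementing any counter, while the default arm does bump IPSTATS_MIB_INHDRERRORS. Dropped RH0 packets therefore leave no trace in the IPv6 MIB statistics, which is the traffic an operator would most want to see counted after CVE-2007-2242. Consider adding IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); before the kfree_skb(skb) call. Both arms return -1, so the multicast/PACKET_HOST check that follows and the rest of the function are now unreachable, and the type check now runs before the destination-address check instead of after it. The in-code comment mentions the dead code, but the description should also state that the reordering is intended.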
@@ -253,12 +267,6 @@ looped_back:
 		return 1;
 	}
 
-	if (hdr->type != IPV6_SRCRT_TYPE_0) {
-		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
-		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
-		return -1;
-	}
-	
 	if (hdr->hdrlen & 0x01) {
 		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
 		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
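Review bot: with the hdr->type != IPV6_SRCRT_TYPE_0 check removed here, nothing in this lower path validates the routing header type any more; it is safe only because the switch added in the first hunk returns in every arm. If a later backport (the description mentions Mobile IPv6 and routing header type 2) adds an arm that falls through, the hdrlen check and the code after it will run for that type with no type-specific validation. A short comment at this spot noting that type filtering now lives in the switch at the top of ipv6_rthdr_rcv() would keep that dependency visible.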