From: Thomas Graf <tgraf@redhat.com>
Subject: [RHEL5.0 BZ238065]: CVE-2007-2242 IPv6 routing headers issue
Date: Thu, 3 May 2007 20:55:36 +0200
Bugzilla: 238065
Message-Id: <20070503185536.GA4949@lsx.localdomain>
Changelog: [net] disallow RH0 by default

Backport of the fix to disallow RH0 by default.

The original upstream patch introduces a configuration option which breaks kABI as it extends a struct which is embedded into another public structure and is thus not acceptable as-is.

Therefore the decision has been made to disallow routing header type 0 in general for now; a configuration option to enable certain uses again can be added later when more time for testing is available without the pressure of a security issue.

Also the code is kept close to the upstream version to ease a possible backporting of Mobile IPv6 which will require receiving routing header type 2.

commit 0bcbc92629044b5403719f77fb015e9005b1f504
Author: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

[IPV6]: Disallow RH0 by default.

A security issue is emerging. Disallow Routing Header Type 0 by default as we have been doing for IPv4.
Note: We allow RH2 by default because it is harmless.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Index: linux-2.6.18.noarch/net/ipv6/exthdrs.c =================================================================== --- linux-2.6.18.noarch.orig/net/ipv6/exthdrs.c 2007-05-03 00:05:43.000000000 +0200 +++ linux-2.6.18.noarch/net/ipv6/exthdrs.c 2007-05-03 19:41:58.000000000 +0200 
@@ -235,6 +235,20 @@ static int ipv6_rthdr_rcv(struct sk_buff hdr = (struct ipv6_rt_hdr *) skb->h.raw; + switch (hdr->type) { + case IPV6_SRCRT_TYPE_0: + /* Completely disallow routing header type 0 for now, it can be + * made conditional at a later point if needed. Even though the + * code is non functional at the moment, it is left intact to + * allow backporting Mobile IPv6 later on. */ + kfree_skb(skb); + return -1; + default: + IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw); + return -1; + } + if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) || skb->pkt_type != PACKET_HOST) { IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS); @@ -253,12 +267,6 @@ looped_back: return 1; } - if (hdr->type != IPV6_SRCRT_TYPE_0) { - IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); - icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw); - return -1; - } - if (hdr->hdrlen & 0x01) { IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
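
Review bot: In the first hunk (ipv6_rthdr_rcv, the new switch on hdr->type), the IPV6_SRCRT_TYPE_0 case calls kfree_skb(skb) and returns -1 without incrementing any counter, while the default case bumps IPSTATS_MIB_INHDRERRORS. Dropped RH0 packets therefore leave no trace in the MIB statistics, so an administrator cannot tell from the host whether RH0 traffic is arriving and being discarded. Consider adding IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS) ahead of kfree_skb(skb). Separately, the switch sits before the ipv6_addr_is_multicast() / PACKET_HOST check, so a packet with an unknown routing type that used to reach the IPSTATS_MIB_INADDRERRORS path first now goes to icmpv6_param_prob() in the default case; if that reordering is intended, the changelog should say so.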
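
Review bot: In the second hunk (after looped_back:), removing the hdr->type != IPV6_SRCRT_TYPE_0 test leaves the hdrlen handling below it with no type guard of its own; it is safe only because both arms of the switch added in the first hunk return -1. If a case is later added that falls through (the changelog mentions receiving type 2 for Mobile IPv6), that header would be parsed by code that was previously reachable for type 0 only. A short comment at this spot stating that type validation now lives in the switch at the top of the function, or keeping an explicit type check here, would make that dependency visible to whoever does the later backport.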