Commit 77751427 authored Feb 23, 2015 by Marcelo Leitner Committed by David S. Miller Feb 23, 2015

ipv6: addrconf: validate new MTU before applying it



Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet
drops.

If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)

The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.

Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 8d4ac39d

net/ipv6/addrconf.c

+16 −1

Original line number	Diff line number	Diff line
		@@ -4903,6 +4903,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
		return ret;
		}

		static
		int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
		void __user buffer, size_t lenp, loff_t *ppos)
		{
		struct inet6_dev *idev = ctl->extra1;
		int min_mtu = IPV6_MIN_MTU;
		struct ctl_table lctl;

		lctl = *ctl;
		lctl.extra1 = &min_mtu;
		lctl.extra2 = idev ? &idev->dev->mtu : NULL;

		return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
		}

		static void dev_disable_change(struct inet6_dev *idev)
		{
		struct netdev_notifier_info info;
		@@ -5054,7 +5069,7 @@ static struct addrconf_sysctl_table
		.data = &ipv6_devconf.mtu6,
		.maxlen = sizeof(int),
		.mode = 0644,
		.proc_handler = proc_dointvec,
		.proc_handler = addrconf_sysctl_mtu,
		},
		{
		.procname = "accept_ra",

Admin message