Commit 9ed973cc authored by Linus Lüssing's avatar Linus Lüssing Committed by David S. Miller
Browse files

bridge: multicast: add sanity check for general query destination 



General IGMP and MLD queries are supposed to have the multicast
link-local all-nodes address as their destination according to RFC2236
section 9, RFC3376 section 4.1.12/9.1, RFC2710 section 8 and RFC3810
section 5.1.15.

Without this check, such malformed IGMP/MLD queries can result in a
denial of service: The queries are ignored by most IGMP/MLD listeners
therefore they will not respond with an IGMP/MLD report. However,
without this patch these malformed MLD queries would enable the
snooping part in the bridge code, potentially shutting down the
according ports towards these hosts for multicast traffic as the
bridge did not learn about these listeners.

Reported-by: default avatarJan Stancek <jstancek@redhat.com>
Signed-off-by: default avatarLinus Lüssing <linus.luessing@web.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c3f9b018

net/bridge/br_multicast.c

+19 −0
Original line number Diff line number Diff line
@@ -1181,6 +1181,14 @@ static int br_ip4_multicast_query(struct net_bridge *br, 
			    IGMPV3_MRC(ih3->code) * (HZ / IGMP_TIMER_SCALE) : 1;

	}



	/* RFC2236+RFC3376 (IGMPv2+IGMPv3) require the multicast link layer

	 * all-systems destination addresses (224.0.0.1) for general queries

	 */

	if (!group && iph->daddr != htonl(INADDR_ALLHOSTS_GROUP)) {

		err = -EINVAL;

		goto out;

	}



	br_multicast_query_received(br, port, &br->ip4_querier, !!iph->saddr,

				    max_delay);
@@ -1228,6 +1236,7 @@ static int br_ip6_multicast_query(struct net_bridge *br, 
	unsigned long max_delay;

	unsigned long now = jiffies;

	const struct in6_addr *group = NULL;

	bool is_general_query;

	int err = 0;



	spin_lock(&br->multicast_lock);
@@ -1262,6 +1271,16 @@ static int br_ip6_multicast_query(struct net_bridge *br, 
		max_delay = max(msecs_to_jiffies(mldv2_mrc(mld2q)), 1UL);

	}



	is_general_query = group && ipv6_addr_any(group);



	/* RFC2710+RFC3810 (MLDv1+MLDv2) require the multicast link layer

	 * all-nodes destination address (ff02::1) for general queries

	 */

	if (is_general_query && !ipv6_addr_is_ll_all_nodes(&ip6h->daddr)) {

		err = -EINVAL;

		goto out;

	}



	br_multicast_query_received(br, port, &br->ip6_querier,

				    !ipv6_addr_any(&ip6h->saddr), max_delay);

CRA Git | Maintained and supported by SUSTech CRA and CCSE