[kernel] r22475 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Mon Apr 6 17:45:04 UTC 2015
Author: benh
Date: Mon Apr 6 17:45:04 2015
New Revision: 22475
Log:
ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
Added:
dists/sid/linux/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Mon Apr 6 17:31:57 2015 (r22474)
+++ dists/sid/linux/debian/changelog Mon Apr 6 17:45:04 2015 (r22475)
@@ -186,6 +186,7 @@
* ext4: allocate entire range in zero range (CVE-2015-0275)
* [x86] microcode/intel: Guard against stack overflow in the loader
(CVE-2015-2666)
+ * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
-- Ian Campbell <ijc at debian.org> Wed, 18 Mar 2015 21:07:15 +0000
Added: dists/sid/linux/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch Mon Apr 6 17:45:04 2015 (r22475)
@@ -0,0 +1,43 @@
+From: "D.S. Ljungmark" <ljungmark at modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: ipv6: Don't reduce hop limit for an interface
+Origin: https://git.kernel.org/linus/6fd99094de2b83d1d4c8457f2c83483b2828e75a
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Signed-off-by: D.S. Ljungmark <ljungmark at modio.se>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1190,7 +1190,14 @@ static void ndisc_router_discovery(struc
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Mon Apr 6 17:31:57 2015 (r22474)
+++ dists/sid/linux/debian/patches/series Mon Apr 6 17:45:04 2015 (r22475)
@@ -561,3 +561,4 @@
bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
+bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
More information about the Kernel-svn-changes
mailing list