[kernel] r22498 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Sun Apr 12 19:49:31 UTC 2015

Author: benh
Date: Sun Apr 12 19:49:30 2015
New Revision: 22498

Log:
ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================

--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 17:08:27 2015	(r22497)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 19:49:30 2015	(r22498)
@@ -7,6 +7,7 @@
   * eCryptfs: Remove buggy and unnecessary write in file name decode routine
     (CVE-2014-9683)
   * HID: fix a couple of off-by-ones (CVE-2014-3184)
+  * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch	Sun Apr 12 19:49:30 2015	(r22498)
@@ -0,0 +1,46 @@
+From: "D.S. Ljungmark" <ljungmark at modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: ipv6: Don't reduce hop limit for an interface
+Origin: https://git.kernel.org/linus/6fd99094de2b83d1d4c8457f2c83483b2828e75a
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+>   1.  The attacker includes a Current Hop Limit of one or another small
+>       number which the attacker knows will cause legitimate packets to
+>       be dropped before they reach their destination.
+
+>   As an example, one possible approach to mitigate this threat is to
+>   ignore very small hop limits.  The nodes could implement a
+>   configurable minimum hop limit, and ignore attempts to set it below
+>   said limit.
+
+Signed-off-by: D.S. Ljungmark <ljungmark at modio.se>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: adjust ND_PRINTK() usage]
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 471ed24..14ecdaf 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1244,7 +1244,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ 		rt->rt6i_expires = jiffies + (HZ * lifetime);
+ 
+ 	if (ra_msg->icmph.icmp6_hop_limit) {
+-		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++		/* Only set hop_limit on the interface if it is higher than
++		 * the current hop_limit.
++		 */
++		if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++		} else {
++			ND_PRINTK2(KERN_WARNING "RA: Got route advertisement with lower hop_limit than current\n");
++		}
+ 		if (rt)
+ 			rt->u.dst.metrics[RTAX_HOPLIMIT-1] = ra_msg->icmph.icmp6_hop_limit;
+ 	}

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 17:08:27 2015	(r22497)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 19:49:30 2015	(r22498)
@@ -3,3 +3,4 @@
 + bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
 + bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
 + bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
++ bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch

