Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Jan 2013 18:17:28 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss-security@...ts.openwall.com
cc: kargig@...d.gr
Subject: Re: Linux kernel handling of IPv6 temporary
 addresses


   Hello George,

+-- On Wed, 16 Jan 2013, George Kargiotakis wrote --+
| You can reproduce the bug with a new option for flood_router26 that has been added to the thc-ipv6 toolkit v2.1.
| # ./flood_router26 -A eth0

  I tried this, it takes quite a while for other hosts to receive the 
generated traffic. On the receiving hosts kernel logs

==
...
...kernel: Neighbour table overflow.
==

no log message from ipv6_create_tempaddr() routine. 


| I've applied your patch to 3.5.7 and unless I've done something wrong, it doesn't seem to work. Actually I can't
| get any temporary address assignment with it. This is what I get upon booting with your patch:

  Ah, very sorry, I missed to say: ift = ipv6_add_addr(...) : in my last 
patch. It remains NULL all the time. Please try this fixed version

===
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 420e563..0aaaa63 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1046,12 +1046,19 @@ retry:
 	if (ifp->flags & IFA_F_OPTIMISTIC)
 		addr_flags |= IFA_F_OPTIMISTIC;
 
-	ift = !max_addresses ||
-	      ipv6_count_addresses(idev) < max_addresses ?
-		ipv6_add_addr(idev, &addr, tmp_plen,
-			      ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
-			      addr_flags) : NULL;
-	if (!ift || IS_ERR(ift)) {
+    ift = NULL;
+    if (!max_addresses || ipv6_count_addresses(idev) < max_addresses)
+        ift = ipv6_add_addr(idev, &addr, tmp_plen,
+                        ipv6_addr_type(&addr) & IPV6_ADDR_SCOPE_MASK,
+                        addr_flags);
+    if (!ift) {
+        in6_ifa_put(ifp);
+        in6_dev_put(idev);
+        pr_info("%s: ipv6 temporary address upper limit reached\n", __func__);
+        ret = -1;
+        goto out;
+    }
+    else if (IS_ERR(ift)) {
 		in6_ifa_put(ifp);
 		in6_dev_put(idev);
 		pr_info("%s: retry temporary address regeneration\n", __func__);
===


Thanks so much.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB  C939 D048 7860 3655 602B

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ