authorColin Percival <cperciva@FreeBSD.org>2007-04-26 23:42:23 +0000
committerColin Percival <cperciva@FreeBSD.org>2007-04-26 23:42:23 +0000
commitf64f1bc808da2132080f9440a01098352c860dfb (patch)
treeaae30517a28c0c173e92423739727daf98857cb6
parent1872069d5fc7db3bf2335cfb43301ef3d98b0c31 (diff)
Disable processing of IPv6 type 0 Routing Headers. This behaviour
can be changed via the (newly added) net.inet6.ip6.rthdr0_allowed sysctl. Security: FreeBSD-SA-07:03.ipv6 Approved by: so (cperciva)
Notes
Notes: svn path=/releng/5.5/; revision=169063
-rw-r--r--UPDATING7
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netinet6/in6.h3
-rw-r--r--sys/netinet6/in6_proto.c5
-rw-r--r--sys/netinet6/route6.c4
5 files changed, 18 insertions, 3 deletions
diff --git a/UPDATING b/UPDATING
index 519b1e58e27f..86162ce54174 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,7 +8,12 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
-20070209 p11 FreeBSD-SA-07:02.bind
+20070426: p12 FreeBSD-SA-07:03.ipv6
+ Disable processing of IPv6 type 0 Routing Headers. This behaviour
+ can be changed via the (newly added) net.inet6.ip6.rthdr0_allowed
+ sysctl.
+
+20070209: p11 FreeBSD-SA-07:02.bind
Correct two remote denials of service in BIND involving DNSSEC and
recursive DNS queries respectively.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 80c900c5f58d..2c6df5fc2dd6 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.5"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h
index deba10fab232..594498026133 100644
--- a/sys/netinet6/in6.h
+++ b/sys/netinet6/in6.h
@@ -597,7 +597,8 @@ struct ip6_mtuinfo {
/* to define items, should talk with KAME guys first, for *BSD compatibility */
/* 42-44 is already used in KAME */
#define IPV6CTL_STEALTH 45
-#define IPV6CTL_MAXID 46
+#define IPV6CTL_RTHDR0_ALLOWED 46
+#define IPV6CTL_MAXID 47
#endif /* __BSD_VISIBLE */
/*
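Review bot: The new IPV6CTL_RTHDR0_ALLOWED id is added without any comment, and because the whole block sits under __BSD_VISIBLE these numbers are a userland-visible contract, so a reader should not have to chase the sysctl definition in in6_proto.c to learn what slot 46 means. I would annotate it: `#define IPV6CTL_RTHDR0_ALLOWED 46 /* accept IPv6 type 0 routing headers; 0 by default (FreeBSD-SA-07:03) */`. If this header also carries a name table indexed by these ids outside the hunk (an IPV6CTL_NAMES-style list, as some KAME-derived trees have), it needs a matching entry at slot 46 or the two fall out of sync; I cannot see that from here.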
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index 1dc69342c439..f5f97e25ac7c 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -314,6 +314,8 @@ time_t ip6_log_time = (time_t)0L;
#ifdef IPSTEALTH
int ip6stealth = 0;
#endif
+int ip6_rthdr0_allowed = 0; /* Disallow use of routing header 0 */
+ /* by default. */
/* icmp6 */
/*
@@ -452,6 +454,9 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXFRAGS,
SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_RW,
&ip6stealth, 0, "");
#endif
+SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTHDR0_ALLOWED,
+ rthdr0_allowed, CTLFLAG_RW, &ip6_rthdr0_allowed, 0, "");
+
/* net.inet6.icmp6 */
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT,
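Review bot: The new SYSCTL_INT registers net.inet6.ip6.rthdr0_allowed with an empty description string, so `sysctl -d` tells an operator nothing about a knob whose only purpose is to re-enable the behaviour the advisory turns off. The neighbouring entries in this file are empty too, so this matches local style, but a security switch is exactly where the one-liner earns its keep: replace `""` with `"Accept and process IPv6 type 0 routing headers (0 = drop; see FreeBSD-SA-07:03)"`. It is read-write at runtime, so a note in the description that changes take effect immediately would also spare a reboot question.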
diff --git a/sys/netinet6/route6.c b/sys/netinet6/route6.c
index aa2544035029..6a44a558f730 100644
--- a/sys/netinet6/route6.c
+++ b/sys/netinet6/route6.c
@@ -48,6 +48,8 @@
#include <netinet/icmp6.h>
+extern int ip6_rthdr0_allowed;
+
static int ip6_rthdr0 __P((struct mbuf *, struct ip6_hdr *,
struct ip6_rthdr0 *));
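Review bot: The new `extern int ip6_rthdr0_allowed;` is a private declaration in route6.c rather than one shared with the definition in in6_proto.c, so the compiler never checks the two against each other and any second consumer would have to repeat it. The other ip6_* tunables defined in in6_proto.c appear to be declared in netinet6/ip6_var.h (outside this hunk, so confirm); if so, declare this one there too and drop the local extern. Minor, and only worth doing if that header is indeed where the siblings live.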
@@ -87,6 +89,8 @@ route6_input(mp, offp, proto)
switch (rh->ip6r_type) {
case IPV6_RTHDR_TYPE_0:
+ if (!ip6_rthdr0_allowed)
+ return (IPPROTO_DONE);
rhlen = (rh->ip6r_len + 1) << 3;
#ifndef PULLDOWN_TEST
/*
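Review bot: The early return added at the top of the IPV6_RTHDR_TYPE_0 case hands IPPROTO_DONE back to the caller without releasing `m`, and nothing in the hunk consumes the mbuf first. In this protocol-switch convention IPPROTO_DONE normally means the input routine has taken ownership of the packet (the other IPPROTO_DONE returns in route6_input follow an icmp6_error() or m_freem(), which lie outside this hunk, so confirm against the full function), so as written every received RH0 packet would leak an mbuf — a remotely triggerable resource leak that the default-off setting makes reachable by anyone. I would make the drop explicit: `if (!ip6_rthdr0_allowed) { m_freem(m); return (IPPROTO_DONE); }`, and consider bumping the existing bad-options counter so operators can see the drops. Whether to answer with an ICMPv6 Parameter Problem instead of a silent drop is a policy choice, but the mbuf must be freed either way; route6_input's body begins before and continues after this hunk.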