Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754468AbcCBCGB (ORCPT ); Tue, 1 Mar 2016 21:06:01 -0500 Received: from mail333.us4.mandrillapp.com ([205.201.137.77]:42851 "EHLO mail333.us4.mandrillapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754394AbcCAXvV (ORCPT ); Tue, 1 Mar 2016 18:51:21 -0500 DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill; d=linuxfoundation.org; b=qL6nCJHPCFcRPgeCOUmEZW1d/dHl9AXwQiPrPbSy9VWHU/qx9NUHwzD2N4eWrtaomKml+aW6OrBp DwtORNrl3+WzgZg1+Bu6LKOGK+DX90pWChcWrcEesE7K9sAk/Jo9ob/Hkx8Fx2YctMe7NkJuLfYQ XrPErTh2Bh14Fz/75Fg=; From: Greg Kroah-Hartman Subject: [PATCH 3.14 036/130] ipv6: addrconf: validate new MTU before applying it X-Mailer: git-send-email 2.7.2 To: Cc: Greg Kroah-Hartman , , Marcelo Ricardo Leitner , Sabrina Dubroca , "David S. Miller" , "Charles (Chas) Williams" <3chas3@gmail.com> Message-Id: <20160301234501.023875504@linuxfoundation.org> In-Reply-To: <20160301234459.768886030@linuxfoundation.org> References: <20160301234459.768886030@linuxfoundation.org> X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30481620.0afb9bd3f0584412b728d0c307b72167 X-Mandrill-User: md_30481620 Date: Tue, 01 Mar 2016 23:51:02 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2135 Lines: 67 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Marcelo Leitner commit 77751427a1ff25b27d47a4c36b12c3c8667855ac upstream. Currently we don't check if the new MTU is valid or not and this allows one to configure a smaller than minimum allowed by RFCs or even bigger than interface own MTU, which is a problem as it may lead to packet drops. If you have a daemon like NetworkManager running, this may be exploited by remote attackers by forging RA packets with an invalid MTU, possibly leading to a DoS. (NetworkManager currently only validates for values too small, but not for too big ones.) The fix is just to make sure the new value is valid. That is, between IPV6_MIN_MTU and interface's MTU. Note that similar check is already performed at ndisc_router_discovery(), for when kernel itself parses the RA. Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller Cc: "Charles (Chas) Williams" <3chas3@gmail.com> Signed-off-by: Greg Kroah-Hartman --- net/ipv6/addrconf.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4793,6 +4793,21 @@ int addrconf_sysctl_forward(struct ctl_t return ret; } +static +int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + struct inet6_dev *idev = ctl->extra1; + int min_mtu = IPV6_MIN_MTU; + struct ctl_table lctl; + + lctl = *ctl; + lctl.extra1 = &min_mtu; + lctl.extra2 = idev ? &idev->dev->mtu : NULL; + + return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos); +} + static void dev_disable_change(struct inet6_dev *idev) { struct netdev_notifier_info info; @@ -4944,7 +4959,7 @@ static struct addrconf_sysctl_table .data = &ipv6_devconf.mtu6, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = addrconf_sysctl_mtu, }, { .procname = "accept_ra",