git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Patrick McHardy <kaber@trash.net>
	Sun, 5 Nov 2006 08:04:23 +0000 (09:04 +0100)
committer	Adrian Bunk <bunk@stusta.de>
	Sun, 5 Nov 2006 08:04:23 +0000 (09:04 +0100)
commit	0ddfcc96928145d6a6425fdd26dad6abfe7f891d
tree	9fe3f2eb76d7d690fcde2fe000fa0557cda88de7	tree \| snapshot
parent	6ac62be885810e1f8390f0c3b9d3ee451d3d3f19	commit \| diff

[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>

net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_ah.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_dst.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_frag.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_hbh.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_rt.c		diff \| blob \| history