[Midnightbsd-cvs] src: /src: IPv6 Neighbor Discovery Protocol routing vulnerability

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Oct 2 18:31:54 EDT 2008 

Log Message:
-----------
  IPv6 Neighbor Discovery Protocol routing vulnerability

Tags:
----
RELENG_0_2

Modified Files:
--------------
    src:
        UPDATING (r1.38.2.9 -> r1.38.2.10)
    src/sys/conf:
        newvers.sh (r1.3.2.4 -> r1.3.2.5)
    src/sys/netinet6:
        in6.h (r1.3 -> r1.3.2.1)
        in6_proto.c (r1.2 -> r1.2.2.1)
        nd6.h (r1.1.1.2 -> r1.1.1.2.4.1)
        nd6_nbr.c (r1.1.1.2 -> r1.1.1.2.4.1)
    src/sys/sys:
        param.h (r1.8.2.4 -> r1.8.2.5)

-------------- next part --------------
Index: UPDATING
===================================================================
RCS file: /home/cvs/src/UPDATING,v
retrieving revision 1.38.2.9
retrieving revision 1.38.2.10
diff -L UPDATING -L UPDATING -u -r1.38.2.9 -r1.38.2.10
--- UPDATING
+++ UPDATING
@@ -3,7 +3,23 @@
 Items affecting the mports and packages system can be found in
 /usr/mports/UPDATING. 
 
+20081002:
+	MidnightBSD 0.2.1-RELEASE-p2
+
+	IPv6 Neighbor Discovery Protocol routing vulnerability
+
+	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
+	http://www.kb.cert.org/vuls/id/472363
+
+	This fix causes IPv6 Neighbor Discovery Neighbor Solicitation 
+	messages to be ignored from non-neighbors.
+
+	This can be re-enabled, if needed, by setting the newly added
+	net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to 1.
+
 20080929:
+	MidnightBSD 0.2.1-RELEASE-p1
+
 	Fix a defect in ftpd.  The command buffer was split which allowed
 	attackers to send arbritrary commands over the network.
 
Index: newvers.sh
===================================================================
RCS file: /home/cvs/src/sys/conf/newvers.sh,v
retrieving revision 1.3.2.4
retrieving revision 1.3.2.5
diff -L sys/conf/newvers.sh -L sys/conf/newvers.sh -u -r1.3.2.4 -r1.3.2.5
--- sys/conf/newvers.sh
+++ sys/conf/newvers.sh
@@ -33,7 +33,7 @@
 
 TYPE="MidnightBSD"
 REVISION="0.2.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
Index: in6_proto.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.2
retrieving revision 1.2.2.1
diff -L sys/netinet6/in6_proto.c -L sys/netinet6/in6_proto.c -u -r1.2 -r1.2.2.1
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -352,6 +352,7 @@
 #ifndef	IPV6_SENDREDIRECTS
 #define	IPV6_SENDREDIRECTS	1
 #endif
+int	nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
 
 int	ip6_forwarding = IPV6FORWARDING;	/* act as router? */
 int	ip6_sendredirects = IPV6_SENDREDIRECTS;
@@ -549,3 +550,6 @@
 	nd6_maxnudhint, CTLFLAG_RW,	&nd6_maxnudhint, 0, "");
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
 	nd6_debug, CTLFLAG_RW,	&nd6_debug,		0, "");
+SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
+	nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
+	"Accept 'on-link' nd6 NS in compliance with RFC 4861.");
Index: in6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6.h,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -L sys/netinet6/in6.h -L sys/netinet6/in6.h -u -r1.3 -r1.3.2.1
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -597,7 +597,8 @@
 /* to define items, should talk with KAME guys first, for *BSD compatibility */
 #define IPV6CTL_STEALTH		45
 #define IPV6CTL_RTHDR0_ALLOWED  46
-#define IPV6CTL_MAXID		47
+#define	ICMPV6CTL_ND6_ONLINKNSRFC4861	47
+#define IPV6CTL_MAXID		48
 #endif /* __BSD_VISIBLE */
 
 /*
Index: nd6_nbr.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.4.1
diff -L sys/netinet6/nd6_nbr.c -L sys/netinet6/nd6_nbr.c -u -r1.1.1.2 -r1.1.1.2.4.1
--- sys/netinet6/nd6_nbr.c
+++ sys/netinet6/nd6_nbr.c
@@ -146,6 +146,24 @@
 			    "(wrong ip6 dst)\n"));
 			goto bad;
 		}
+	} else if (!nd6_onlink_ns_rfc4861) {
+		struct sockaddr_in6 src_sa6;
+
+		/*
+		 * According to recent IETF discussions, it is not a good idea
+		 * to accept a NS from an address which would not be deemed
+		 * to be a neighbor otherwise.  This point is expected to be
+		 * clarified in future revisions of the specification.
+		 */
+		bzero(&src_sa6, sizeof(src_sa6));
+		src_sa6.sin6_family = AF_INET6;
+		src_sa6.sin6_len = sizeof(src_sa6);
+		src_sa6.sin6_addr = saddr6;
+		if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+			nd6log((LOG_INFO, "nd6_ns_input: "
+				"NS packet from non-neighbor\n"));
+			goto bad;
+		}
 	}
 
 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
Index: nd6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6.h,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.4.1
diff -L sys/netinet6/nd6.h -L sys/netinet6/nd6.h -u -r1.1.1.2 -r1.1.1.2.4.1
--- sys/netinet6/nd6.h
+++ sys/netinet6/nd6.h
@@ -339,6 +339,7 @@
 extern struct nd_drhead nd_defrouter;
 extern struct nd_prhead nd_prefix;
 extern int nd6_debug;
+extern int nd6_onlink_ns_rfc4861;
 
 #define nd6log(x)	do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0)
 
Index: param.h
===================================================================
RCS file: /home/cvs/src/sys/sys/param.h,v
retrieving revision 1.8.2.4
retrieving revision 1.8.2.5
diff -L sys/sys/param.h -L sys/sys/param.h -u -r1.8.2.4 -r1.8.2.5
--- sys/sys/param.h
+++ sys/sys/param.h
@@ -61,7 +61,7 @@
 #define __FreeBSD_version 601000	/* Master, propagated to newvers */
 
 #undef __MidnightBSD_version
-#define __MidnightBSD_version	002006
+#define __MidnightBSD_version	002007
 
 #ifndef LOCORE
 #include <sys/types.h>

More information about the Midnightbsd-cvs mailing list