[Midnightbsd-cvs] src: /src: IPv6 Neighbor Discovery Protocol routing vulnerability
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Oct 2 18:31:54 EDT 2008
Log Message:
-----------
IPv6 Neighbor Discovery Protocol routing vulnerability
Tags:
----
RELENG_0_2
Modified Files:
--------------
src:
UPDATING (r1.38.2.9 -> r1.38.2.10)
src/sys/conf:
newvers.sh (r1.3.2.4 -> r1.3.2.5)
src/sys/netinet6:
in6.h (r1.3 -> r1.3.2.1)
in6_proto.c (r1.2 -> r1.2.2.1)
nd6.h (r1.1.1.2 -> r1.1.1.2.4.1)
nd6_nbr.c (r1.1.1.2 -> r1.1.1.2.4.1)
src/sys/sys:
param.h (r1.8.2.4 -> r1.8.2.5)
Index: UPDATING
===================================================================
RCS file: /home/cvs/src/UPDATING,v
retrieving revision 1.38.2.9
retrieving revision 1.38.2.10
diff -L UPDATING -L UPDATING -u -r1.38.2.9 -r1.38.2.10
--- UPDATING
+++ UPDATING
@@ -3,7 +3,23 @@
Items affecting the mports and packages system can be found in
/usr/mports/UPDATING.
+20081002:
+ MidnightBSD 0.2.1-RELEASE-p2
+
+ IPv6 Neighbor Discovery Protocol routing vulnerability
+
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
+ http://www.kb.cert.org/vuls/id/472363
+
+ This fix causes IPv6 Neighbor Discovery Neighbor Solicitation
+ messages to be ignored from non-neighbors.
+
+ This can be re-enabled, if needed, by setting the newly added
+ net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to 1.
+
20080929:
+ MidnightBSD 0.2.1-RELEASE-p1
+
Fix a defect in ftpd. The command buffer was split which allowed
attackers to send arbritrary commands over the network.
Index: newvers.sh
===================================================================
RCS file: /home/cvs/src/sys/conf/newvers.sh,v
retrieving revision 1.3.2.4
retrieving revision 1.3.2.5
diff -L sys/conf/newvers.sh -L sys/conf/newvers.sh -u -r1.3.2.4 -r1.3.2.5
--- sys/conf/newvers.sh
+++ sys/conf/newvers.sh
@@ -33,7 +33,7 @@
TYPE="MidnightBSD"
REVISION="0.2.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Index: in6_proto.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.2
retrieving revision 1.2.2.1
diff -L sys/netinet6/in6_proto.c -L sys/netinet6/in6_proto.c -u -r1.2 -r1.2.2.1
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -352,6 +352,7 @@
#ifndef IPV6_SENDREDIRECTS
#define IPV6_SENDREDIRECTS 1
#endif
+int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
int ip6_forwarding = IPV6FORWARDING; /* act as router? */
int ip6_sendredirects = IPV6_SENDREDIRECTS;
@@ -549,3 +550,6 @@
nd6_maxnudhint, CTLFLAG_RW, &nd6_maxnudhint, 0, "");
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
nd6_debug, CTLFLAG_RW, &nd6_debug, 0, "");
+SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
+ nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
+ "Accept 'on-link' nd6 NS in compliance with RFC 4861.");
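Review bot: The OID number used for the new `_net_inet6_icmp6` entry, `ICMPV6CTL_ND6_ONLINKNSRFC4861`, is defined in the in6.h hunk among the IPV6CTL_ constants and bumps `IPV6CTL_MAXID` to 48, although the sysctl is registered in the icmp6 subtree rather than the ip6 one. If icmp6.h (not part of this diff) carries its own ICMPV6CTL_MAXID and an ICMPV6CTL_NAMES table, as KAME-derived headers usually do, number 47 would fall outside that table, so anything that walks the icmp6 MIB by number would not know the knob, while IPV6CTL_MAXID now claims a slot 47 that no IPV6CTL_ name occupies. Defining the constant next to the other ICMPV6CTL_ values and bumping ICMPV6CTL_MAXID there would keep the numbering consistent with the subtree the entry lives in; this in6_proto.c hunk itself would not need to change.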
Index: in6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6.h,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -L sys/netinet6/in6.h -L sys/netinet6/in6.h -u -r1.3 -r1.3.2.1
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -597,7 +597,8 @@
/* to define items, should talk with KAME guys first, for *BSD compatibility */
#define IPV6CTL_STEALTH 45
#define IPV6CTL_RTHDR0_ALLOWED 46
-#define IPV6CTL_MAXID 47
+#define ICMPV6CTL_ND6_ONLINKNSRFC4861 47
+#define IPV6CTL_MAXID 48
#endif /* __BSD_VISIBLE */
/*
Index: nd6_nbr.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.4.1
diff -L sys/netinet6/nd6_nbr.c -L sys/netinet6/nd6_nbr.c -u -r1.1.1.2 -r1.1.1.2.4.1
--- sys/netinet6/nd6_nbr.c
+++ sys/netinet6/nd6_nbr.c
@@ -146,6 +146,24 @@
"(wrong ip6 dst)\n"));
goto bad;
}
+ } else if (!nd6_onlink_ns_rfc4861) {
+ struct sockaddr_in6 src_sa6;
+
+ /*
+ * According to recent IETF discussions, it is not a good idea
+ * to accept a NS from an address which would not be deemed
+ * to be a neighbor otherwise. This point is expected to be
+ * clarified in future revisions of the specification.
+ */
+ bzero(&src_sa6, sizeof(src_sa6));
+ src_sa6.sin6_family = AF_INET6;
+ src_sa6.sin6_len = sizeof(src_sa6);
+ src_sa6.sin6_addr = saddr6;
+ if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+ nd6log((LOG_INFO, "nd6_ns_input: "
+ "NS packet from non-neighbor\n"));
+ goto bad;
+ }
}
if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
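Review bot: The block comment in the new non-neighbor branch explains the IETF motivation but does not say which knob restores the previous behaviour or which advisory the check addresses, so a maintainer reading nd6_ns_input later has to dig that out of UPDATING; I would extend it with `* Controlled by net.inet6.icmp6.nd6_onlink_ns_rfc4861 (default 0: drop);` and `* see CVE-2008-2476.` The nd6log message `"NS packet from non-neighbor\n"` records the drop without the offending source address, which makes the entry hard to act on when triaging; if the other nd6log calls in this file format addresses with ip6_sprintf, doing the same here with saddr6 would be consistent and more useful. nd6_ns_input begins and ends outside this hunk.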
Index: nd6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6.h,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.4.1
diff -L sys/netinet6/nd6.h -L sys/netinet6/nd6.h -u -r1.1.1.2 -r1.1.1.2.4.1
--- sys/netinet6/nd6.h
+++ sys/netinet6/nd6.h
@@ -339,6 +339,7 @@
extern struct nd_drhead nd_defrouter;
extern struct nd_prhead nd_prefix;
extern int nd6_debug;
+extern int nd6_onlink_ns_rfc4861;
#define nd6log(x) do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0)
Index: param.h
===================================================================
RCS file: /home/cvs/src/sys/sys/param.h,v
retrieving revision 1.8.2.4
retrieving revision 1.8.2.5
diff -L sys/sys/param.h -L sys/sys/param.h -u -r1.8.2.4 -r1.8.2.5
--- sys/sys/param.h
+++ sys/sys/param.h
@@ -61,7 +61,7 @@
#define __FreeBSD_version 601000 /* Master, propagated to newvers */
#undef __MidnightBSD_version
-#define __MidnightBSD_version 002006
+#define __MidnightBSD_version 002007
#ifndef LOCORE
#include <sys/types.h>