[Midnightbsd-cvs] src: /src: IPv6 Neighbor Discovery Protocol routing vulnerability

raven at midnightbsd.org raven at midnightbsd.org
Thu Oct 2 22:30:33 EDT 2008


Log Message:
-----------
IPv6 Neighbor Discovery Protocol routing vulnerability

Tags:
----
RELENG_0_1

Modified Files:
--------------
    src:
        UPDATING (r1.20.2.9 -> r1.20.2.10)
    src/sys/netinet6:
        in6.h (r1.2.2.1 -> r1.2.2.2)
        in6_proto.c (r1.1.1.1.2.1 -> r1.1.1.1.2.2)
        nd6.h (r1.1.1.2 -> r1.1.1.2.2.1)
        nd6_nbr.c (r1.1.1.2 -> r1.1.1.2.2.1)
    src/sys/sys:
        param.h (r1.5.2.6 -> r1.5.2.7)

-------------- next part --------------
Index: UPDATING
===================================================================
RCS file: /home/cvs/src/UPDATING,v
retrieving revision 1.20.2.9
retrieving revision 1.20.2.10
diff -L UPDATING -L UPDATING -u -r1.20.2.9 -r1.20.2.10
--- UPDATING
+++ UPDATING
@@ -3,6 +3,9 @@
 Items affecting the mports and packages system can be found in
 /usr/mports/UPDATING. 
 
+20081002:
+	IPv6 Neighbor Discovery Protocol routing vulnerability
+
 20080929:
 	Fix an issue with ftpd's command buffer.
 
Index: in6_proto.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.1.1.1.2.1
retrieving revision 1.1.1.1.2.2
diff -L sys/netinet6/in6_proto.c -L sys/netinet6/in6_proto.c -u -r1.1.1.1.2.1 -r1.1.1.1.2.2
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -352,6 +352,7 @@
 #ifndef	IPV6_SENDREDIRECTS
 #define	IPV6_SENDREDIRECTS	1
 #endif
+int	nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
 
 int	ip6_forwarding = IPV6FORWARDING;	/* act as router? */
 int	ip6_sendredirects = IPV6_SENDREDIRECTS;
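Review bot: The comment on `nd6_onlink_ns_rfc4861` does not say which value is the hardened one, so a reader cannot tell that a non-zero setting switches off the neighbor check this commit adds in nd6_nbr.c. I would spell it out, e.g. `/* 0 (default): drop NS whose source is not already considered a neighbor; non-zero: accept them as RFC 4861 allows */`. The sysctl description in the second hunk of this file has the same gap; wording such as `"Accept NS from non-neighbor sources as RFC 4861 allows (0 = drop, default)."` would put the security trade-off where `sysctl -d` shows it.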
@@ -549,3 +550,6 @@
 	nd6_maxnudhint, CTLFLAG_RW,	&nd6_maxnudhint, 0, "");
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
 	nd6_debug, CTLFLAG_RW,	&nd6_debug,		0, "");
+SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
+	nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
+	"Accept 'on-link' nd6 NS in compliance with RFC 4861.");
Index: in6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6.h,v
retrieving revision 1.2.2.1
retrieving revision 1.2.2.2
diff -L sys/netinet6/in6.h -L sys/netinet6/in6.h -u -r1.2.2.1 -r1.2.2.2
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -597,7 +597,8 @@
 /* to define items, should talk with KAME guys first, for *BSD compatibility */
 #define IPV6CTL_STEALTH		45
 #define IPV6CTL_RTHDR0_ALLOWED  46
-#define IPV6CTL_MAXID		47
+#define	ICMPV6CTL_ND6_ONLINKNSRFC4861	47
+#define IPV6CTL_MAXID		48
 #endif /* __BSD_VISIBLE */
 
 /*
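Review bot: `ICMPV6CTL_ND6_ONLINKNSRFC4861` takes the value 47 from the `IPV6CTL_*` number space and `IPV6CTL_MAXID` is raised to 48, yet in6_proto.c registers the knob under `_net_inet6_icmp6` rather than the ip6 node. Two things are not visible from this hunk and are worth checking: that 47 does not collide with an existing `ICMPV6CTL_*` id in the icmp6 node, and that any name table sized by `IPV6CTL_MAXID` does not now carry an unnamed slot. At minimum a comment such as `/* 47 is used by a net.inet6.icmp6 knob, not an ip6 one */` next to the define would explain why an ICMPv6 id sits in this list.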
Index: nd6_nbr.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.2.1
diff -L sys/netinet6/nd6_nbr.c -L sys/netinet6/nd6_nbr.c -u -r1.1.1.2 -r1.1.1.2.2.1
--- sys/netinet6/nd6_nbr.c
+++ sys/netinet6/nd6_nbr.c
@@ -146,6 +146,24 @@
 			    "(wrong ip6 dst)\n"));
 			goto bad;
 		}
+	} else if (!nd6_onlink_ns_rfc4861) {
+		struct sockaddr_in6 src_sa6;
+
+		/*
+		 * According to recent IETF discussions, it is not a good idea
+		 * to accept a NS from an address which would not be deemed
+		 * to be a neighbor otherwise.  This point is expected to be
+		 * clarified in future revisions of the specification.
+		 */
+		bzero(&src_sa6, sizeof(src_sa6));
+		src_sa6.sin6_family = AF_INET6;
+		src_sa6.sin6_len = sizeof(src_sa6);
+		src_sa6.sin6_addr = saddr6;
+		if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+			nd6log((LOG_INFO, "nd6_ns_input: "
+				"NS packet from non-neighbor\n"));
+			goto bad;
+		}
 	}
 
 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
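Review bot: The rejection of an NS from a non-neighbor source is reported only through `nd6log`, which the nd6.h context in this commit shows is gated on `nd6_debug`, and the message carries no address, so on a default system rejected solicitations leave nothing an operator can attribute to a sender. I would include the source in the message, e.g. `"NS packet from non-neighbor %s\n", ip6_sprintf(&saddr6)` (assuming the one-argument formatter is what this branch provides), and confirm that the `bad` label, which lies outside the hunk, increments a counter. The block comment could also name the override, e.g. `Set net.inet6.icmp6.nd6_onlink_ns_rfc4861 to accept such NS again.` The enclosing `if` and the rest of nd6_ns_input start outside this hunk.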
Index: nd6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6.h,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.2.1
diff -L sys/netinet6/nd6.h -L sys/netinet6/nd6.h -u -r1.1.1.2 -r1.1.1.2.2.1
--- sys/netinet6/nd6.h
+++ sys/netinet6/nd6.h
@@ -339,6 +339,7 @@
 extern struct nd_drhead nd_defrouter;
 extern struct nd_prhead nd_prefix;
 extern int nd6_debug;
+extern int nd6_onlink_ns_rfc4861;
 
 #define nd6log(x)	do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0)
 
Index: param.h
===================================================================
RCS file: /home/cvs/src/sys/sys/param.h,v
retrieving revision 1.5.2.6
retrieving revision 1.5.2.7
diff -L sys/sys/param.h -L sys/sys/param.h -u -r1.5.2.6 -r1.5.2.7
--- sys/sys/param.h
+++ sys/sys/param.h
@@ -60,7 +60,7 @@
 #define __FreeBSD_version 601000	/* Master, propagated to newvers */
 
 #undef __MidnightBSD_version
-#define __MidnightBSD_version	001012
+#define __MidnightBSD_version	001013
 
 #ifndef LOCORE
 #include <sys/types.h>

