oss-sec mailing list archives

Re: Linux kernel handling of IPv6 temporary addresses

From: P J P <ppandit () redhat com>
Date: Wed, 16 Jan 2013 15:03:02 +0530 (IST)


  Hello,

+-- On Wed, 14 Nov 2012, Greg KH wrote --+
| > [183.793393] ipv6_create_tempaddr(): retry temporary address
| > regeneration [183.793405] ipv6_create_tempaddr(): retry temporary
| > address regeneration [183.793411] ipv6_create_tempaddr(): retry
| > temporary address regeneration
| > 
| > After 'regen_max_retry' is reached the kernel completely disables
| > temporary address generation for that interface.
| > 
| > [183.793413] ipv6_create_tempaddr(): regeneration time exceeded -
| > disabled temporary address support

  I was trying to reproduce this with the `thc-ipv6-2.0' toolkit, by sending 
ICMPv6 RA requests. Kernel logs following message, not the above ones

...kernel: ICMPv6 RA: ndisc_router_discovery() failed to add default route

| > A malicious LAN user can send a limited amount of RA prefixes and thus
| > disable IPv6 temporary address creation for any Linux host.

  is there a RA parameter I need to pass to reproduce above message from 
ipv6_create_tempaddr() ?

| > 
| > The kernel should at least differentiate between the two cases of
| > reaching max_addresses and being unable to create new addresses, due to
| > DAD conflicts for example.

  Does this patch seem right?

===
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 420e563..742d66a 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1046,12 +1046,19 @@ retry:
        if (ifp->flags & IFA_F_OPTIMISTIC)
                addr_flags |= IFA_F_OPTIMISTIC;
 
-       ift = !max_addresses ||
-             ipv6_count_addresses(idev) < max_addresses ?
-               ipv6_add_addr(idev, &addr, tmp_plen,
-                             ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
-                             addr_flags) : NULL;
-       if (!ift || IS_ERR(ift)) {
+    ift = NULL;
+    if (!max_addresses || ipv6_count_addresses(idev) < max_addresses)
+        ipv6_add_addr(idev, &addr, tmp_plen,
+                        ipv6_addr_type(&addr) & IPV6_ADDR_SCOPE_MASK,
+                        addr_flags);
+    if (!ift) {
+        in6_ifa_put(ifp);
+        in6_dev_put(idev);
+        pr_info("%s: ipv6 temporary address upper limit reached\n", __func__);
+        ret = -1;
+        goto out;
+    }
+    else if (IS_ERR(ift)) {
                in6_ifa_put(ifp);
                in6_dev_put(idev);
                pr_info("%s: retry temporary address regeneration\n", __func__);
===


Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB  C939 D048 7860 3655 602B

Current thread:

Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 16)
- <Possible follow-ups>
- Re: Linux kernel handling of IPv6 temporary addresses George Kargiotakis (Jan 16)
  - Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 16)
    - Re: Linux kernel handling of IPv6 temporary addresses George Kargiotakis (Jan 16)
    - Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 16)
    - Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 17)
    - Re: Linux kernel handling of IPv6 temporary addresses George Kargiotakis (Jan 17)
    - Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 17)
    - Re: Linux kernel handling of IPv6 temporary addresses George Kargiotakis (Jan 20)
    - Re: Linux kernel handling of IPv6 temporary addresses P J P (Jan 21)
- Re: Linux kernel handling of IPv6 temporary addresses Kurt Seifried (Feb 21)