oss-sec mailing list archives
Re: Linux kernel handling of IPv6 temporary addresses
From: P J P <ppandit () redhat com>
Date: Wed, 16 Jan 2013 15:03:02 +0530 (IST)
Hello,

+-- On Wed, 14 Nov 2012, Greg KH wrote --+
| > [183.793393] ipv6_create_tempaddr(): retry temporary address
| > regeneration [183.793405] ipv6_create_tempaddr(): retry temporary
| > address regeneration [183.793411] ipv6_create_tempaddr(): retry
| > temporary address regeneration
| >
| > After 'regen_max_retry' is reached the kernel completely disables
| > temporary address generation for that interface.
| >
| > [183.793413] ipv6_create_tempaddr(): regeneration time exceeded -
| > disabled temporary address support

I was trying to reproduce this with the `thc-ipv6-2.0' toolkit, by sending ICMPv6 RA requests. Kernel logs following message, not the above ones

...kernel: ICMPv6 RA: ndisc_router_discovery() failed to add default route

| > A malicious LAN user can send a limited amount of RA prefixes and thus
| > disable IPv6 temporary address creation for any Linux host.

is there a RA parameter I need to pass to reproduce above message from ipv6_create_tempaddr() ?

| >
| > The kernel should at least differentiate between the two cases of
| > reaching max_addresses and being unable to create new addresses, due to
| > DAD conflicts for example.

Does this patch seem right?

=== diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 420e563..742d66a 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c 
@@ -1046,12 +1046,19 @@ retry: if (ifp->flags & IFA_F_OPTIMISTIC) addr_flags |= IFA_F_OPTIMISTIC; - ift = !max_addresses || - ipv6_count_addresses(idev) < max_addresses ? - ipv6_add_addr(idev, &addr, tmp_plen, - ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, - addr_flags) : NULL; - if (!ift || IS_ERR(ift)) { + ift = NULL; + if (!max_addresses || ipv6_count_addresses(idev) < max_addresses) + ipv6_add_addr(idev, &addr, tmp_plen, + ipv6_addr_type(&addr) & IPV6_ADDR_SCOPE_MASK, + addr_flags); + if (!ift) { + in6_ifa_put(ifp); + in6_dev_put(idev); + pr_info("%s: ipv6 temporary address upper limit reached\n", __func__); + ret = -1; + goto out; + } + else if (IS_ERR(ift)) { in6_ifa_put(ifp); in6_dev_put(idev); pr_info("%s: retry temporary address regeneration\n", __func__); === Thank you. -- Prasad J Pandit / Red Hat Security Response Team DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
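Review bot: In the added lines after `ift = NULL;`, the return value of ipv6_add_addr() is never assigned to ift, so ift is still NULL when `if (!ift)` is evaluated. As posted, every pass through this code takes the "ipv6 temporary address upper limit reached" branch and exits with ret = -1, the `else if (IS_ERR(ift))` retry branch is unreachable, and whatever ipv6_add_addr() returned is discarded, even when the address was created successfully. The call should read `ift = ipv6_add_addr(idev, &addr, tmp_plen, ...);`. Once that is fixed, `!ift` still only tells the two cases apart if ipv6_add_addr() never returns NULL itself; testing the max_addresses condition explicitly for the limit message, instead of inferring it from a NULL ift, would make the distinction the patch is after unambiguous. Style: the closing brace and `else if (IS_ERR(ift)) {` belong on the same line.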