ipv6: drop non loopback packets claiming to originate from ::1
We lack a saddr check for ::1. This causes security issues e.g. with acls permitting connections from ::1 because of assumption that these originate from local machine. Assuming a source address of ::1 is local seems reasonable. RFC4291 doesn't allow such a source address either, so drop such packets. Reported-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Florian Westphal
David S. Miller
parent
71947f0f91
commit
0aa8c13eb5
@ -122,11 +122,14 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
|
|||||||
max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs));
|
max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs));
|
||||||
/*
|
/*
|
||||||
* RFC4291 2.5.3
|
* RFC4291 2.5.3
|
||||||
|
* The loopback address must not be used as the source address in IPv6
|
||||||
|
* packets that are sent outside of a single node. [..]
|
||||||
* A packet received on an interface with a destination address
|
* A packet received on an interface with a destination address
|
||||||
* of loopback must be dropped.
|
* of loopback must be dropped.
|
||||||
*/
|
*/
|
||||||
if (!(dev->flags & IFF_LOOPBACK) &&
|
if ((ipv6_addr_loopback(&hdr->saddr) ||
|
||||||
ipv6_addr_loopback(&hdr->daddr))
|
ipv6_addr_loopback(&hdr->daddr)) &&
|
||||||
|
!(dev->flags & IFF_LOOPBACK))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
/* RFC4291 Errata ID: 3480
|
/* RFC4291 Errata ID: 3480
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user