linux/net/ipv6/netfilter
Patrick McHardy 51d8b1a652 [NETFILTER]: Fix ip6_tables protocol bypass bug
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.

When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-24 16:14:04 -07:00
ip6_queue.c [NETFILTER]: make some netfilter globals __read_mostly 2006-09-22 15:19:58 -07:00
ip6_tables.c [NETFILTER]: Fix ip6_tables protocol bypass bug 2006-10-24 16:14:04 -07:00
ip6t_ah.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_eui64.c [IPV6]: Endian fix in net/ipv6/netfilter/ip6t_eui64.c:match(). 2006-05-16 15:24:41 -07:00
ip6t_frag.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_hbh.c [NETFILTER]: ip6_tables: consolidate dst and hbh matches 2006-09-22 14:55:37 -07:00
ip6t_hl.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ip6t_HL.c [NETFILTER]: ip6t_HL: remove write-only variable 2006-09-22 15:19:55 -07:00
ip6t_ipv6header.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_LOG.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_owner.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_REJECT.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6t_rt.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ip6table_filter.c [NETFILTER]: x_tables: remove unused argument to target functions 2006-09-22 14:55:33 -07:00
ip6table_mangle.c [NETFILTER]: ip6table_mangle: reroute when nfmark changes in NF_IP6_LOCAL_OUT 2006-09-22 15:19:51 -07:00
ip6table_raw.c [NETFILTER]: x_tables: remove unused argument to target functions 2006-09-22 14:55:33 -07:00
Kconfig [NETFILTER]: x_tables: unify IPv4/IPv6 multiport match 2006-04-01 02:22:54 -08:00
Makefile [NETFILTER]: ip6_tables: consolidate dst and hbh matches 2006-09-22 14:55:37 -07:00
nf_conntrack_l3proto_ipv6.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00
nf_conntrack_proto_icmpv6.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00
nf_conntrack_reasm.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00