author | Colin Percival <cperciva@FreeBSD.org> | 2007-04-26 23:42:23 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2007-04-26 23:42:23 +0000 |
commit | 0f2698e88d0b1c956d6fc7fb3cd8d52fc045bbc5 (patch) | |
tree | 5ebe282a1b260858901f216671b52214c39cc09c | |
parent | e53a4bc781d94d2149c1e5d087d1cc64c06690d7 (diff) | |
Disable processing of IPv6 type 0 Routing Headers. This behaviour
can be changed via the (newly added) net.inet6.ip6.rthdr0_allowed
sysctl.
Security: FreeBSD-SA-07:03.ipv6
Approved by: so (cperciva)
Notes
Notes:
svn path=/releng/6.1/; revision=169063
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/netinet6/in6.h | 3 | ||||
-rw-r--r-- | sys/netinet6/in6_proto.c | 5 | ||||
-rw-r--r-- | sys/netinet6/route6.c | 4 |
5 files changed, 17 insertions, 2 deletions
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20070426: p16 FreeBSD-SA-07:03.ipv6 + Disable processing of IPv6 type 0 Routing Headers. This behaviour + can be changed via the (newly added) net.inet6.ip6.rthdr0_allowed + sysctl. + 20070228: p15 FreeBSD-EN-07:04.zoneinfo Update zoneinfo files for change in Daylight Savings Time that begins in 2007. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 9d0c2d5c7dea..7020e2cb803a 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.1" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index d5c0b2363407..9df197504d82 100644 --- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h @@ -596,7 +596,8 @@ struct ip6_mtuinfo { /* New entries should be added here from current IPV6CTL_MAXID value. */ /* to define items, should talk with KAME guys first, for *BSD compatibility */ #define IPV6CTL_STEALTH 45 -#define IPV6CTL_MAXID 46 +#define IPV6CTL_RTHDR0_ALLOWED 46 +#define IPV6CTL_MAXID 47 #endif /* __BSD_VISIBLE */ /* diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index 83691bae18bd..ddccdae16ce3 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -376,6 +376,8 @@ time_t ip6_log_time = (time_t)0L; #ifdef IPSTEALTH int ip6stealth = 0; #endif +int ip6_rthdr0_allowed = 0; /* Disallow use of routing header 0 */ + /* by default. */ /* icmp6 */ /* @@ -518,6 +520,9 @@ SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MCAST_PMTU, SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_RW, &ip6stealth, 0, ""); #endif +SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTHDR0_ALLOWED, + rthdr0_allowed, CTLFLAG_RW, &ip6_rthdr0_allowed, 0, ""); + /* net.inet6.icmp6 */ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, 
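Review bot: The new SYSCTL_INT in in6_proto.c registers net.inet6.ip6.rthdr0_allowed with an empty description string, so an administrator inspecting the knob (e.g. `sysctl -d`) gets no hint that turning it on re-enables the behaviour this advisory disables. A one-line description makes the trade-off explicit at the point where it can be changed: `rthdr0_allowed, CTLFLAG_RW, &ip6_rthdr0_allowed, 0, "Process IPv6 type 0 routing headers (0 = drop them, the default)");`. The two-line comment on the variable definition is split across an added blank line (`+int ip6_rthdr0_allowed = 0; /* Disallow use of routing header 0 */` then `+ /* by default. */`); folding it into one comment or a `/* ... */` block above the definition reads more cleanly and keeps the default and its reason together.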
diff --git a/sys/netinet6/route6.c b/sys/netinet6/route6.c index c082e33a8104..ba8c26b12f60 100644 --- a/sys/netinet6/route6.c +++ b/sys/netinet6/route6.c @@ -49,6 +49,8 @@ #include <netinet/icmp6.h> +extern int ip6_rthdr0_allowed; + static int ip6_rthdr0 __P((struct mbuf *, struct ip6_hdr *, struct ip6_rthdr0 *)); @@ -88,6 +90,8 @@ route6_input(mp, offp, proto) switch (rh->ip6r_type) { case IPV6_RTHDR_TYPE_0: + if (!ip6_rthdr0_allowed) + return (IPPROTO_DONE); rhlen = (rh->ip6r_len + 1) << 3; #ifndef PULLDOWN_TEST /* |
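Review bot: In the `case IPV6_RTHDR_TYPE_0:` hunk of route6_input, the new early `return (IPPROTO_DONE);` hands the packet back without releasing it; IPPROTO_DONE conventionally tells ip6_input that the handler has consumed the mbuf, and the function's other IPPROTO_DONE paths (outside this hunk) appear to free it or pass it to icmp6_error, so this path would leak one mbuf per dropped packet, which is unfortunate for a check whose purpose is to discard hostile traffic. Assuming `m` is the mbuf local the rest of the function uses, the guard should free it first: `if (!ip6_rthdr0_allowed) { m_freem(m); return (IPPROTO_DONE); }`. It may also be worth counting the drop (ip6stat has counters for bad options, if that is the convention here) or treating the disabled type like an unknown routing type so that the sender gets the usual parameter-problem signal when segments remain; I cannot confirm the default branch's behaviour from the hunk alone. As a point of style, the bare `extern int ip6_rthdr0_allowed;` added to route6.c would be better declared once in the shared netinet6 header next to the other ip6_* tunables rather than re-declared at the use site. route6_input begins before this hunk and continues after it.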