1. 24 Oct, 2006 4 commits
    • Patrick McHardy's avatar
      [NETFILTER]: Fix ip6_tables extension header bypass bug · 6d381634
      Patrick McHardy authored
      
      
      As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
      to a fragmentation attack causing false negatives on extension header matches.
      
      When extension headers occur in the non-first fragment after the fragment
      header (possibly with an incorrect nexthdr value in the fragment header)
      a rule looking for this extension header will never match.
      
      Drop fragments that are at offset 0 and don't contain the final protocol
      header regardless of the ruleset, since this should not happen normally.
      Since all extension headers are before the protocol header this makes sure
      an extension header is either not present or in the first fragment, where
      we can properly parse it.
      
      With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d381634
    • Patrick McHardy's avatar
      [NETFILTER]: Fix ip6_tables protocol bypass bug · 51d8b1a6
      Patrick McHardy authored
      
      
      As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
      to a fragmentation attack causing false negatives on protocol matches.
      
      When the protocol header doesn't follow the fragment header immediately,
      the fragment header contains the protocol number of the next extension
      header. When the extension header and the protocol header are sent in
      a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
      match.
      
      Drop fragments that are at offset 0 and don't contain the final protocol
      header regardless of the ruleset, since this should not happen normally.
      
      With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51d8b1a6
    • Patrick McHardy's avatar
      [XFRM]: Fix xfrm_state accounting · 2fab22f2
      Patrick McHardy authored
      
      
      xfrm_state_num needs to be increased for XFRM_STATE_ACQ states created
      by xfrm_state_find() to prevent the counter from going negative when
      the state is destroyed.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fab22f2
    • Al Viro's avatar
      [IPV4] ipconfig: fix RARP ic_servaddr breakage · 82571026
      Al Viro authored
      
      
      memcpy 4 bytes to address of auto unsigned long variable followed
      by comparison with u32 is a bloody bad idea.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82571026
  2. 23 Oct, 2006 13 commits
  3. 22 Oct, 2006 21 commits
  4. 21 Oct, 2006 2 commits