diff options
author | Duan Jiong <duanj.fnst@cn.fujitsu.com> | 2013-09-04 19:44:21 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-09-05 12:44:31 -0400 |
commit | b55b76b22144ab97cefcb3862bab61f088adf411 (patch) | |
tree | 653c9c8e67466faf48321d35ced7c9dc95f651fd /net/ipv6/ah6.c | |
parent | 60cad4e67bd6ff400e7ea61fe762b3042b12ae9d (diff) | |
download | op-kernel-dev-b55b76b22144ab97cefcb3862bab61f088adf411.zip op-kernel-dev-b55b76b22144ab97cefcb3862bab61f088adf411.tar.gz |
ipv6:introduce function to find route for redirect
RFC 4861 says that the IP source address of the Redirect is the
same as the current first-hop router for the specified ICMP
Destination Address, so the gateway should be taken into
consideration when we find the route for redirect.
There was once a check in commit
a6279458c534d01ccc39498aba61c93083ee0372 ("NDISC: Search over
all possible rules on receipt of redirect.") and the check
went away in commit b94f1c0904da9b8bf031667afc48080ba7c3e8c9
("ipv6: Use icmpv6_notify() to propagate redirect, instead of
rt6_redirect()").
The bug is only "exploitable" on layer-2 because the source
address of the redirect is checked to be a valid link-local
address but it makes spoofing a lot easier in the same L2
domain nonetheless.
Thanks very much for Hannes's help.
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ah6.c')
-rw-r--r-- | net/ipv6/ah6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index bb02e17..73784c3 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -628,7 +628,7 @@ static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, return; if (type == NDISC_REDIRECT) - ip6_redirect(skb, net, 0, 0); + ip6_redirect(skb, net, skb->dev->ifindex, 0); else ip6_update_pmtu(skb, net, info, 0, 0); xfrm_state_put(x); |