Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 51d8b1a65291a6956b79374b6adbbadc2263bcf6
commit51d8b1a65291a6956b79374b6adbbadc2263bcf6[log] [tgz]
authorPatrick McHardy <kaber@trash.net>Tue Oct 24 16:14:04 2006 -0700
committerDavid S. Miller <davem@davemloft.net>Tue Oct 24 16:14:04 2006 -0700
treed6b8cbd6628c11d1c3e9c8c8e9ca048acf723a71
parent2fab22f2d3290ff7c602fe62f22e825c48e97a06 [diff]
[NETFILTER]: Fix ip6_tables protocol bypass bug

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.

When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: d6b8cbd6628c11d1c3e9c8c8e9ca048acf723a71
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. fs/
  7. include/
  8. init/
  9. ipc/
  10. kernel/
  11. lib/
  12. mm/
  13. net/
  14. scripts/
  15. security/
  16. sound/
  17. usr/
  18. .gitignore
  19. COPYING
  20. CREDITS
  21. Kbuild
  22. MAINTAINERS
  23. Makefile
  24. README
  25. REPORTING-BUGS