Ensure icmp redirects are always ignored
A side effect of disabling the ip forwarding sysconf on all
interfaces is to re-enable the ICMP redirects sysconf on all
interfaces.
This patch ensures that ICMP redirects stay turned off when disabling
ip forwarding in TetherController.
Accepting ICMP redirects can allow an attacker to inject malicious
routes into a host and it is therefore desirable to always reject them.
Bug: 62387578
Bug: 77541904
Test: manual
Change-Id: I1f9a950eebf2f65d047f33145feee40d3ab34bd9
diff --git a/server/InterfaceController.cpp b/server/InterfaceController.cpp
index 743ad99..7258ee6 100644
--- a/server/InterfaceController.cpp
+++ b/server/InterfaceController.cpp
@@ -54,10 +54,10 @@
namespace {
+const char ipv4_proc_path[] = "/proc/sys/net/ipv4/conf";
const char ipv6_proc_path[] = "/proc/sys/net/ipv6/conf";
const char ipv4_neigh_conf_dir[] = "/proc/sys/net/ipv4/neigh";
-
const char ipv6_neigh_conf_dir[] = "/proc/sys/net/ipv6/neigh";
const char proc_net_path[] = "/proc/sys/net";
@@ -245,8 +245,11 @@
setBaseReachableTimeMs(15 * 1000);
// When sending traffic via a given interface use only addresses configured
- // on that interface as possible source addresses.
+ // on that interface as possible source addresses.
setIPv6UseOutgoingInterfaceAddrsOnly("1");
+
+ // Ensure that ICMP redirects are rejected globally on all interfaces.
+ disableIcmpRedirects();
}
int InterfaceController::setEnableIPv6(const char *interface, const int on) {
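Review bot: The status returned by `disableIcmpRedirects()` is dropped at the new call site, so a failed sysctl write leaves the device accepting redirects with nothing in the log to show that the hardening did not take effect. The neighbouring calls in this function discard their results too, but this one is explicitly a security control per the commit message, so it is worth at least `if (disableIcmpRedirects()) ALOGE("Failed to disable ICMP redirects");` (whatever logging macro this file already uses). The enclosing function starts outside the hunk, so I cannot tell whether it can propagate an error to its own caller; if it can, returning the status would be better than logging.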
@@ -358,6 +361,15 @@
return ifc_del_address(interface, addrString, prefixLength);
}
+int InterfaceController::disableIcmpRedirects() {
+ int rv = 0;
+ rv |= writeValueToPath(ipv4_proc_path, "all", "accept_redirects", "0");
+ rv |= writeValueToPath(ipv6_proc_path, "all", "accept_redirects", "0");
+ setOnAllInterfaces(ipv4_proc_path, "accept_redirects", "0");
+ setOnAllInterfaces(ipv6_proc_path, "accept_redirects", "0");
+ return rv;
+}
+
int InterfaceController::getParameter(
const char *family, const char *which, const char *interface, const char *parameter,
std::string *value) {
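Review bot: The two `setOnAllInterfaces(...)` calls in `disableIcmpRedirects` are not folded into `rv`, while the two `writeValueToPath(...)` calls immediately above them are, so a per-interface write that fails is invisible to the caller even though the function advertises a status. If `setOnAllInterfaces` reports failure the same way `writeValueToPath` does, the lines should read `rv |= setOnAllInterfaces(ipv4_proc_path, "accept_redirects", "0");` and `rv |= setOnAllInterfaces(ipv6_proc_path, "accept_redirects", "0");`. The per-interface writes are the ones that matter for protection: the kernel documents IPv4 `accept_redirects` as enabled when either `conf/all` or `conf/<if>` is set while forwarding is off, and IPv6 reads only the per-interface value, so the `all` entries alone do not reject anything. Note also that nothing here touches `conf/default/accept_redirects`, so an interface created after this runs presumably inherits the kernel default until the function is invoked again — worth a comment on the function stating when callers are expected to re-run it.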