commit c4b3a0c6e3d9c7cc3f26b0e721486d2b5111bdc4
author Hugo Benichi <hugobenichi@google.com> Tue May 22 08:48:40 2018 +0900
committer Hugo Benichi <hugobenichi@google.com> Wed May 23 16:01:04 2018 +0900
tree e1b1b522826bce49c2c414bb66b567f1e9439d32
parent aa77e4c9c7bb2faeee062403b3700a2316327482

Ensure icmp redirects are always ignored

A side effect of disabling the ip forwarding sysconf on all
interfaces is to re-enable the ICMP redirects sysconf on all
interfaces.

This patch ensures that ICMP redirects stays turned off when disabling
ip forwarding in TetherController.

Accepting ICMP redirects can allow an attacker to inject malicious
routes into a host and it is therefore desirable to always reject them.

Bug: 62387578
Bug: 77541904
Test: manual
Change-Id: I1f9a950eebf2f65d047f33145feee40d3ab34bd9

server/TetherController.cpp

diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 00430b6..55d636e 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -133,10 +133,18 @@
 
 bool TetherController::setIpFwdEnabled() {
     bool success = true;
-    const char* value = mForwardingRequests.empty() ? "0" : "1";
+    bool disable = mForwardingRequests.empty();
+    const char* value = disable ? "0" : "1";
     ALOGD("Setting IP forward enable = %s", value);
     success &= writeToFile(IPV4_FORWARDING_PROC_FILE, value);
     success &= writeToFile(IPV6_FORWARDING_PROC_FILE, value);
+    if (disable) {
+        // Turning off the forwarding sysconf in the kernel has the side effect
+        // of turning on ICMP redirect, which is a security hazard.
+        // Turn ICMP redirect back off immediately.
+        int rv = InterfaceController::disableIcmpRedirects();
+        success &= (rv == 0);
+    }
     return success;
 }