| Message ID | 20101020112118.6260.93956.stgit@este.odu |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | David Miller |
| Headers | show |
Hello. (2010/10/20 20:21), KOVACS Krisztian wrote: > From: Balazs Scheidler<bazsi@balabit.hu> > > Signed-off-by: Balazs Scheidler<bazsi@balabit.hu> > Signed-off-by: KOVACS Krisztian<hidden@balabit.hu> > --- > net/ipv6/af_inet6.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c > index 6022098..9480572 100644 > --- a/net/ipv6/af_inet6.c > +++ b/net/ipv6/af_inet6.c > @@ -343,7 +343,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) > */ > v4addr = LOOPBACK4_IPV6; > if (!(addr_type& IPV6_ADDR_MULTICAST)) { > - if (!ipv6_chk_addr(net,&addr->sin6_addr, > + if (!inet->transparent&& !ipv6_chk_addr(net,&addr->sin6_addr, > dev, 0)) { > err = -EADDRNOTAVAIL; > goto out_unlock; > > As I wrote before in other thread, this does not seem sufficient -- well, it is sufficient to allow non-local bind, but before we're allowing this, we need add checks of source address in sending side. Regards, --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 2010-10-20 at 21:45 +0900, YOSHIFUJI Hideaki wrote: > (2010/10/20 20:21), KOVACS Krisztian wrote: > > From: Balazs Scheidler<bazsi@balabit.hu> > > > > Signed-off-by: Balazs Scheidler<bazsi@balabit.hu> > > Signed-off-by: KOVACS Krisztian<hidden@balabit.hu> > > --- > > net/ipv6/af_inet6.c | 2 +- > > 1 files changed, 1 insertions(+), 1 deletions(-) > > > > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c > > index 6022098..9480572 100644 > > --- a/net/ipv6/af_inet6.c > > +++ b/net/ipv6/af_inet6.c > > @@ -343,7 +343,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) > > */ > > v4addr = LOOPBACK4_IPV6; > > if (!(addr_type& IPV6_ADDR_MULTICAST)) { > > - if (!ipv6_chk_addr(net,&addr->sin6_addr, > > + if (!inet->transparent&& !ipv6_chk_addr(net,&addr->sin6_addr, > > dev, 0)) { > > err = -EADDRNOTAVAIL; > > goto out_unlock; > > > > > > As I wrote before in other thread, this does not seem sufficient -- > well, it is sufficient to allow non-local bind, but before we're > allowing this, we need add checks of source address in sending side. Can you please elaborate or point us to the other thread? Is it some kind of address-type check that we miss?
Hello. 2010-10-20, Balazs Scheidler wrote: > On Wed, 2010-10-20 at 21:45 +0900, YOSHIFUJI Hideaki wrote: > > (2010/10/20 20:21), KOVACS Krisztian wrote: > > > From: Balazs Scheidler<bazsi@balabit.hu> > > > > > > Signed-off-by: Balazs Scheidler<bazsi@balabit.hu> > > > Signed-off-by: KOVACS Krisztian<hidden@balabit.hu> > > > --- > > > net/ipv6/af_inet6.c | 2 +- > > > 1 files changed, 1 insertions(+), 1 deletions(-) > > > > > > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c > > > index 6022098..9480572 100644 > > > --- a/net/ipv6/af_inet6.c > > > +++ b/net/ipv6/af_inet6.c > > > @@ -343,7 +343,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) > > > */ > > > v4addr = LOOPBACK4_IPV6; > > > if (!(addr_type& IPV6_ADDR_MULTICAST)) { > > > - if (!ipv6_chk_addr(net,&addr->sin6_addr, > > > + if (!inet->transparent&& !ipv6_chk_addr(net,&addr->sin6_addr, > > > dev, 0)) { > > > err = -EADDRNOTAVAIL; > > > goto out_unlock; > > > > > > > > > > As I wrote before in other thread, this does not seem sufficient -- > > well, it is sufficient to allow non-local bind, but before we're > > allowing this, we need add checks of source address in sending side. > > Can you please elaborate or point us to the other thread? Is it some > kind of address-type check that we miss? Please see my comment at: <http://kerneltrap.org/mailarchive/linux-netdev/2010/7/5/6280572> This will result in allowing non-privileged users easily sending from non-local / unauthorized address, which is not good, and which should not be allowed from security aspects. Regards, --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 6022098..9480572 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -343,7 +343,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) */ v4addr = LOOPBACK4_IPV6; if (!(addr_type & IPV6_ADDR_MULTICAST)) { - if (!ipv6_chk_addr(net, &addr->sin6_addr, + if (!inet->transparent && !ipv6_chk_addr(net, &addr->sin6_addr, dev, 0)) { err = -EADDRNOTAVAIL; goto out_unlock;