DivestOS/Patches/Linux_CVEs-New/CVE-2015-2922/ANY/0.patch

From 6fd99094de2b83d1d4c8457f2c83483b2828e75a Mon Sep 17 00:00:00 2001
From: "D.S. Ljungmark" <ljungmark@modio.se>
Date: Wed, 25 Mar 2015 09:28:15 +0100
Subject: [PATCH] ipv6: Don't reduce hop limit for an interface

A local route may have a lower hop_limit set than global routes do.

RFC 3756, Section 4.2.7, "Parameter Spoofing"

>   1.  The attacker includes a Current Hop Limit of one or another small
>       number which the attacker knows will cause legitimate packets to
>       be dropped before they reach their destination.

>   As an example, one possible approach to mitigate this threat is to
>   ignore very small hop limits.  The nodes could implement a
>   configurable minimum hop limit, and ignore attempts to set it below
>   said limit.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv6/ndisc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 471ed24aabaec..14ecdaf06bf74 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
 	if (rt)
 		rt6_set_expires(rt, jiffies + (HZ * lifetime));
 	if (ra_msg->icmph.icmp6_hop_limit) {
-		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+		/* Only set hop_limit on the interface if it is higher than
+		 * the current hop_limit.
+		 */
+		if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
+			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+		} else {
+			ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
+		}
 		if (rt)
 			dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
 				       ra_msg->icmph.icmp6_hop_limit);
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 6fd99094de2b83d1d4c8457f2c83483b2828e75a Mon Sep 17 00:00:00 2001`
			`From: "D.S. Ljungmark" <ljungmark@modio.se>`
			`Date: Wed, 25 Mar 2015 09:28:15 +0100`
			`Subject: [PATCH] ipv6: Don't reduce hop limit for an interface`

			`A local route may have a lower hop_limit set than global routes do.`

			`RFC 3756, Section 4.2.7, "Parameter Spoofing"`

			`> 1. The attacker includes a Current Hop Limit of one or another small`
			`> number which the attacker knows will cause legitimate packets to`
			`> be dropped before they reach their destination.`

			`> As an example, one possible approach to mitigate this threat is to`
			`> ignore very small hop limits. The nodes could implement a`
			`> configurable minimum hop limit, and ignore attempts to set it below`
			`> said limit.`

			`Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>`
			`Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>`
			`Signed-off-by: David S. Miller <davem@davemloft.net>`
			`---`
			`net/ipv6/ndisc.c \| 9 ++++++++-`
			`1 file changed, 8 insertions(+), 1 deletion(-)`

			`diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c`
			`index 471ed24aabaec..14ecdaf06bf74 100644`
			`--- a/net/ipv6/ndisc.c`
			`+++ b/net/ipv6/ndisc.c`
			`@@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)`
			`if (rt)`
			`rt6_set_expires(rt, jiffies + (HZ * lifetime));`
			`if (ra_msg->icmph.icmp6_hop_limit) {`
			`- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;`
			`+ /* Only set hop_limit on the interface if it is higher than`
			`+ * the current hop_limit.`
			`+ */`
			`+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {`
			`+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;`
			`+ } else {`
			`+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");`
			`+ }`
			`if (rt)`
			`dst_metric_set(&rt->dst, RTAX_HOPLIMIT,`
			`ra_msg->icmph.icmp6_hop_limit);`