original_kernel/net/ipv6
Patrick McHardy 6d381634d2 [NETFILTER]: Fix ip6_tables extension header bypass bug
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-24 16:15:10 -07:00
..
netfilter [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
Kconfig [IPV6]: Make IPV6_SUBTREES depend on IPV6_MULTIPLE_TABLES. 2006-10-18 19:55:29 -07:00
Makefile [IPV6]: Seperate sit driver to extra module 2006-10-11 23:59:50 -07:00
addrconf.c [IPV6]: Seperate sit driver to extra module (addrconf.c changes) 2006-10-11 23:59:52 -07:00
af_inet6.c [IPV6]: Seperate sit driver to extra module 2006-10-11 23:59:50 -07:00
ah6.c
anycast.c [IPV6] ADDRCONF: Convert addrconf_lock to RCU. 2006-09-22 15:20:26 -07:00
datagram.c
esp6.c
exthdrs.c
exthdrs_core.c
fib6_rules.c [IPv6] rules: Use RT6_LOOKUP_F_HAS_SADDR and fix source based selectors 2006-10-15 23:14:19 -07:00
icmp.c
inet6_connection_sock.c
inet6_hashtables.c [IPV4]: INET_MATCH() annotations 2006-09-28 18:02:25 -07:00
ip6_fib.c [IPv6] fib: initialize tb6_lock in common place to give lockdep a key 2006-10-21 20:20:54 -07:00
ip6_flowlabel.c
ip6_input.c
ip6_output.c [IPV6] NDISC: Add proxy_ndp sysctl. 2006-09-22 15:20:25 -07:00
ip6_tunnel.c
ipcomp6.c [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
ipv6_sockglue.c [IPV6]: Disable SG for GSO unless we have checksum 2006-09-28 18:02:45 -07:00
ipv6_syms.c [IPV6] ADDRCONF: Convert addrconf_lock to RCU. 2006-09-22 15:20:26 -07:00
mcast.c
mip6.c Remove all inclusions of <linux/config.h> 2006-10-04 03:38:54 -04:00
ndisc.c [IPV6]: Remove bogus WARN_ON in Proxy-NA handling. 2006-10-15 23:14:20 -07:00
netfilter.c
proc.c
protocol.c
raw.c
reassembly.c
route.c [IPV6]: Fix route.c warnings when multiple tables are disabled. 2006-10-18 21:20:57 -07:00
sit.c [IPV6] sit: Add missing MODULE_LICENSE 2006-10-15 23:14:21 -07:00
sysctl_net_ipv6.c
tcp_ipv6.c [NET]: Use typesafe inet_twsk() inline function instead of cast. 2006-10-11 23:59:58 -07:00
tunnel6.c
udp.c [UDP]: Fix MSG_PROBE crash 2006-10-04 00:31:00 -07:00
xfrm6_input.c [XFRM]: xrfm_replay_check() annotations 2006-09-28 18:02:40 -07:00
xfrm6_mode_beet.c [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
xfrm6_mode_ro.c [IPSEC]: output mode to take an xfrm state as input param 2006-09-22 15:18:48 -07:00
xfrm6_mode_transport.c [IPSEC]: output mode to take an xfrm state as input param 2006-09-22 15:18:48 -07:00
xfrm6_mode_tunnel.c [IPSEC]: output mode to take an xfrm state as input param 2006-09-22 15:18:48 -07:00
xfrm6_output.c [IPSEC]: output mode to take an xfrm state as input param 2006-09-22 15:18:48 -07:00
xfrm6_policy.c [IPV6]: Make sure error handling is done when calling ip6_route_output(). 2006-10-18 19:55:27 -07:00
xfrm6_state.c [XFRM]: ports in struct xfrm_selector annotated 2006-09-28 18:02:33 -07:00
xfrm6_tunnel.c [XFRM]: xrfm_replay_check() annotations 2006-09-28 18:02:40 -07:00