git: kernel - Adjustments for CERT VU#711516

Matthew Dillon dillon at crater.dragonflybsd.org
Sat Mar 28 15:09:19 PDT 2015


commit 74ceb998af302c8fb9fe0303aa736e3ab66780c8
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Sat Mar 28 15:00:43 2015 -0700

    kernel - Adjustments for CERT VU#711516
    
    Note that IPV6 route advertisements are disabled by default, so these
    adjustments have no real security implications if you haven't enabled
    it.  And, generally speaking, enabling IPV6 route advertisements is a
    really bad idea anyway and these adjustments only address one small part
    of the problem.
    
    * Allowing RTR packets via net.inet6.ip6.accept_rtadv is not advised
      even with this adjustment.
    
    * Add a sysctl to put a lower limit on the IPV6 hop limit received via
      RTR packets when allowed, default is 39. sysctl net.inet6.ip6.minhlim.

Summary of changes:
 sys/netinet/ip6.h        |  1 +
 sys/netinet6/icmp6.c     |  5 ++++-
 sys/netinet6/in6.h       |  1 +
 sys/netinet6/in6_pcb.c   | 17 ++++++++++++-----
 sys/netinet6/in6_proto.c |  3 +++
 sys/netinet6/in6_src.c   | 16 +++++++++++-----
 sys/netinet6/ip6_var.h   |  1 +
 7 files changed, 33 insertions(+), 11 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/74ceb998af302c8fb9fe0303aa736e3ab66780c8


-- 
DragonFly BSD source repository
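
An added example, not code from the DragonFly commit: a C sketch of the lower-bound check the commit message describes, applied to the Cur Hop Limit byte of a Router Advertisement (RFC 4861 header layout). The function name, the constructed sample packets and the choice to raise a too-low value to the floor (rather than drop it) are assumptions; the message only states that a lower limit exists and defaults to 39.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134  /* ICMPv6 type of a Router Advertisement */
#define RA_HDR_LEN       16   /* fixed RA header, before any options */
#define RA_OFF_HOPLIMIT  4    /* Cur Hop Limit: after type, code, checksum */

/*
 * Hypothetical helper: returns the hop limit the host should use after
 * receiving the ICMPv6 message in pkt.  cur is the value in use now and
 * minhlim the configured floor (net.inet6.ip6.minhlim in the commit,
 * default 39).  A very low advertised value would make the host's packets
 * expire before reaching off-link destinations, hence the floor.
 * Assumption: a too-low advertisement is raised to the floor.
 */
static uint8_t
ra_hoplimit(const uint8_t *pkt, size_t len, uint8_t cur, uint8_t minhlim)
{
	uint8_t adv;

	if (pkt == NULL || len < RA_HDR_LEN)
		return cur;		/* truncated message: keep current value */
	if (pkt[0] != ND_ROUTER_ADVERT || pkt[1] != 0)
		return cur;		/* not a Router Advertisement */
	adv = pkt[RA_OFF_HOPLIMIT];
	if (adv == 0)
		return cur;		/* 0 means "unspecified by this router" */
	if (adv < minhlim)
		return minhlim;		/* enforce the lower limit */
	return adv;
}

/* Constructed sample RA headers (checksums left at zero, not computed). */
static const uint8_t ra_low[RA_HDR_LEN]    = { 134, 0, 0, 0, 1 };
static const uint8_t ra_ok[RA_HDR_LEN]     = { 134, 0, 0, 0, 64 };
static const uint8_t ra_unspec[RA_HDR_LEN] = { 134, 0, 0, 0, 0 };

int
main(void)
{
	printf("low:    %u\n", ra_hoplimit(ra_low, sizeof(ra_low), 64, 39));
	printf("ok:     %u\n", ra_hoplimit(ra_ok, sizeof(ra_ok), 39, 39));
	printf("unspec: %u\n", ra_hoplimit(ra_unspec, sizeof(ra_unspec), 64, 39));
	return 0;
}
```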


