git: kernel - Adjustments for CERT VU#711516
Matthew Dillon
dillon at crater.dragonflybsd.org
Sat Mar 28 15:09:19 PDT 2015
commit 74ceb998af302c8fb9fe0303aa736e3ab66780c8
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Sat Mar 28 15:00:43 2015 -0700
kernel - Adjustments for CERT VU#711516

Note that IPV6 route advertisements are disabled by default, so these
adjustments have no real security implications if you haven't enabled
it. And, generally speaking, enabling IPV6 route advertisements is a
really bad idea anyway and these adjustments only address one small part
of the problem.

* Allowing RTR packets via net.inet6.ip6.accept_rtadv is not advised
  even with this adjustment.

* Add a sysctl to put a lower limit on the IPV6 hop limit received via
  RTR packets when allowed, default is 39. sysctl net.inet6.ip6.minhlim.

Summary of changes:
sys/netinet/ip6.h | 1 +
sys/netinet6/icmp6.c | 5 ++++-
sys/netinet6/in6.h | 1 +
sys/netinet6/in6_pcb.c | 17 ++++++++++++-----
sys/netinet6/in6_proto.c | 3 +++
sys/netinet6/in6_src.c | 16 +++++++++++-----
sys/netinet6/ip6_var.h | 1 +
7 files changed, 33 insertions(+), 11 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/74ceb998af302c8fb9fe0303aa736e3ab66780c8
--
DragonFly BSD source repository
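
The hop-limit floor described in the commit message above, sketched as an added example; this is not the commit's code or any DragonFly source. The helper name ra_select_hlim, the clamp-to-floor policy and the sample packets are assumptions made for illustration; the RA field layout and validity checks follow RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134 /* ICMPv6 type, RFC 4861 */
#define RA_MIN_LEN       16  /* fixed RA header, before options */
#define RA_CURHLIM_OFF   4   /* offset of the Cur Hop Limit byte */
#define MINHLIM_DEFAULT  39  /* net.inet6.ip6.minhlim default per the commit message */

/* Constructed samples: type 134, code 0, checksum 0 (not verified here). */
static const uint8_t ra_low[RA_MIN_LEN] = { 134, 0, 0, 0, 1 };   /* Cur Hop Limit 1 */
static const uint8_t ra_ok[RA_MIN_LEN]  = { 134, 0, 0, 0, 128 }; /* Cur Hop Limit 128 */

/*
 * Hypothetical helper: return the hop limit a host keeps using after one RA.
 * cur is the value in use, rx_hlim is the Hop Limit of the IPv6 header that
 * carried the RA, minhlim is the configured floor.
 */
static uint8_t
ra_select_hlim(uint8_t cur, const uint8_t *icmp6, size_t len,
    uint8_t rx_hlim, uint8_t minhlim)
{
	uint8_t adv;

	/* RFC 4861 validity: not forwarded (255), long enough, right type/code. */
	if (rx_hlim != 255 || len < RA_MIN_LEN)
		return cur;
	if (icmp6[0] != ND_ROUTER_ADVERT || icmp6[1] != 0)
		return cur;

	adv = icmp6[RA_CURHLIM_OFF];
	if (adv == 0)      /* 0 means "unspecified by this router" */
		return cur;
	if (adv < minhlim) /* assumed policy: raise to the floor */
		return minhlim;
	return adv;
}

int
main(void)
{
	printf("low RA -> %u, normal RA -> %u\n",
	    (unsigned)ra_select_hlim(64, ra_low, sizeof(ra_low), 255, MINHLIM_DEFAULT),
	    (unsigned)ra_select_hlim(64, ra_ok, sizeof(ra_ok), 255, MINHLIM_DEFAULT));
	return 0;
}
```

Without the floor, the first sample would leave the host sending packets with a hop limit of 1, which are dropped at the first router.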