[src/netbsd-2-0]: src Pull up following revision(s) (requested by adrianp in ...
details: https://anonhg.NetBSD.org/src/rev/d29ee5853078
branches: netbsd-2-0
changeset: 565052:d29ee5853078
user: bouyer <bouyer%NetBSD.org@localhost>
date: Mon Jun 04 19:24:35 2007 +0000
description:
Pull up following revision(s) (requested by adrianp in ticket #11330):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revisions 1.41-1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
diffstat:
sbin/sysctl/sysctl.8 | 5 +++--
sys/netinet6/ip6_input.c | 36 ++++++++++++++++++++++++++++++++++--
sys/netinet6/ip6_var.h | 5 ++++-
sys/netinet6/route6.c | 42 ++++++++++++++++++++++++------------------
4 files changed, 65 insertions(+), 23 deletions(-)
diffs (178 lines):
diff -r b1e83d7d2a60 -r d29ee5853078 sbin/sysctl/sysctl.8
--- a/sbin/sysctl/sysctl.8 Wed May 30 19:55:11 2007 +0000
+++ b/sbin/sysctl/sysctl.8 Mon Jun 04 19:24:35 2007 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.8,v 1.111.2.1 2004/11/12 05:32:05 jmc Exp $
+.\" $NetBSD: sysctl.8,v 1.111.2.2 2007/06/04 19:24:35 bouyer Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.8 8.1 (Berkeley) 6/6/93
.\"
-.Dd October 15, 2004
+.Dd April 25, 2007
.Dt SYSCTL 8
.Os
.Sh NAME
@@ -422,6 +422,7 @@
.It net.inet6.ip6.maxfragpackets integer yes
.It net.inet6.ip6.maxfrags integer yes
.It net.inet6.ip6.redirect integer yes
+.It net.inet6.ip6.rht0 integer yes
.It net.inet6.ip6.rr_prune integer yes
.It net.inet6.ip6.use_deprecated integer yes
.It net.inet6.ipsec6.ah_net_deflev integer yes
diff -r b1e83d7d2a60 -r d29ee5853078 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Wed May 30 19:55:11 2007 +0000
+++ b/sys/netinet6/ip6_input.c Mon Jun 04 19:24:35 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.73.2.2 2006/05/24 02:37:15 riz Exp $ */
+/* $NetBSD: ip6_input.c,v 1.73.2.3 2007/06/04 19:24:35 bouyer Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.73.2.2 2006/05/24 02:37:15 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.73.2.3 2007/06/04 19:24:35 bouyer Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -1440,6 +1440,31 @@
ENOPROTOOPT
};
+static int
+sysctl_net_inet6_ip6_rht0(SYSCTLFN_ARGS)
+{
+ int error, tmp;
+ struct sysctlnode node;
+
+ node = *rnode;
+ tmp = ip6_rht0;
+ node.sysctl_data = &tmp;
+ error = sysctl_lookup(SYSCTLFN_CALL(&node));
+ if (error || newp == NULL)
+ return error;
+
+ switch (tmp) {
+ case -1: /* disable processing */
+ case 0: /* disable for host, enable for router */
+ case 1: /* enable for all */
+ break;
+ default:
+ return EINVAL;
+ }
+ ip6_rht0 = tmp;
+ return 0;
+}
+
SYSCTL_SETUP(sysctl_net_inet6_ip6_setup, "sysctl net.inet6.ip6 subtree setup")
{
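Review bot: The accepted values of ip6_rht0 (-1, 0, 1) are explained only by the case comments inside the switch of the new sysctl handler; the SYSCTL_DESCR added in the next hunk, the extern in the ip6_var.h hunk, the definition in the route6.c hunk (`int ip6_rht0 = -1;`) and the new sysctl.8 entry all leave a reader to guess what 0 means. A block comment above `sysctl_net_inet6_ip6_rht0()` stating the three values, and a description such as `SYSCTL_DESCR("Processing of routing header type 0 (IPv6): -1 never, 0 only when forwarding, 1 always")`, would make the knob self-describing for whoever re-enables it. The validation itself looks right: an out-of-range write is rejected with EINVAL before ip6_rht0 is touched, so the variable can only ever hold one of the three values the route6.c gate tests.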
@@ -1669,4 +1694,11 @@
NULL, 0, &ip6_maxfrags, 0,
CTL_NET, PF_INET6, IPPROTO_IPV6,
IPV6CTL_MAXFRAGS, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "rht0",
+ SYSCTL_DESCR("Processing of routing header type 0 (IPv6)"),
+ sysctl_net_inet6_ip6_rht0, 0, &ip6_rht0, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
}
diff -r b1e83d7d2a60 -r d29ee5853078 sys/netinet6/ip6_var.h
--- a/sys/netinet6/ip6_var.h Wed May 30 19:55:11 2007 +0000
+++ b/sys/netinet6/ip6_var.h Mon Jun 04 19:24:35 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_var.h,v 1.32 2003/09/06 03:36:33 itojun Exp $ */
+/* $NetBSD: ip6_var.h,v 1.32.2.1 2007/06/04 19:24:35 bouyer Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -242,6 +242,9 @@
extern int ip6_lowportmin; /* minimum reserved port */
extern int ip6_lowportmax; /* maximum reserved port */
+extern int ip6_rht0; /* processing routing header type 0 */
+
+
struct in6pcb;
int icmp6_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
diff -r b1e83d7d2a60 -r d29ee5853078 sys/netinet6/route6.c
--- a/sys/netinet6/route6.c Wed May 30 19:55:11 2007 +0000
+++ b/sys/netinet6/route6.c Mon Jun 04 19:24:35 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: route6.c,v 1.13 2003/06/06 08:13:44 itojun Exp $ */
+/* $NetBSD: route6.c,v 1.13.4.1 2007/06/04 19:24:35 bouyer Exp $ */
/* $KAME: route6.c,v 1.22 2000/12/03 00:54:00 itojun Exp $ */
/*
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route6.c,v 1.13 2003/06/06 08:13:44 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route6.c,v 1.13.4.1 2007/06/04 19:24:35 bouyer Exp $");
#include <sys/param.h>
#include <sys/mbuf.h>
@@ -48,6 +48,8 @@
#include <netinet/icmp6.h>
+int ip6_rht0 = -1; /* disabled by default */
+
static int ip6_rthdr0 __P((struct mbuf *, struct ip6_hdr *,
struct ip6_rthdr0 *));
@@ -70,23 +72,27 @@
switch (rh->ip6r_type) {
case IPV6_RTHDR_TYPE_0:
- rhlen = (rh->ip6r_len + 1) << 3;
- /*
- * note on option length:
- * maximum rhlen: 2048
- * max mbuf m_pulldown can handle: MCLBYTES == usually 2048
- * so, here we are assuming that m_pulldown can handle
- * rhlen == 2048 case. this may not be a good thing to
- * assume - we may want to avoid pulling it up altogether.
- */
- IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen);
- if (rh == NULL) {
- ip6stat.ip6s_tooshort++;
- return IPPROTO_DONE;
+ if ((ip6_forwarding && ip6_rht0 == 0) || ip6_rht0 > 0) {
+ rhlen = (rh->ip6r_len + 1) << 3;
+ /*
+ * note on option length:
+ * maximum rhlen: 2048
+ * max mbuf m_pulldown can handle: MCLBYTES == usually
+ * 2048 so, here we are assuming that m_pulldown can
+ * handle hlen == 2048 case. This may not be a good
+ * thing to assume - we may want to avoid pulling it
+ * up altogether.
+ */
+ IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen);
+ if (rh == NULL) {
+ ip6stat.ip6s_tooshort++;
+ return IPPROTO_DONE;
+ }
+ if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
+ return IPPROTO_DONE;
+ break;
}
- if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
- return (IPPROTO_DONE);
- break;
+ /*FALLTHROUGH*/
default:
/* unknown routing type */
if (rh->ip6r_segleft == 0) {
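Review bot: The rewrapped comment at `handle hlen == 2048 case` renames the variable; the code computes and passes `rhlen`, so the comment should read `handle rhlen == 2048 case.` to keep matching the code. The gate itself reads correctly against the sysctl semantics (0 processes only when ip6_forwarding is set, 1 always, -1 never), and a suppressed type 0 header now appears to take the `default:` unknown-routing-type path via the added `/*FALLTHROUGH*/`. That path does not seem to bump any counter specific to suppressed RH0 headers (the default branch continues outside the hunk), so an operator has no direct way to see how often the new default is being exercised; a dedicated ip6stat counter or rate-limited log message would help if that visibility is wanted. The enclosing switch and function start before and end after this hunk.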