Discussion:
IPv6 DoS
Loganaden Velvindron
2013-08-20 19:43:05 UTC
Hi all,

I saw this vulnerability that was MFC'ed in OpenBSD:

005: RELIABILITY FIX: May 31, 2013 All architectures
A local denial of service is possible by an unprivileged user if
the SIOCSIFADDR ioctl is performed upon an AF_INET6 socket with a
specially crafted parameter.

Going through the NetBSD in6.c code, it looks like NetBSD is vulnerable
as well.

Patch on my netbsd-6 box:

Index: in6.c
===================================================================
RCS file: /cvsroot/src/sys/netinet6/in6.c,v
retrieving revision 1.159
diff -u -p -r1.159 in6.c
--- in6.c 19 Nov 2011 22:51:26 -0000 1.159
+++ in6.c 20 Aug 2013 19:28:26 -0000
@@ -465,6 +465,12 @@ in6_control1(struct socket *so, u_long c
case SIOCGIFSTAT_ICMP6:
sa6 = &ifr->ifr_addr;
break;
+ case SIOCSIFADDR:
+ /*
+ * Do not pass this ioctl to driver handler since it is not
+ * properly setup. Instead just error out.
+ */
+ return (EOPNOTSUPP);
default:
sa6 = NULL;
break;
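
Review bot: the added `case SIOCSIFADDR:` in in6_control1 rejects only this one request, and its comment does not say what is "not properly setup" in the driver handler, so a later reader cannot tell which other requests need the same treatment. State the reason in the comment (and write "set up"), and if other address-setting requests take the same path to the driver handler, list them under the same case label rather than patching them one at a time. Before applying this to 1.159, check whether the function already returns EOPNOTSUPP for SIOCSIFADDR elsewhere; if that is in this same switch, a second case label with the same value will not compile.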

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2013-08-21 13:35:18 UTC
Post by Loganaden Velvindron
> Hi all,
> 005: RELIABILITY FIX: May 31, 2013 All architectures
> A local denial of service is possible by an unprivileged user if
> the SIOCSIFADDR ioctl is performed upon an AF_INET6 socket with a
> specially crafted parameter.
> Going through the NetBSD in6.c code, it looks like NetBSD is vulnerable
> as well.

The patch is not needed, we fixed that 7 years ago:

1.105 (christos 03-Jun-06): * XXX: Fix me, once we fix SIOCSIFADDR, SIOCIFDSTADDR, etc.
1.104 (christos 03-Jun-06): */
1.104 (christos 03-Jun-06): case SIOCSIFADDR:
1.105 (christos 03-Jun-06): case SIOCSIFDSTADDR:
1.129 (cube 27-May-07): #ifdef SIOCSIFCONF_X25
1.106 (christos 03-Jun-06): case SIOCSIFCONF_X25:
1.110 (matt 25-Aug-06): #endif
1.104 (christos 03-Jun-06): return EOPNOTSUPP;

You might as well tell OpenBSD that SIOCSIFDSTADDR is problematic too ;-)

christos

