kernel-fxtec-pro1x/net/ipv6/netfilter
Patrick McHardy 6d381634d2 [NETFILTER]: Fix ip6_tables extension header bypass bug
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-24 16:15:10 -07:00
..
ip6_queue.c
ip6_tables.c [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
ip6t_ah.c [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
ip6t_eui64.c
ip6t_frag.c [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
ip6t_hbh.c [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
ip6t_HL.c
ip6t_hl.c
ip6t_ipv6header.c
ip6t_LOG.c
ip6t_owner.c
ip6t_REJECT.c
ip6t_rt.c [NETFILTER]: Fix ip6_tables extension header bypass bug 2006-10-24 16:15:10 -07:00
ip6table_filter.c
ip6table_mangle.c
ip6table_raw.c
Kconfig
Makefile
nf_conntrack_l3proto_ipv6.c
nf_conntrack_proto_icmpv6.c
nf_conntrack_reasm.c