linux/net
Li Yewang 29556526b9 [IPV6]: fix BUG of ndisc_send_redirect()
When I tested the IPv6 redirect function on kernel 2.6.19.1, I found
that the kernel can send redirect packets whose target address is a
global address, and the target is not the actual endpoint of
communication.

  But by the criteria of RFC2461, the target address is defined as
follows:

  Target Address An IP address that is a better first hop to use for
                 the ICMP Destination Address.  When the target is
                 the actual endpoint of communication, i.e., the
                 destination is a neighbor, the Target Address field
                 MUST contain the same value as the ICMP Destination
                 Address field.  Otherwise the target is a better
                 first-hop router and the Target Address MUST be the
                 router's link-local address so that hosts can
                 uniquely identify routers.

According to this definition, when a router sends a redirect to a host,
the target address is either the better first-hop router's link-local
address or the same as the ICMP destination address field. But the
function ndisc_send_redirect() in net/ipv6/ndisc.c does not check the
target address correctly.

There is another definition about receiving Redirect messages in RFC2461:

8.1.  Validation of Redirect Messages

   A host MUST silently discard any received Redirect message that does
   not satisfy all of the following validity checks:
   ......
   - The ICMP Target Address is either a link-local address (when
     redirected to a router) or the same as the ICMP Destination
     Address (when redirected to the on-link destination).
   ......

And the receive redirect function ndisc_redirect_rcv() implements
this definition and checks the target address correctly:
    if (ipv6_addr_equal(dest, target)) {
        on_link = 1;
    } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
        ND_PRINTK2(KERN_WARNING
               "ICMPv6 Redirect: target address is not link-local.\n");
        return;
    }

So, I think the send redirect function must also check the target
address.

Signed-off-by: Li Yewang <lyw@nanjing-fnst.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-30 14:33:20 -08:00
802 [NET]: Kill direct includes of asm/checksum.h 2006-12-02 21:22:59 -08:00
8021q [PATCH] Finish annotations of struct vlan_ethhdr 2006-10-10 16:15:34 -07:00
appletalk [PATCH] severing skbuff.h -> highmem.h 2006-12-04 02:00:29 -05:00
atm [PATCH] struct path: convert atm 2006-12-08 08:28:44 -08:00
ax25 [AX.25]: Fix unchecked ax25_linkfail_register uses 2006-12-17 21:59:11 -08:00
bluetooth [Bluetooth] Restrict well known PSM to privileged users 2007-01-22 22:00:45 +01:00
bridge [NETFILTER]: ebtables: don't compute gap before checking struct type 2007-01-04 12:17:44 -08:00
core [IPSEC] flow: Fix potential memory leak 2007-01-23 20:25:39 -08:00
dccp [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). 2007-01-26 01:04:55 -08:00
decnet [DECNET]: Handle a failure in neigh_parms_alloc (take 2) 2007-01-25 15:51:51 -08:00
econet [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
ethernet [NET]: Kill direct includes of asm/checksum.h 2006-12-02 21:22:59 -08:00
ieee80211 [PATCH] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie 2006-12-19 16:19:45 -05:00
ipv4 [NETFILTER]: SIP conntrack: fix out of bounds memory access 2007-01-30 14:25:24 -08:00
ipv6 [IPV6]: fix BUG of ndisc_send_redirect() 2007-01-30 14:33:20 -08:00
ipx [IPX]: Annotate and fix IPX checksum 2006-11-05 14:11:25 -08:00
irda [PATCH] tty: switch to ktermios and new framework 2006-12-08 08:28:56 -08:00
key audit: Add auditing to ipsec 2006-12-06 20:14:22 -08:00
lapb [LAPB]: Fix windowsize check 2006-08-05 21:15:58 -07:00
llc [LLC]: anotations 2006-12-02 21:21:23 -08:00
netfilter [NETFILTER]: SIP conntrack: fix out of bounds memory access 2007-01-30 14:25:24 -08:00
netlabel NetLabel: correct CIPSO tag handling when adding new DOI definitions 2007-01-09 00:30:01 -08:00
netlink [AF_NETLINK]: module_put cleanup 2007-01-03 18:38:15 -08:00
netrom [AX.25]: Fix unchecked ax25_linkfail_register uses 2006-12-17 21:59:11 -08:00
packet [AF_PACKET]: Check device down state before hard header callbacks. 2007-01-25 19:30:36 -08:00
rose [AX.25]: Fix unchecked rose_add_loopback_neigh uses 2006-12-17 21:59:14 -08:00
rxrpc [PATCH] Add include/linux/freezer.h and move definitions from sched.h 2006-12-07 08:39:27 -08:00
sched [NET_SCHED] sch_htb: turn intermediate classes into leaves 2006-12-08 17:19:32 -08:00
sctp [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). 2007-01-26 01:04:55 -08:00
sunrpc [PATCH] knfsd: ratelimit some nfsd messages that are triggered by external events 2007-01-30 08:26:45 -08:00
tipc [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
unix [PATCH] struct path: convert unix 2006-12-08 08:28:50 -08:00
wanrouter [WANROUTER]: Kill kmalloc debugging code. 2006-12-07 00:18:22 -08:00
x25 [X.25]: Add missing sock_put in x25_receive_data 2007-01-23 20:25:48 -08:00
xfrm [IPSEC]: Policy list disorder 2007-01-23 20:25:51 -08:00
compat.c [NET]: File descriptor loss while receiving SCM_RIGHTS 2006-10-11 23:59:48 -07:00
Kconfig [NETFILTER]: remove the reference to ipchains from Kconfig 2006-12-02 21:31:35 -08:00
Makefile [NetLabel]: core NetLabel subsystem 2006-09-22 14:53:34 -07:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c [PATCH] struct path: convert net 2006-12-08 08:28:48 -08:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
TUNABLE