Google Git
Sign in
kernel / pub / scm / linux / kernel / git / jkirsher / net-queue / 0aa8c13eb512823bc4d60397d666a6b6260bb965
commit0aa8c13eb512823bc4d60397d666a6b6260bb965[log] [tgz]
authorFlorian Westphal <fw@strlen.de>Fri Apr 14 20:22:43 2017 +0200
committerDavid S. Miller <davem@davemloft.net>Mon Apr 17 15:09:23 2017 -0400
treecb0a1a2dd8d48965f34613646c4d5b3a52c59e03
parent71947f0f91ad9c995e11c671d24bd4da5d11c0cb [diff]
ipv6: drop non loopback packets claiming to originate from ::1

We lack a saddr check for ::1. This causes security issues e.g. with acls
permitting connections from ::1 because of assumption that these originate
from local machine.

Assuming a source address of ::1 is local seems reasonable.
RFC4291 doesn't allow such a source address either, so drop such packets.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: cb0a1a2dd8d48965f34613646c4d5b3a52c59e03
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README