Source-Changes-D archive


Re: CVS commit: src/sys/netinet



On Mon, 05 Feb 2018, at 13:23:11 +0000, Maxime Villard wrote:
>Module Name:    src
>Committed By:   maxv
>Date:           Mon Feb  5 13:23:11 UTC 2018
>
>Modified Files:
>        src/sys/netinet: ip_input.c
>
>Log Message:
>Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
>completely dumb idea, because they have security implications.
>
>By sending an IPv4 packet containing an LSRR option, an attacker will
>cause the system to forward the packet to another IPv4 address - and
>this way he white-washes the source of the packet.
>
>It is also possible for an attacker to reach hidden networks: if a server
>has a public address, and a private one on an internal network (network
>which has several internal machines connected), the attacker can send a
>packet with:
>
>        source = 0.0.0.0
>        destination = public address of the server
>        LSRR first address = address of a machine on the internal network
>
>And the packet will be forwarded, by the server, to the internal machine,
>in some cases even with the internal IP address of the server as a source.

Hello,

This particular fix has been pulled up to the various 6.x and 7.x
branches, but not to 8.0_BETA. Is that still pending because it's part
of a larger planned change set?

Thanks for all the improvements you've been making!

Regards,

Dave


