From patchwork Tue Mar 4 02:57:35 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Linus_L=C3=BCssing?= X-Patchwork-Id: 326114 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 952B52C00AC for ; Tue, 4 Mar 2014 13:58:14 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756039AbaCDC5r (ORCPT ); Mon, 3 Mar 2014 21:57:47 -0500 Received: from mout.web.de ([212.227.15.14]:51915 "EHLO mout.web.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755935AbaCDC5q (ORCPT ); Mon, 3 Mar 2014 21:57:46 -0500 Received: from localhost ([95.211.10.3]) by smtp.web.de (mrweb004) with ESMTPSA (Nemesis) id 0Lo4Lo-1Wrpa13qOG-00g3Ol for ; Tue, 04 Mar 2014 03:57:45 +0100 From: =?UTF-8?q?Linus=20L=C3=BCssing?= To: netdev@vger.kernel.org Cc: bridge@lists.linux-foundation.org, Stephen Hemminger , "David S. Miller" , linux-kernel@vger.kernel.org, Jan Stancek , Florian Westphal , =?UTF-8?q?Linus=20L=C3=BCssing?= Subject: [PATCH] bridge: multicast: add sanity check for query source addresses Date: Tue, 4 Mar 2014 03:57:35 +0100 Message-Id: <1393901855-18231-1-git-send-email-linus.luessing@web.de> X-Mailer: git-send-email 1.9.0 MIME-Version: 1.0 X-Provags-ID: V03:K0:kfFjBbsyQIFrPsWUru1IE/mOXyltpnwxgdy80c6GJcZCRlJahwn fsjlk0jFZlWeSbIJkiZZcPxrp/vzDxhKPj6DyTF6TK9j9DFrVCVD2hzNw4GZT2vt4iCFo9y Gv81RncR2U2gSnIpNUguJNzk6Se8WilNL0VToMlZNBM7xKHoan4oCblnZNV/zOrzxQaV33N z+1Q8kG1gQKKYU3NwQP8w== Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org MLD queries are supposed to have an IPv6 link-local source address according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch adds a sanity check to ignore such broken MLD queries. Without this check, such malformed MLD queries can result in a denial of service: The queries are ignored by any MLD listener therefore they will not respond with an MLD report. However, without this patch these malformed MLD queries would enable the snooping part in the bridge code, potentially shutting down the according ports towards these hosts for multicast traffic as the bridge did not learn about these listeners. Reported-by: Jan Stancek Signed-off-by: Linus Lüssing Reviewed-by: Hannes Frederic Sowa --- net/bridge/br_multicast.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index ef66365..fb0e36f 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1235,6 +1235,12 @@ static int br_ip6_multicast_query(struct net_bridge *br, (port && port->state == BR_STATE_DISABLED)) goto out; + /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */ + if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) { + err = -EINVAL; + goto out; + } + if (skb->len == sizeof(*mld)) { if (!pskb_may_pull(skb, sizeof(*mld))) { err = -EINVAL;