From owner-FreeBSD-users-jp@jp.FreeBSD.org Fri May 25 11:17:31 2007
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id l4P2HVa38996;
	Fri, 25 May 2007 11:17:31 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from msa1-25.plala.or.jp (msa1.plala.or.jp [58.93.251.201])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id l4P2HUM38991
	for <FreeBSD-users-jp@jp.freebsd.org>; Fri, 25 May 2007 11:17:31 +0900 (JST)
	(envelope-from t-nozawa@pluto.dti.ne.jp)
Received: from nozt41.speecys ([58.93.50.230]) by msa1-25.plala.or.jp
          with ESMTP
          id <20070525021726.HSWB28364.msa1-25.plala.or.jp@nozt41.speecys>
          for <FreeBSD-users-jp@jp.freebsd.org>;
          Fri, 25 May 2007 11:17:26 +0900
From: Toshiaki Nozawa <t-nozawa@pluto.dti.ne.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
User-Agent: KMail/1.9.4
MIME-Version: 1.0
Message-Id: <200705251117.25227.t-nozawa@pluto.dti.ne.jp>
Content-Type: Multipart/Mixed;
  boundary="Boundary-00=_1ckVGiOdgyptWbp"
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Fri, 25 May 2007 11:17:24 +0900
X-Sequence: FreeBSD-users-jp 90700
Subject: [FreeBSD-users-jp 90700] patch for IPv6
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: t-nozawa@pluto.dti.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

--Boundary-00=_1ckVGiOdgyptWbp
Content-Type: text/plain;
  charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

$B?tG/$V$j$NEj9F$NLnBt$H?=$7$^$9!#(B

FreeBSD-SA-07:03.ipv6 $B$N(B patch $B$@$1$G$O==J,$G$O$J$$$H(B itojun $B$5$s$+$iJ9$-!"(B
$B;d$,;HMQ$7$F$$$k(B 6.2-RELEASE-p4 $B$G(B patch $B$r:n$j$^$7$?!#(B
#$B$?$^$K$O9W8%$G$-$l$P$H;W$$$^$7$F(B (^^)

$B85$O(B
http://www.kame.net/newsletter/20070502/index.ja.html
$B$G$9!#(B

current $B$G$O!"$I$&$J$C$F$$$k$+$4B8CN$JJ}$$$i$C$7$c$$$^$9$+(B?

#$B$s!<!":#$K$J$C$F(B route6.c $B$N(B "@@ -89,6 +91,22 @@" $B$NItJ,$,5$$K$J$C$F$-$?(B (^^;

--Boundary-00=_1ckVGiOdgyptWbp
Content-Type: text/x-diff;
  charset="iso-2022-jp";
  name="rthdr0.FreeBSD6_2p4.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="rthdr0.FreeBSD6_2p4.diff"

--- sys/netinet6/in6_proto.c.orig	Fri May  4 15:14:10 2007
+++ sys/netinet6/in6_proto.c	Fri May 18 13:52:14 2007
@@ -361,7 +361,7 @@
 int	ip6_maxfragpackets;	/* initialized in frag6.c:frag6_init() */
 int	ip6_maxfrags;	/* initialized in frag6.c:frag6_init() */
 int	ip6_log_interval = 5;
-int	ip6_hdrnestlimit = 50;	/* appropriate? */
+int	ip6_hdrnestlimit = 15;	/* appropriate? */
 int	ip6_dad_count = 1;	/* DupAddrDetectionTransmits */
 int	ip6_auto_flowlabel = 1;
 int	ip6_gif_hlim = 0;
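Review bot: The compiled-in default for `ip6_hdrnestlimit` drops from 50 to 15, yet the `/* appropriate? */` comment is carried over unchanged, so the line still reads as an open question rather than a deliberate hardening choice. The value bounds the extension-header walk in ip6_input (the `++nest > ip6_hdrnestlimit` check in the next file) and is presumably tunable at runtime, so the comment should say what it bounds and that the default was deliberately lowered, e.g. `int	ip6_hdrnestlimit = 15;	/* max chained extension headers per packet; lowered from 50 */`.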
--- sys/netinet6/ip6_input.c.orig	Wed Feb  1 01:36:11 2006
+++ sys/netinet6/ip6_input.c	Mon May 21 10:30:14 2007
@@ -234,7 +234,7 @@
 	int off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
-	int nxt, ours = 0;
+	int nxt, ours = 0, rh_present = 0;
 	struct ifnet *deliverifp = NULL;
 	struct in6_addr odst;
 	int srcrt = 0;
@@ -758,9 +758,11 @@
 	in6_ifstat_inc(deliverifp, ifs6_in_deliver);
 	nest = 0;
 
+	rh_present = 0;
 	while (nxt != IPPROTO_DONE) {
 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
 			ip6stat.ip6s_toomanyhdr++;
+			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
 			goto bad;
 		}
 
@@ -774,6 +776,30 @@
 			goto bad;
 		}
 
+ 		/*
+ 		 * Here we try to reject packets with more than 1 routing
+ 		 * headers.  we do this here (instead of tagging mbuf route6.c) 
+ 		 * for the sake of computational costs, such as malloc().
+ 		 *
+ 		 * The code could be too restrictive - there could be
+ 		 * actual use of more than 1 routing headers on a packet
+ 		 * which cannot be used to do bad things unlike
+ 		 * IPV6_RTHDR_TYPE_0.  This code could also prohibit a mixed use
+ 		 * of TYPE_x and TYPE_y routing headers (x != y) even if it is
+ 		 * safe.
+ 		 *
+ 		 * We may need to revisit this behavior if and when a new type
+ 		 * of routing header is defined.
+ 		 */
+ 		if (nxt == IPPROTO_ROUTING) {
+ 			if (rh_present++) {
+ 				in6_ifstat_inc(m->m_pkthdr.rcvif,
+ 				    ifs6_in_hdrerr);
+ 				ip6stat.ip6s_badoptions++;
+ 				goto bad;
+ 			}
+ 		}
+ 
 #ifdef IPSEC
 		/*
 		 * enforce IPsec policy checking if we are seeing last header.
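Review bot: Every added line from the comment block through the closing `}` carries a space before its leading tab (`+ \t`), so once applied these lines are indented differently from the tab-indented context around them, and the comment line ending in `route6.c) ` also has trailing whitespace. The nested `if` can be collapsed to a single guard in the file's style, `if (nxt == IPPROTO_ROUTING && rh_present++) {`, which keeps the short-circuit so the counter only advances for routing headers and removes one indentation level. The check itself looks sound: the second routing header is rejected before it reaches route6_input, and both the per-interface `ifs6_in_hdrerr` counter and `ip6s_badoptions` are bumped, so the drop is observable in statistics. ip6_input's body continues outside the hunk.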
--- sys/netinet6/route6.c.orig	Fri May  4 15:14:10 2007
+++ sys/netinet6/route6.c	Mon May 21 10:40:12 2007
@@ -51,8 +51,10 @@
 
 extern int ip6_rthdr0_allowed;
 
+#if 0
 static int ip6_rthdr0 __P((struct mbuf *, struct ip6_hdr *,
     struct ip6_rthdr0 *));
+#endif
 
 int
 route6_input(mp, offp, proto)
@@ -89,6 +91,22 @@
 #endif
 
 	switch (rh->ip6r_type) {
+#if 0
+	/*
+	 * See http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
+	 * for why IPV6_RTHDR_TYPE_0 is banned here.
+	 *
+	 * We return ICMPv6 parameter problem so that innocent people
+	 * (not an attacker) would notice about the use of IPV6_RTHDR_TYPE_0.
+	 * Since there's no amplification, and ICMPv6 error will be rate-
+	 * controlled, it shouldn't cause any problem.
+	 * If you are concerned about this, you may want to use the following
+	 * code fragment:
+	 *
+	 * case IPV6_RTHDR_TYPE_0:
+	 *	m_freem(m);
+	 *	return (IPPROTO_DONE);
+	 */
 	case IPV6_RTHDR_TYPE_0:
 		if (!ip6_rthdr0_allowed)
 			return (IPPROTO_DONE);
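Review bot: The comment explaining why IPV6_RTHDR_TYPE_0 is rejected is placed inside the `#if 0` block, so it disappears together with the case it documents and a reader of the compiled switch sees only `default:` with no hint that type 0 is deliberately unhandled; move the comment above the `#if 0` line so it survives. With the case compiled out, `ip6_rthdr0_allowed` is still declared `extern` in the first hunk but is no longer read anywhere in this file, so if a sysctl still sets it elsewhere that knob becomes a silent no-op — either retire it in the same change or note next to the `extern` that it has no effect. Type 0 now falls into `default:`, which per the following hunk skips the header when `ip6r_segleft == 0`; what happens otherwise lies outside the hunks, so the comment's claim that an ICMPv6 parameter problem is returned should be verified against that branch rather than against the removed code. The same `#if 0` bracketing is used for the prototype (first hunk) and for the whole `ip6_rthdr0` body (last two hunks), leaving dead code in the file instead of deleting it. route6_input starts before this hunk and the switch closes after it.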
@@ -118,6 +136,7 @@
 		if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
 			return (IPPROTO_DONE);
 		break;
+#endif
 	default:
 		/* unknown routing type */
 		if (rh->ip6r_segleft == 0) {
@@ -134,6 +153,7 @@
 	return (rh->ip6r_nxt);
 }
 
+#if 0
 /*
  * Type0 routing header processing
  *
@@ -237,3 +257,4 @@
 	m_freem(m);
 	return (-1);
 }
+#endif

--Boundary-00=_1ckVGiOdgyptWbp--
