Commit 076b8ca
ipv6: Cap TLV scan in ip6_tnl_parse_tlv_enc_lim
Commit 47d3d7a ("ipv6: Implement limits on Hop-by-Hop and
Destination options") added net.ipv6.max_{hbh,dst}_opts_{cnt,len}
and applied them in ip6_parse_tlv(), the generic TLV walker
invoked from ipv6_destopt_rcv() and ipv6_parse_hopopts().
ip6_tnl_parse_tlv_enc_lim() does not go through ip6_parse_tlv();
it has its own hand-rolled TLV scanner inside its NEXTHDR_DEST
branch which looks for IPV6_TLV_TNL_ENCAP_LIMIT. That inner
loop is bounded only by optlen, which can be up to 2048 bytes.
Stuffing the Destination Options header with 2046 Pad1 (type=0)
entries advances the scanner a single byte at a time, yielding
~2000 TLV iterations per extension header.
Reusing max_dst_opts_cnt to bound the TLV iterations, matching
the semantics from 47d3d7a, would require duplicating
ip6_parse_tlv() to also validate Pad1/PadN payload. It would
also mandate enforcing max_dst_opts_len, since otherwise an
attacker shifts the axis to few options with a giant PadN and
recovers the original DoS. Allowing up to 8 options before the
tunnel encapsulation limit TLV is liberal enough; in practice
encap limit is the first TLV. Thus, go with a hard-coded limit
IP6_TUNNEL_MAX_DEST_TLVS (8).
Signed-off-by: Daniel Borkmann <[email protected]>
Reviewed-by: Ido Schimmel <[email protected]>
Reviewed-by: Justin Iurman <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
1 parent d293ca7 commit 076b8ca
1 file changed
Lines changed: 6 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
62 | 62 | | |
63 | 63 | | |
64 | 64 | | |
| 65 | + | |
| 66 | + | |
65 | 67 | | |
66 | 68 | | |
67 | 69 | | |
| |||
425 | 427 | | |
426 | 428 | | |
427 | 429 | | |
| 430 | + | |
428 | 431 | | |
429 | 432 | | |
430 | 433 | | |
431 | 434 | | |
432 | 435 | | |
| 436 | + | |
| 437 | + | |
| 438 | + | |
433 | 439 | | |
434 | 440 | | |
435 | 441 | | |
| |||
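
The bounded scan described in the commit message, as an added userland example; it is not the kernel patch and not code from this commit. The function names, the `cap == 0` "uncapped" mode and the choice to count the encap limit TLV itself against the cap are assumptions made for illustration, and the option buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_PAD1            0  /* Pad1: one byte, no length field */
#define TLV_TNL_ENCAP_LIMIT 4  /* value of IPV6_TLV_TNL_ENCAP_LIMIT */
#define MAX_DEST_TLVS       8  /* cap value from the commit message */

/* Hypothetical scanner over the option area of one Destination Options
 * header. cap == 0 means "bounded by optlen only" (the old behaviour).
 * Returns the encap limit TLV offset or -1; *iters = TLVs examined. */
static int scan_encap_limit(const uint8_t *opts, size_t optlen, int cap, int *iters)
{
    size_t i = 0;
    int n = 0, found = -1;

    while (i < optlen && (cap == 0 || n < cap)) {
        n++;
        if (opts[i] == TLV_PAD1) {      /* advances a single byte */
            i++;
            continue;
        }
        if (i + 2 > optlen || i + 2 + opts[i + 1] > optlen)
            break;                      /* truncated or overrunning TLV */
        if (opts[i] == TLV_TNL_ENCAP_LIMIT && opts[i + 1] == 1) {
            found = (int)i;
            break;
        }
        i += 2 + opts[i + 1];
    }
    *iters = n;
    return found;
}

/* Constructed input: npad Pad1 bytes followed by one encap limit TLV. */
static int offset_after_pad1(int npad, int cap, int *iters)
{
    uint8_t opts[2048] = { 0 };
    opts[npad] = TLV_TNL_ENCAP_LIMIT;
    opts[npad + 1] = 1;                 /* option data length */
    opts[npad + 2] = 4;                 /* encapsulation limit value */
    return scan_encap_limit(opts, (size_t)npad + 3, cap, iters);
}

int main(void)
{
    int it, off = offset_after_pad1(2043, MAX_DEST_TLVS, &it);
    printf("capped scan: offset=%d iterations=%d\n", off, it);
    return 0;
}
```

With the cap, a Pad1-filled header costs 8 iterations instead of one per byte, while the usual layout with the encap limit as the first TLV is still found on the first iteration.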