aboutsummaryrefslogtreecommitdiff
path: root/website/static/security/patches/SA-07:03/ipv6.patch
blob: 1f4c0e7664d0cd7acc8aba5930ceccd7b7159a4e (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

Index: sys/netinet6/in6.h
===================================================================
RCS file: /sources/FreeBSD-CVS/src/sys/netinet6/in6.h,v
retrieving revision 1.36.2.7
diff -u -r1.36.2.7 in6.h
--- sys/netinet6/in6.h	20 Aug 2006 19:28:43 -0000	1.36.2.7
+++ sys/netinet6/in6.h	24 Apr 2007 03:11:29 -0000
@@ -574,5 +574,6 @@
 #define IPV6CTL_STEALTH		45
-#define IPV6CTL_MAXID		46
+#define IPV6CTL_RTHDR0_ALLOWED  46
+#define IPV6CTL_MAXID		47
 #endif /* __BSD_VISIBLE */
 
 /*
Index: sys/netinet6/in6_proto.c
===================================================================
RCS file: /sources/FreeBSD-CVS/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.32.2.5
diff -u -r1.32.2.5 in6_proto.c
--- sys/netinet6/in6_proto.c	16 Oct 2006 15:11:18 -0000	1.32.2.5
+++ sys/netinet6/in6_proto.c	24 Apr 2007 07:46:54 -0000
@@ -376,6 +376,8 @@
 #ifdef IPSTEALTH
 int	ip6stealth = 0;
 #endif
+int     ip6_rthdr0_allowed = 0; /* Disallow use of routing header 0 */
+				/* by default. */
 
 /* icmp6 */
 /*
@@ -519,6 +521,9 @@
 SYSCTL_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_RW,
 	&ip6stealth, 0, "");
 #endif
+SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTHDR0_ALLOWED, 
+	   rthdr0_allowed, CTLFLAG_RW, &ip6_rthdr0_allowed, 0, "");
+
 
 /* net.inet6.icmp6 */
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT,
Index: sys/netinet6/route6.c
===================================================================
RCS file: /sources/FreeBSD-CVS/src/sys/netinet6/route6.c,v
retrieving revision 1.11.2.1
diff -u -r1.11.2.1 route6.c
--- sys/netinet6/route6.c	4 Nov 2005 20:26:15 -0000	1.11.2.1
+++ sys/netinet6/route6.c	24 Apr 2007 08:06:00 -0000
@@ -49,6 +49,8 @@
 
 #include <netinet/icmp6.h>
 
+extern int ip6_rthdr0_allowed;
+
 static int ip6_rthdr0 __P((struct mbuf *, struct ip6_hdr *,
     struct ip6_rthdr0 *));
 
@@ -88,6 +90,8 @@
 
 	switch (rh->ip6r_type) {
 	case IPV6_RTHDR_TYPE_0:
+		if (!ip6_rthdr0_allowed)
+			return (IPPROTO_DONE);
 		rhlen = (rh->ip6r_len + 1) << 3;
 #ifndef PULLDOWN_TEST
 		/*
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-22 17:02:15 +0000