summaryrefslogtreecommitdiffstats
path: root/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch')
-rw-r--r--main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch b/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
new file mode 100644
index 000000000..36a0ae449
--- /dev/null
+++ b/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
@@ -0,0 +1,44 @@
+From 9082391046940c410eac3bad065c8701998b5cab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Wed, 3 Mar 2010 04:01:13 +0000
+Subject: [PATCH 02/18] gre: fix hard header destination address checking
+
+ipgre_header() can be called with zero daddr when the gre device is
+configured as multipoint tunnel and still has the NOARP flag set (which is
+typically cleared by the userspace arp daemon). If the NOARP packets are
+not dropped, ipgre_tunnel_xmit() will take rt->rt_gateway (= NBMA IP) and
+use that for route look up (and may lead to bogus xfrm acquires).
+
+The multicast address check is removed as sending to multicast group should
+be ok. In fact, if gre device has a multicast address as destination
+ipgre_header is always called with multicast address.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 6d55cb91a0020ac0d78edcad61efd6c8cf5785a3)
+---
+ net/ipv4/ip_gre.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 1433338..ac88ce5 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1137,12 +1137,9 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+
+ if (saddr)
+ memcpy(&iph->saddr, saddr, 4);
+-
+- if (daddr) {
++ if (daddr)
+ memcpy(&iph->daddr, daddr, 4);
+- return t->hlen;
+- }
+- if (iph->daddr && !ipv4_is_multicast(iph->daddr))
++ if (iph->daddr)
+ return t->hlen;
+
+ return -t->hlen;
+--
+1.7.0.2
+