[PATCH 09/21] netlink: Be more conservative about ICMP errors
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:28 BST 2014
Default to not sending ICMP error messages for unknown incoming ICMP
type codes.
Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
debian/changelog | 1 +
netlink.c | 14 +++++++++++---
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 33b7c0b..fe6caae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low
* Additions to the test-example suite.
* SECURITY: Fixes to MTU and fragmentation handling.
* SECURITY: Correctly set "unused" ICMP header field.
+ * Do not send ICMP errors in response to unknown incoming ICMP.
--
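Review bot: the added entry understates the change made in the netlink.c hunk of this same patch: the code now sends ICMP errors only in response to Echo, Echo Reply, Timestamp and Timestamp Reply, so "unknown incoming ICMP" describes only part of the new policy. Wording such as "Only send ICMP errors in response to ICMP Echo/Timestamp queries and replies; never to other incoming ICMP" would tell a reader upgrading what actually changed. Since the two preceding entries are tagged "SECURITY:" and this change also tightens which incoming ICMP can trigger a reply, consider whether this entry should carry the same tag.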
diff --git a/netlink.c b/netlink.c
index 87b6671..d420f7b 100644
--- a/netlink.c
+++ b/netlink.c
@@ -304,9 +304,17 @@ static bool_t netlink_icmp_may_reply(struct buffer_if *buf)
icmph=(struct icmphdr *)buf->start;
if (iph->protocol==1) {
switch(icmph->type) {
- case 3: /* Destination unreachable */
- case 11: /* Time Exceeded */
- case 12: /* Parameter Problem */
+ /* Based on http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types
+ * as retrieved Thu, 20 Mar 2014 00:16:44 +0000.
+ * Deprecated, reserved, unassigned and experimental
+ * options are treated as not safe to reply to.
+ */
+ case 0: /* Echo Reply */
+ case 8: /* Echo */
+ case 13: /* Timestamp */
+ case 14: /* Timestamp Reply */
+ return True;
+ default:
return False;
}
}
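Review bot: the rule stated in the new comment ("Deprecated, reserved, unassigned and experimental options are treated as not safe to reply to") does not account for the three cases this hunk removes: types 3, 11 and 12 are assigned, current types and are still excluded after the change, as is every other assigned type outside 0/8/13/14. Since the switch now whitelists exactly the four query/reply types and falls to `return False;` for everything else, say that directly, e.g. "Only ICMP query messages (Echo, Timestamp and their replies) may trigger an ICMP error; ICMP error messages such as Destination Unreachable, Time Exceeded and Parameter Problem are never replied to (RFC 1122 section 3.2.2), and all other types are treated as unsafe." It is also worth keeping the removed per-type comments for 3/11/12 in that sentence, because the reason they are excluded (they are error messages, and replying to errors with errors is what the original check existed to prevent) is the security-relevant point and is otherwise lost from the code.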
--
1.7.10.4