opnsense-src/sys/netinet6
Kornel Dulęba c8cc66928b icmp6: Improve validation of PMTU
Currently we accept any pmtu between IPV6_MMTU(1280B) and the link mtu.
In some network topologies this could allow a bad actor to perform a DoS attack.
Contrary to IPv4, in IPv6 oversized packets are dropped, and an ICMP
PACKET_TOO_BIG message is sent back to the sender.
After receiving an ICMPv6 packet with pmtu bigger than the
current one, the victim will start sending frames that will be dropped
by a router with reduced MTU.
Although it will eventually receive another message with correct pmtu,
an attacker can still just inject their spoofed packets frequently
enough to overwrite the correct value.
This issue is described in detail in RFC8201, section 6.
Fix this by checking the current pmtu, and accepting the new one only
if it's smaller.

Approved by:	mw(mentor)
Reviewed by:	tuexen
MFC after:	1 week
Sponsored by:	Stormshield
Obtained from:	Semihalf
Differential Revision: https://reviews.freebsd.org/D35871

(cherry picked from commit 82042465c3)
2022-08-16 10:16:50 +02:00
..
dest6.c Fix m_pullup() problem after removing PULLDOWN_TESTs and KAME EXT_*macros. 2019-12-01 00:22:04 +00:00
frag6.c netinet6: Fix a typo in a sysctl description 2021-12-03 16:53:41 +01:00
icmp6.c icmp6: Improve validation of PMTU 2022-08-16 10:16:50 +02:00
icmp6.h
in6.c net: Fix memory leaks in lltable_calc_llheader() error paths 2022-04-15 10:21:20 -04:00
in6.h Expose nonstandard IPv6 kernel definitions to standalone builds. 2020-12-04 21:51:47 +00:00
in6_cksum.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
in6_fib.c MFC 91f2c69ec2: Fix unused-function warning when compiling with FIB_ALGO. 2021-02-04 22:33:53 +00:00
in6_fib.h Add modular fib lookup framework. 2020-12-25 11:33:17 +00:00
in6_fib_algo.c Fix dpdk/ldradix fib lookup algorithm preference calculation. 2021-03-10 21:50:19 +00:00
in6_gif.c net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros 2021-05-10 16:30:44 +02:00
in6_ifattach.c in6: Enter the net epoch in in6_tmpaddrtimer() 2021-08-16 09:01:39 -04:00
in6_ifattach.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in6_jail.c sysent: Get rid of bogus sys/sysent.h include. 2022-06-17 22:35:31 +03:00
in6_mcast.c Fix panic in IPv6 multicast code. 2021-08-13 10:31:11 +03:00
in6_pcb.c net: Allow binding of unspecified address without address existence 2021-11-18 19:28:56 -05:00
in6_pcb.h Filter TCP connections to SO_REUSEPORT_LB listen sockets by NUMA domain 2020-12-19 22:04:46 +00:00
in6_pcbgroup.c sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
in6_proto.c Remove unused nhop_ref_any() function. 2020-09-20 21:32:52 +00:00
in6_rmx.c Introduce scalable route multipath. 2020-10-03 10:47:17 +00:00
in6_rss.c Implement flowid calculation for outbound connections to balance 2020-10-18 17:15:47 +00:00
in6_rss.h Implement flowid calculation for outbound connections to balance 2020-10-18 17:15:47 +00:00
in6_src.c Enforce net epoch in in6_selectsrc(). 2021-03-10 21:57:59 +00:00
in6_var.h Remove per-packet ifa refcounting from IPv6 fast path. 2021-03-10 21:45:55 +00:00
ip6.h
ip6_ecn.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip6_fastfwd.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
ip6_forward.c ipv6: quit dropping packets looping back on p2p interfaces 2020-08-31 01:45:48 +00:00
ip6_gre.c Introduce NET_EPOCH_CALL() macro and use it everywhere where we free 2020-01-15 06:05:20 +00:00
ip6_id.c ip6_randomflowlabel: Avoid blocking if random(4) is not available 2019-04-23 17:18:20 +00:00
ip6_input.c socket: Implement SO_RERROR 2021-08-10 18:54:00 -07:00
ip6_mroute.c ip6mrouter: Make the expiration callout MPSAFE 2021-09-21 09:37:32 -04:00
ip6_mroute.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip6_output.c Fix ipfw fwd that doesn't work in some cases 2022-04-18 11:58:45 +03:00
ip6_var.h Convert route caching to nexthop caching. 2020-04-25 09:06:11 +00:00
ip6protosw.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_fw_nat64.h Reapply r345274 with build fixes for 32-bit architectures. 2019-03-19 10:57:03 +00:00
ip_fw_nptv6.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
mld6.c mld6: Ensure that mld_domifattach() always succeeds 2022-04-27 20:34:17 -04:00
mld6.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
mld6_var.h icmpv6: Fix mbuf change in mld 2019-11-18 21:59:47 +00:00
nd6.c inet6(4): Fix a typo in a source code comment 2022-08-10 14:24:03 +02:00
nd6.h lltable: Add support for "child" LLEs holding encap for IPv4oIPv6 entries. 2021-09-07 21:02:58 +00:00
nd6_nbr.c net: Fix LLE lock leaks 2022-04-11 09:43:27 -04:00
nd6_rtr.c netinet6: Fix a typo in a source code comment 2022-04-02 15:31:45 +02:00
pim6.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
pim6_var.h Rework IP encapsulation handling code. 2018-06-05 20:51:01 +00:00
raw_ip6.c rip6: Fix a lock order reversal in rip6_bind() 2022-06-21 08:53:34 -04:00
raw_ip6.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
route6.c Fix m_pullup() problem after removing PULLDOWN_TESTs and KAME EXT_*macros. 2019-12-01 00:22:04 +00:00
scope6.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
scope6_var.h Make net.inet6.ip6.deembed_scopeid behaviour default & remove sysctl. 2020-08-15 11:37:44 +00:00
sctp6_usrreq.c sctp: improve sctp_pathmtu_adjustment() 2022-02-23 00:58:06 +01:00
sctp6_var.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
send.c socket: Implement SO_RERROR 2021-08-10 18:54:00 -07:00
send.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
tcp6_var.h mend 2021-06-07 11:01:28 +02:00
udp6_usrreq.c MFC 2290dfb40f: 2022-02-25 14:49:33 -05:00
udp6_var.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00