Browse files

ipv6: addrconf: validate new MTU before applying it

Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet

If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)

The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.

Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.

Change-Id: I6b70d0c12a77c7932066982f8797d8024f130d7c
Signed-off-by: Marcelo Ricardo Leitner <>
Signed-off-by: Sabrina Dubroca <>
Signed-off-by: David S. Miller <>
  • Loading branch information...
Marcelo Leitner authored and andi34 committed Feb 23, 2015
1 parent 90e94c8 commit f2345f7e92901cdd8bdf0d478cb0db717598bdf1
Showing with 16 additions and 1 deletion.
  1. +16 −1 net/ipv6/addrconf.c
@@ -4327,6 +4327,21 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
return ret;
int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
struct inet6_dev *idev = ctl->extra1;
int min_mtu = IPV6_MIN_MTU;
struct ctl_table lctl;
lctl = *ctl;
lctl.extra1 = &min_mtu;
lctl.extra2 = idev ? &idev->dev->mtu : NULL;
return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
static void dev_disable_change(struct inet6_dev *idev)
if (!idev || !idev->dev)
@@ -4427,7 +4442,7 @@ static struct addrconf_sysctl_table
.data = &ipv6_devconf.mtu6,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
.proc_handler = addrconf_sysctl_mtu,
.procname = "accept_ra",

0 comments on commit f2345f7

Please sign in to comment.