* [PATCH 5/5] icmp6: Set limits on route list sizes
@ 2022-01-06 15:05 Andrew Zaborowski
0 siblings, 0 replies; only message in thread
From: Andrew Zaborowski @ 2022-01-06 15:05 UTC (permalink / raw
To: ell
[-- Attachment #1: Type: text/plain, Size: 1980 bytes --]
It seems to be easy for someone to DOS the ICMP6 stacks on a local
network by sending a lot of RAs.
---
ell/icmp6.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/ell/icmp6.c b/ell/icmp6.c
index f720bc5..b7c0fcc 100644
--- a/ell/icmp6.c
+++ b/ell/icmp6.c
@@ -410,6 +410,8 @@ static void icmp6_router_update(struct l_icmp6_client *client,
icmp6_client_event_notify(client, event, r);
}
+#define ICMP6_MAX_ROUTES 50
+
/* Mostly RFC4861 Section 6.3.4 */
static void icmp6_onlink_prefix_update(struct l_icmp6_client *client,
struct l_icmp6_router *ra,
@@ -494,6 +496,14 @@ static void icmp6_onlink_prefix_update(struct l_icmp6_client *client,
info->client = client;
l_queue_push_head(client->prefix_routes, info);
+ /* Prevent the queue from growing too long (possible DOS) */
+ if (l_queue_length(client->prefix_routes) > ICMP6_MAX_ROUTES) {
+ CLIENT_DEBUG("Too many prefix routes, removing oldest");
+
+ icmp6_prefix_timeout(NULL,
+ l_queue_peek_tail(client->prefix_routes));
+ }
+
if (!changed)
return;
@@ -552,6 +562,26 @@ static int icmp6_client_handle_message(struct l_icmp6_client *client,
r->client = client;
l_queue_push_head(client->routers, r);
+ /* Prevent the queue from growing too long (possible DOS) */
+ if (l_queue_length(client->routers) > ICMP6_MAX_ROUTES) {
+ struct l_icmp6_router *r2 =
+ l_queue_peek_tail(client->routers);
+ enum l_icmp6_client_event event =
+ L_ICMP6_CLIENT_EVENT_DEFAULT_ROUTER_REMOVED;
+
+ CLIENT_DEBUG("Too many routers, removing oldest");
+ l_queue_remove(client->routers, r2);
+
+ if (r2->default_route)
+ icmp6_client_event_notify(client, event, r2);
+
+ _icmp6_router_free(r2);
+
+ /* Client may have stopped us */
+ if (!client->io)
+ return -ECANCELED;
+ }
+
icmp6_client_event_notify(client,
L_ICMP6_CLIENT_EVENT_ROUTER_FOUND,
NULL);
--
2.32.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-01-06 15:05 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-06 15:05 [PATCH 5/5] icmp6: Set limits on route list sizes Andrew Zaborowski
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.