[patch 08/09] [BRIDGE]: prevent bad forwarding table updates

Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on the hostile
side of the bridge from causing packet leakage, a small but possible security
risk.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

Index: 2.6.11.11-net/net/bridge/br_input.c
===================================================================
--- 2.6.11.11-net.orig/net/bridge/br_input.c
+++ 2.6.11.11-net/net/bridge/br_input.c
@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
 	struct net_bridge_fdb_entry *dst;
 	int passedup = 0;
 
+	/* insert into forwarding database after filtering to avoid spoofing */
+	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
+
 	if (br->dev->flags & IFF_PROMISC) {
 		struct sk_buff *skb2;
 
@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
 	if (eth_hdr(skb)->h_source[0] & 1)
 		goto err;
 
-	if (p->state == BR_STATE_LEARNING ||
-	    p->state == BR_STATE_FORWARDING)
+	if (p->state == BR_STATE_LEARNING)
 		br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
 
 	if (p->br->stp_enabled &&
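Review bot: with BR_STATE_FORWARDING removed from the condition, a port in BR_STATE_LEARNING still learns here, ahead of the STP check and any filtering, and an entry learned during that window survives when the port later moves to forwarding. That residual pre-filter learning is not mentioned in the commit message, so either add a comment next to the remaining `if (p->state == BR_STATE_LEARNING)` explaining why it is acceptable for a port that does not yet forward, or note it as a known follow-up.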
Index: 2.6.11.11-net/net/bridge/br_stp_bpdu.c
===================================================================
--- 2.6.11.11-net.orig/net/bridge/br_stp_bpdu.c
+++ 2.6.11.11-net/net/bridge/br_stp_bpdu.c
@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
 	struct net_bridge *br = p->br;
 	unsigned char *buf;
 
+	/* insert into forwarding database after filtering to avoid spoofing */
+	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
+
 	/* need at least the 802 and STP headers */
 	if (!pskb_may_pull(skb, sizeof(header)+1) ||
 	    memcmp(skb->data, header, sizeof(header)))
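Review bot: in br_stp_handle_bpdu the insert is placed before the `pskb_may_pull` / `memcmp(skb->data, header, ...)` check, so a frame that fails the BPDU header test still has its source address learned. Move the `br_fdb_insert` below that check; at its current position nothing has been filtered yet, which also makes the copied comment "after filtering" inaccurate for this function. The function already has `struct net_bridge *br = p->br;` two lines above the insertion, so pass `br` rather than `p->br`.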
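To make the leakage the commit message describes concrete, here is a standalone C model of a learning bridge with a per-port anti-spoof filter, run once with the old "learn, then filter" order and once with the patched "filter, then learn" order. This is an added example, not kernel code and not part of the original posting: the fdb, the filter rule, the port numbers and the MAC addresses are all constructed for illustration.

```c
/* Standalone model of why a bridge must learn source addresses only after
 * filtering. Added example, not kernel code: the fdb, the filter policy and
 * every address and port number below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDB_SIZE   16
#define PORT_NONE  (-1)   /* frame dropped, nothing forwarded */
#define PORT_FLOOD (-2)   /* unknown destination, flooded to all ports */

struct fdb_entry { uint8_t addr[6]; int port; int used; };
struct fdb       { struct fdb_entry e[FDB_SIZE]; };
struct frame     { uint8_t dst[6]; uint8_t src[6]; int in_port; };

/* Anti-spoof policy for one port: only this source MAC may enter on it.
 * Hypothetical stand-in for a filtering rule on the hostile port. */
struct port_policy { int port; uint8_t allowed_src[6]; };

/* Learn (or move) a source address to the port it arrived on. */
static void fdb_insert(struct fdb *f, const uint8_t *src, int port)
{
    int i, free_slot = -1;
    for (i = 0; i < FDB_SIZE; i++) {
        if (f->e[i].used && memcmp(f->e[i].addr, src, 6) == 0) {
            f->e[i].port = port;              /* existing entry: update port */
            return;
        }
        if (!f->e[i].used && free_slot < 0)
            free_slot = i;
    }
    if (free_slot >= 0) {
        memcpy(f->e[free_slot].addr, src, 6);
        f->e[free_slot].port = port;
        f->e[free_slot].used = 1;
    }
}

static int fdb_lookup(const struct fdb *f, const uint8_t *dst)
{
    int i;
    for (i = 0; i < FDB_SIZE; i++)
        if (f->e[i].used && memcmp(f->e[i].addr, dst, 6) == 0)
            return f->e[i].port;
    return PORT_NONE;
}

static int filter_accepts(const struct frame *fr, const struct port_policy *pol, int npol)
{
    int i;
    for (i = 0; i < npol; i++)
        if (pol[i].port == fr->in_port)
            return memcmp(pol[i].allowed_src, fr->src, 6) == 0;
    return 1;                                 /* unpoliced ports accept all */
}

/* Receive one frame; learn_after_filter selects the ordering under test.
 * Returns the egress port, PORT_FLOOD, or PORT_NONE when dropped. */
static int bridge_rx(struct fdb *f, const struct frame *fr,
                     const struct port_policy *pol, int npol, int learn_after_filter)
{
    int out;
    if (fr->src[0] & 1)                       /* multicast source is never valid */
        return PORT_NONE;
    if (!learn_after_filter)
        fdb_insert(f, fr->src, fr->in_port);  /* old order: learn, then filter */
    if (!filter_accepts(fr, pol, npol))
        return PORT_NONE;
    if (learn_after_filter)
        fdb_insert(f, fr->src, fr->in_port);  /* patched order: filter, then learn */
    out = fdb_lookup(f, fr->dst);
    return out == PORT_NONE ? PORT_FLOOD : out;
}

static struct frame mk(const uint8_t *dst, const uint8_t *src, int port)
{
    struct frame fr;
    memcpy(fr.dst, dst, 6);
    memcpy(fr.src, src, 6);
    fr.in_port = port;
    return fr;
}

/* Constructed scenario: victim V on port 0, attacker A on port 1 (policed to
 * source A only), a third host H on port 2. The attacker forges V as source
 * and the filter drops that frame. Returns the port a later unicast from H
 * to V is forwarded out of: 0 is correct, 1 means it leaked to the attacker. */
int run_scenario(int learn_after_filter)
{
    static const uint8_t V[6] = {0x02, 0, 0, 0, 0, 0x10};
    static const uint8_t A[6] = {0x02, 0, 0, 0, 0, 0x20};
    static const uint8_t H[6] = {0x02, 0, 0, 0, 0, 0x30};
    static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    struct port_policy pol[1];
    struct fdb f;
    struct frame legit  = mk(BCAST, V, 0);    /* victim announces itself */
    struct frame forged = mk(BCAST, V, 1);    /* attacker spoofs V's MAC */
    struct frame to_v   = mk(V, H, 2);        /* host H sends unicast to V */

    memset(&f, 0, sizeof f);
    pol[0].port = 1;
    memcpy(pol[0].allowed_src, A, 6);

    bridge_rx(&f, &legit, pol, 1, learn_after_filter);
    bridge_rx(&f, &forged, pol, 1, learn_after_filter);   /* dropped by filter */
    return bridge_rx(&f, &to_v, pol, 1, learn_after_filter);
}

int main(void)
{
    printf("learn before filter: frame for victim goes to port %d\n", run_scenario(0));
    printf("learn after filter:  frame for victim goes to port %d\n", run_scenario(1));
    return 0;
}
```

With the old order the forged frame is dropped but has already moved V's fdb entry to the attacker's port, so the next unicast for V goes out port 1; with the patched order the dropped frame never touches the fdb and the unicast stays on port 0. The model omits ageing, flooding of unknown destinations to a real port set and the STP state machine, which is why the learning-state path left in br_handle_frame is not represented here.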
