Bug 1684874 - glibc: Add more Linux definitions to <netinet/in.h>, including IP*_PMTUDISC_OMIT
Summary: glibc: Add more Linux definitions to <netinet/in.h>, including IP*_PMTUDISC_OMIT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Florian Weimer
QA Contact: qe-baseos-tools
URL:
Whiteboard:
Depends On: 1170116
Blocks: 1655768
Reported: 2019-03-03 13:18 UTC by Daisuke Higashi
Modified: 2019-08-06 12:49 UTC (History)

Fixed In Version: glibc-2.17-284.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:49:40 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1579451 None ASSIGNED glibc: IP_BIND_ADDRESS_NO_PORT is not defined in <netinet/in.h> 2019-07-30 16:40:36 UTC
Red Hat Product Errata RHSA-2019:2118 None None None 2019-08-06 12:49:54 UTC

Internal Links: 1579451

Description Daisuke Higashi 2019-03-03 13:18:44 UTC
-- Description of problem:

  The Linux kernel 3.15 introduced new socket options IP_PMTUDISC_OMIT / IPV6_PMTUDISC_OMIT [1], and the kernel feature itself was backported to the RHEL7 kernel [3.10.0-217.el7], but the corresponding macros were not backported to <netinet/in.h>.

   (actually these macros are defined in /usr/include/bits/in.h --- <netinet/in.h> includes it.)

  The IP*_PMTUDISC_OMIT sockopt is used by some DNS server implementations by default (if available) to mitigate the DNS IP fragment attack [2] [3][4]. Due to the missing IP*_PMTUDISC_OMIT macros, this mitigation is not enabled at compile time. Backporting these macros into the glibc headers
will resolve this issue.

-- Version-Release number of selected component (if applicable):

I have confirmed this issue on RHEL 7.6.

kernel/glibc-related versions:
 kernel-headers-3.10.0-957.5.1.el7.x86_64
 kernel-3.10.0-957.5.1.el7.x86_64
 glibc-2.17-260.el7_6.3.x86_64
 glibc-common-2.17-260.el7_6.3.x86_64
 glibc-headers-2.17-260.el7_6.3.x86_64
 glibc-devel-2.17-260.el7_6.3.x86_64

-- How reproducible:
100%

-- Steps to Reproduce:

Compile and run this code and see whether "IP*_PMTUDISC_OMIT defined" is printed or not.
------
#include <netinet/in.h>
#include <stdio.h>

int main(void) {

// IP_PMTUDISC_DONT is available on RHEL7

#if defined (IP_PMTUDISC_DONT)
 printf("IP_PMTUDISC_DONT defined\n");
#endif
#if defined (IPV6_PMTUDISC_DONT)
 printf("IPV6_PMTUDISC_DONT defined\n");
#endif

// IP_PMTUDISC_OMIT is missing on RHEL7 (nothing is printed below there)

#if defined (IP_PMTUDISC_OMIT)
 printf("IP_PMTUDISC_OMIT defined\n");
#endif
#if defined (IPV6_PMTUDISC_OMIT)
 printf("IPV6_PMTUDISC_OMIT defined\n");
#endif
 return 0;
}
------

-- Actual results:

  The IP*_PMTUDISC_OMIT macros are not defined even though <netinet/in.h> is included.

-- Expected results:

  The IP*_PMTUDISC_OMIT macros are defined when <netinet/in.h> is included
  (and the corresponding feature is enabled at the DNS server's compile time).

-- Additional info:

[1] Linux kernel introduced IP*_PMTUDISC_OMIT
     https://lists.openwall.net/netdev/2014/02/26/4

[2] IP fragmentation attack on DNS
    https://ripe67.ripe.net/presentations/240-ipfragattack.pdf

[3] Unbound 1.5.0 introduced this feature.
   https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0

[4] BIND 9.9.10 introduced this feature.
    https://www.isc.org/blogs/bind-april-2017/
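The report above describes how DNS servers pick IP_PMTUDISC_OMIT at compile time and fall back when the macro is missing. The following is an added example, not code from the bug report, glibc, or any of the DNS servers cited; it shows that selection for a UDP socket, reads the option back, and assumes a Linux build where IP_MTU_DISCOVER and IP_PMTUDISC_DONT are available (the helper names are hypothetical).

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Strongest "never fragment-negotiate" mode the build headers offer.
 * IP_PMTUDISC_OMIT (kernel 3.15+) clears DF and also ignores incoming
 * Path MTU hints, so a forged ICMP "fragmentation needed" cannot shrink
 * the path MTU. On headers without the macro, IP_PMTUDISC_DONT only
 * clears DF, which is what RHEL7 before this fix silently got. */
static int pmtudisc_choice(void)
{
#ifdef IP_PMTUDISC_OMIT
    return IP_PMTUDISC_OMIT;
#else
    return IP_PMTUDISC_DONT;
#endif
}

/* 1 if the OMIT mode is compiled in, 0 if we are on the fallback. */
static int pmtudisc_omit_available(void)
{
#ifdef IP_PMTUDISC_OMIT
    return 1;
#else
    return 0;
#endif
}

/* Apply the choice to an AF_INET UDP socket and return the value the
 * kernel reports back via getsockopt, or -1 on error. */
static int apply_pmtudisc(int fd)
{
    int want = pmtudisc_choice(), got = -1;
    socklen_t len = sizeof got;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &want, sizeof want) < 0)
        return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &got, &len) < 0)
        return -1;
    return got;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int got = apply_pmtudisc(fd);
    printf("OMIT available at build time: %d, IP_MTU_DISCOVER now: %d\n",
           pmtudisc_omit_available(), got);
    close(fd);
    return got < 0;
}
```

The same pattern applies to IPPROTO_IPV6 with IPV6_MTU_DISCOVER and IPV6_PMTUDISC_OMIT / IPV6_PMTUDISC_DONT on an AF_INET6 socket.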

Comment 3 Florian Weimer 2019-03-05 13:22:53 UTC
Patches backported:

commit 7c70f2272edd4efcc4525f1bbb50e92de1a27a57
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Thu Jan 30 18:56:56 2014 -0500

    linux: bits/in.h: sync with latest kernel headers
    
    This pulls in the latest defines for {g,s}etsockopt.
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

commit 76e5216e317f39da2bc5bf905721cd9554ee6d09
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Jun 23 15:48:42 2014 +0000

    Update headers for Linux 3.15.
    
    This patch updates glibc headers for changes / new definitions in
    Linux 3.15.  In the course of my review I noticed that
    IPV6_PMTUDISC_INTERFACE was absent from glibc despite the inclusion of
    IP_PMTUDISC_INTERFACE; I added it along with IP_PMTUDISC_OMIT and
    IPV6_PMTUDISC_OMIT.  I did not add FALLOC_FL_NO_HIDE_STALE given the
    kernel header comment that it is reserved.

Comment 6 Daisuke Higashi 2019-06-14 17:52:56 UTC
  I confirmed that this issue is fixed in the RHEL7.7 beta.
  The IP_PMTUDISC_OMIT feature of several DNS servers [1] is enabled at compile time,
and they ignore forged ICMPv4 type 3 code 4 on IPv4/UDP as expected.

Thank you!

[1] I have tested NSD 4.1.27 and BIND 9.11.6.

Comment 8 errata-xmlrpc 2019-08-06 12:49:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2118

