Bug 1684874 - glibc: Add more Linux definitions to <netinet/in.h>, including IP*_PMTUDISC_OMIT
Summary: glibc: Add more Linux definitions to <netinet/in.h>, including IP*_PMTUDISC_OMIT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Florian Weimer
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On: 1170116
Blocks: 1655768
 
Reported: 2019-03-03 13:18 UTC by Daisuke Higashi
Modified: 2019-08-06 12:49 UTC (History)
CC List: 8 users

Fixed In Version: glibc-2.17-284.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:49:40 UTC
Target Upstream Version:
Embargoed:




Links
  Red Hat Bugzilla 1579451 (CLOSED): glibc: IP_BIND_ADDRESS_NO_PORT is not defined in <netinet/in.h> (last updated 2021-02-22 00:41:40 UTC)
  Red Hat Product Errata RHSA-2019:2118 (last updated 2019-08-06 12:49:54 UTC)

Internal Links: 1579451

Description Daisuke Higashi 2019-03-03 13:18:44 UTC
-- Description of problem:

  The Linux kernel 3.15 introduced new socket options, IP_PMTUDISC_OMIT / IPV6_PMTUDISC_OMIT [1], and the kernel feature itself was backported to the RHEL7 kernel [3.10.0-217.el7], but the corresponding macros were not backported to <netinet/in.h>.

   (actually these macros are defined in /usr/include/bits/in.h --- <netinet/in.h> includes it.)

  The IP*_PMTUDISC_OMIT sockopt is used by default (if available) by some DNS server implementations [3][4] to mitigate the DNS IP fragmentation attack [2]. Due to the missing IP*_PMTUDISC_OMIT macros, this mitigation is not enabled at compile time. Backporting these macros into the glibc headers will resolve this issue.

-- Version-Release number of selected component (if applicable):

I have confirmed this issue on RHEL 7.6.

kernel/glibc-related versions:
 kernel-headers-3.10.0-957.5.1.el7.x86_64
 kernel-3.10.0-957.5.1.el7.x86_64
 glibc-2.17-260.el7_6.3.x86_64
 glibc-common-2.17-260.el7_6.3.x86_64
 glibc-headers-2.17-260.el7_6.3.x86_64
 glibc-devel-2.17-260.el7_6.3.x86_64

-- How reproducible:
100%

-- Steps to Reproduce:

Compile and run this code and see whether "IP*_PMTUDISC_OMIT defined" is printed or not.
------
#include <netinet/in.h>
#include <stdio.h>

int main(void)
{
	/* IP_PMTUDISC_DONT is available on RHEL7, so these two lines are printed. */
#if defined (IP_PMTUDISC_DONT)
	printf("IP_PMTUDISC_DONT defined\n");
#endif
#if defined (IPV6_PMTUDISC_DONT)
	printf("IPV6_PMTUDISC_DONT defined\n");
#endif

	/* IP_PMTUDISC_OMIT is missing on RHEL7, so nothing is printed here. */
#if defined (IP_PMTUDISC_OMIT)
	printf("IP_PMTUDISC_OMIT defined\n");
#endif
#if defined (IPV6_PMTUDISC_OMIT)
	printf("IPV6_PMTUDISC_OMIT defined\n");
#endif
	return 0;
}
------

-- Actual results:

  The IP*_PMTUDISC_OMIT macros are not defined even though <netinet/in.h> is included.

-- Expected results:

  The IP*_PMTUDISC_OMIT macros are defined when <netinet/in.h> is included
  (and the corresponding feature is enabled at the DNS server's compile time).

-- Additional info:

[1] Linux kernel introduced IP*_PMTUDISC_OMIT
     https://lists.openwall.net/netdev/2014/02/26/4

[2] IP fragmentation attack on DNS
    https://ripe67.ripe.net/presentations/240-ipfragattack.pdf

[3] Unbound 1.5.0 introduced this feature.
   https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0

[4] BIND 9.9.10 introduced this feature.
    https://www.isc.org/blogs/bind-april-2017/
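
The security-relevant point of this report is the compile-time guard: DNS servers wrap the OMIT setsockopt in #ifdef, so a header that lacks the macro silently degrades the mitigation to IP*_PMTUDISC_DONT with no build error. The following is an added example, not code from the bug report, from glibc, or from any of the DNS servers cited above. It shows that guard pattern together with the kernel fallback (EINVAL when the headers know OMIT but the running kernel does not), and reads IP(V6)_MTU_DISCOVER back so the mode actually in force can be checked, which is the kind of confirmation Comment 6 below reports. It assumes a Linux system with a glibc <netinet/in.h>; the function names and result codes are this example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result codes of this example's own hardening helper (hypothetical names). */
enum pmtu_result {
    PMTU_ERROR = -1,        /* setsockopt/getsockopt failed for another reason */
    PMTU_DONT_APPLIED = 1,  /* fell back to IP*_PMTUDISC_DONT */
    PMTU_OMIT_APPLIED = 2   /* IP*_PMTUDISC_OMIT accepted by headers and kernel */
};

static int mtu_level(int family)   { return family == AF_INET6 ? IPPROTO_IPV6 : IPPROTO_IP; }
static int mtu_optname(int family) { return family == AF_INET6 ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER; }

/* The guard pattern DNS servers use: prefer OMIT (weak DF semantics and ignore
 * incoming "fragmentation needed" ICMP, so a forged one cannot shrink the path
 * MTU), otherwise DONT (never set DF). With the RHEL 7.6 headers of this bug
 * the #if branch is compiled out, so only the fallback remains. */
static int harden_udp_pmtu(int fd, int family)
{
    int val;
#if defined(IP_PMTUDISC_OMIT) && defined(IPV6_PMTUDISC_OMIT)
    val = family == AF_INET6 ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;
    if (setsockopt(fd, mtu_level(family), mtu_optname(family), &val, sizeof val) == 0)
        return PMTU_OMIT_APPLIED;
    /* EINVAL: the headers know OMIT but the running kernel predates 3.15
     * (or the RHEL 7 3.10.0-217 backport). Anything else is a real error. */
    if (errno != EINVAL)
        return PMTU_ERROR;
#endif
    val = family == AF_INET6 ? IPV6_PMTUDISC_DONT : IP_PMTUDISC_DONT;
    if (setsockopt(fd, mtu_level(family), mtu_optname(family), &val, sizeof val) == 0)
        return PMTU_DONT_APPLIED;
    return PMTU_ERROR;
}

/* Read IP(V6)_MTU_DISCOVER back so the mode in force is verified, not assumed. */
static int read_pmtu_mode(int fd, int family)
{
    int val = -1;
    socklen_t len = sizeof val;
    if (getsockopt(fd, mtu_level(family), mtu_optname(family), &val, &len) != 0)
        return PMTU_ERROR;
    return val;
}

/* Open a UDP socket of the given family, harden it and read the option back.
 * Returns the harden_udp_pmtu() result code; *readback gets the raw value. */
static int check_family(int family, int *readback)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return PMTU_ERROR;
    int res = harden_udp_pmtu(fd, family);
    *readback = read_pmtu_mode(fd, family);
    close(fd);
    return res;
}

/* 1 when the read-back value is the constant the result code claims was set. */
static int readback_matches(int family, int res, int readback)
{
    if (res == PMTU_DONT_APPLIED)
        return readback == (family == AF_INET6 ? IPV6_PMTUDISC_DONT : IP_PMTUDISC_DONT);
#if defined(IP_PMTUDISC_OMIT) && defined(IPV6_PMTUDISC_OMIT)
    if (res == PMTU_OMIT_APPLIED)
        return readback == (family == AF_INET6 ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT);
#endif
    return 0;
}

int main(void)
{
    int rb = -1;
    int res = check_family(AF_INET, &rb);
    printf("IPv4 UDP socket: %s (IP_MTU_DISCOVER read back as %d)\n",
           res == PMTU_OMIT_APPLIED ? "IP_PMTUDISC_OMIT in force" :
           res == PMTU_DONT_APPLIED ? "IP_PMTUDISC_DONT only (OMIT unavailable)" : "error", rb);
    return res == PMTU_ERROR ? 1 : 0;
}
```

Built against the RHEL 7.6 glibc-headers in this report the program reports the DONT fallback even on a kernel that supports OMIT, because the #if branch never compiles; against glibc-2.17-284.el7 or later it reports OMIT. Reading the option back is what distinguishes the two cases at runtime; a build that merely succeeds tells you nothing about whether the mitigation is present.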

Comment 3 Florian Weimer 2019-03-05 13:22:53 UTC
Patches backported:

commit 7c70f2272edd4efcc4525f1bbb50e92de1a27a57
Author: Mike Frysinger <vapier>
Date:   Thu Jan 30 18:56:56 2014 -0500

    linux: bits/in.h: sync with latest kernel headers
    
    This pulls in the latest defines for {g,s}etsockopt.
    
    Reviewed-by: Carlos O'Donell <carlos>
    Signed-off-by: Mike Frysinger <vapier>

commit 76e5216e317f39da2bc5bf905721cd9554ee6d09
Author: Joseph Myers <joseph>
Date:   Mon Jun 23 15:48:42 2014 +0000

    Update headers for Linux 3.15.
    
    This patch updates glibc headers for changes / new definitions in
    Linux 3.15.  In the course of my review I noticed that
    IPV6_PMTUDISC_INTERFACE was absent from glibc despite the inclusion of
    IP_PMTUDISC_INTERFACE; I added it along with IP_PMTUDISC_OMIT and
    IPV6_PMTUDISC_OMIT.  I did not add FALLOC_FL_NO_HIDE_STALE given the
    kernel header comment that it is reserved.

Comment 6 Daisuke Higashi 2019-06-14 17:52:56 UTC
  I confirmed that this issue is fixed in the RHEL7.7 beta.
  The IP_PMTUDISC_OMIT feature of several DNS servers [1] is enabled at compile time,
  and they ignore forged ICMPv4 type 3 code 4 on IPv4/UDP as expected.

Thank you!

[1] I have tested NSD 4.1.27 and BIND 9.11.6.

Comment 8 errata-xmlrpc 2019-08-06 12:49:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2118

