File: cve-2020-13401-disable-IPv6-router-advertisements.patch

package info (click to toggle)
docker.io 18.09.1%2Bdfsg1-7.1%2Bdeb10u3
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 66,144 kB
  • sloc: sh: 9,753; makefile: 827; ansic: 239; python: 162; asm: 10
file content (65 lines) | stat: -rw-r--r-- 2,343 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
 
From 153d0769a1181bf591a9637fd487a541ec7db1e6 Mon Sep 17 00:00:00 2001
From: Samuel Karp <skarp@amazon.com>
Date: Fri, 3 Apr 2020 16:23:18 -0700
Subject: [PATCH] bridge: disable IPv6 router advertisements

Signed-off-by: Samuel Karp <skarp@amazon.com>
---
 libnetwork/drivers/bridge/bridge.go       |  6 ++++++
 libnetwork/drivers/bridge/setup_device.go | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
index b617ea7bc4..22ee29e238 100644
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
 	bridgeAlreadyExists := bridgeIface.exists()
 	if !bridgeAlreadyExists {
 		bridgeSetup.queueStep(setupDevice)
+		bridgeSetup.queueStep(setupDefaultSysctl)
+	}
+
+	// For the default bridge, set expected sysctls
+	if config.DefaultBridge {
+		bridgeSetup.queueStep(setupDefaultSysctl)
 	}
 
 	// Even if a bridge exists try to setup IPv4.
diff --git a/drivers/bridge/setup_device.go b/drivers/bridge/setup_device.go
index 548ad951df..1343305ae9 100644
--- a/libnetwork/drivers/bridge/setup_device.go
+++ b/libnetwork/drivers/bridge/setup_device.go
@@ -2,6 +2,9 @@ package bridge
 
 import (
 	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 
 	"github.com/docker/docker/pkg/parsers/kernel"
 	"github.com/docker/libnetwork/netutils"
@@ -49,6 +52,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error {
 	return err
 }
 
+func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error {
+	// Disable IPv6 router advertisements originating on the bridge
+	sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")
+	if _, err := os.Stat(sysPath); err != nil {
+		logrus.
+			WithField("bridge", config.BridgeName).
+			WithField("syspath", sysPath).
+			Info("failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra")
+		return nil
+	}
+	if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {
+		return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err)
+	}
+	return nil
+}
+
 // SetupDeviceUp ups the given bridge interface.
 func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
 	err := i.nlh.LinkSetUp(i.Link)