authorHugo Benichi <hugobenichi@google.com>2018-05-30 06:25:37 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2018-05-30 06:25:37 +0000
commitf988ee70cdfbb16d6bb29985b2541d0d63e8c523 (patch)
treeb1b7838611ddcf55a7061d6f5d4c5ca6f32a809f /server/TetherController.cpp
parent1448b570ebbfb58777eb825d0a2d5e1bc4d7defe (diff)
parentc4b3a0c6e3d9c7cc3f26b0e721486d2b5111bdc4 (diff)
Merge "Ensure icmp redirects are always ignored"
Diffstat (limited to 'server/TetherController.cpp')
-rw-r--r--server/TetherController.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 7facb7bd..779426fd 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -155,10 +155,18 @@ TetherController::TetherController() {
bool TetherController::setIpFwdEnabled() {
bool success = true;
- const char* value = mForwardingRequests.empty() ? "0" : "1";
+ bool disable = mForwardingRequests.empty();
+ const char* value = disable ? "0" : "1";
ALOGD("Setting IP forward enable = %s", value);
success &= writeToFile(IPV4_FORWARDING_PROC_FILE, value);
success &= writeToFile(IPV6_FORWARDING_PROC_FILE, value);
+ if (disable) {
+ // Turning off the forwarding sysconf in the kernel has the side effect
+ // of turning on ICMP redirect, which is a security hazard.
+ // Turn ICMP redirect back off immediately.
+ int rv = InterfaceController::disableIcmpRedirects();
+ success &= (rv == 0);
+ }
return success;
}
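Review bot: A failure of `InterfaceController::disableIcmpRedirects()` in the `if (disable)` branch is only folded into `success`, so the caller sees the same `false` as for a failed write to the forwarding proc files and nothing in the log says the device may still be accepting ICMP redirects. Since the comment itself calls this a security hazard, I would log it explicitly, e.g. `if (rv != 0) ALOGE("Failed to disable ICMP redirects after turning forwarding off: %d", rv);`, unless the helper already logs (its body is not visible here). The comment could also state that redirects may be accepted in the short interval between the forwarding write and this call, and say why the enable path needs no equivalent reset, so a later reader does not assume the hardening is atomic or symmetric.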